[WEB SECURITY] Password Recovery

Ofer Maor ofer.hacktics at gmail.com
Wed Jun 15 19:20:01 EDT 2005


I have to say I agree with Bruce here. 

The secret questions as a password recovery means are pretty lame. With many
of the questions being too trivial or having too trivial answers, I have had
success many times while performing pentests in breaking into the
application through the password recovery scheme. 

With that said, we still need to see what we do about password recovery.
Personally, I believe that in highly sensitive applications (such as online
banking/insurance/etc.) - password recovery should be left for phone based
customer support. For others, there are some reasonably more secure
mechanisms, mainly such that rely both on a secret question, as well as
email verification of the user.

Basically - a user wants to recover his password, the user is instructed to
enter the username AND the email address. If the email address matches the
username, an email is sent to the user, with a link to the secret question
page. Only then, after the user has been verified once through the email,
the user gets the chance to enter the answer to the secret question. Now,
this is not a completely safe solution (emails can be sniffed, etc.), but I
think it's a few degrees tougher to break than just working on the secret
question and having your password reset.

Ofer.


---
Ofer Maor
CTO
Hacktics (http://www.hacktics.com/)
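The two-step flow Ofer describes (username and e-mail must match, a link is mailed, and only that link reaches the secret question), as an added Python example that is not part of the original posts. The user store, the PENDING token table, OUTBOX and send_mail are assumptions standing in for a real database and mail transport; the example also adds the single-use, expiring token and attempt limit a practitioner would want around the secret question.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # recovery links expire quickly
MAX_ANSWER_ATTEMPTS = 3       # a few wrong answers kill the token

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case/whitespace, then store only a salted slow hash of the answer.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

# Constructed sample user store for this example (not a real account).
SALT = b"constructed-salt"
USERS = {"alice": {"email": "alice@example.com", "salt": SALT,
                   "answer_hash": hash_answer("Rex", SALT)}}
PENDING = {}   # token -> {"user", "issued", "attempts"}; server-side state only
OUTBOX = []    # stands in for the mail transport in this example

def send_mail(to: str, link: str) -> None:
    OUTBOX.append((to, link))

def request_recovery(username: str, email: str) -> str:
    """Step 1: issue a link only when username and e-mail match.
    The reply is identical either way, so the form does not leak which accounts exist."""
    user = USERS.get(username)
    if user and hmac.compare_digest(user["email"].lower().encode(),
                                    email.strip().lower().encode()):
        token = secrets.token_urlsafe(32)          # unguessable, single-use
        PENDING[token] = {"user": username, "issued": time.time(), "attempts": 0}
        send_mail(user["email"], "https://example.com/recover?token=" + token)
    return "If that account exists, a recovery link has been e-mailed."

def answer_question(token: str, answer: str) -> bool:
    """Step 2: the secret question is reachable only through a live e-mailed token."""
    entry = PENDING.get(token)
    if entry is None:
        return False
    expired = time.time() - entry["issued"] > TOKEN_TTL_SECONDS
    if expired or entry["attempts"] >= MAX_ANSWER_ATTEMPTS:
        PENDING.pop(token, None)               # stale or brute-forced: discard
        return False
    entry["attempts"] += 1
    user = USERS[entry["user"]]
    if hmac.compare_digest(hash_answer(answer, user["salt"]), user["answer_hash"]):
        PENDING.pop(token, None)               # consume the token on success
        return True
    return False
```

A successful answer_question would then be followed by the actual password reset; the attempt limit only bounds guessing per link, so the request_recovery endpoint itself still needs ordinary rate limiting.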


-----Original Message-----
From: Dave King [mailto:davefd at davewking.com] 
Sent: Wednesday, June 15, 2005 23:31
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Password Recovery


Hi All-
    I was wondering what everyone's opinion is on good password recovery 
options for a web application.  In OWASP's penetration testing document 
it says "Ensure that the user must respond to a secret answer or secret 
question or other predetermined information before passwords can be 
reset."  However Bruce Schneier and others disagree, check out this blog 
post http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html 
.  Basically he says these secret questions drastically lessen security 
because it's easier to guess the answer to the secret question than it 
is to guess the password.  Does anyone have any opinion on this or have 
found another solution that works well?

Thanks,
Dave King


---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

