[WEB SECURITY] Password Recovery

Lyal Collins lyal.collins at key2it.com.au
Wed Jun 15 19:11:47 EDT 2005


An interesting issue.
Coping with valid, real-world situations is critical for external
users/customers - internal staff accounts are a different matter and
ignored for a moment.

A case in point - a housemate wants to use an established paypal account,
password is forgotten.
The list of questions is a killer - e.g. phone number used to register (that
was 3 moves ago, number forgotten), address used to register has been
forgotten, the email address used is one of several used at an ISP several
ISPs ago, etc.
Can't register a new paypal account, since the same credit card can't be
used for 2 different accounts.
Result = 1 lost customer to every Paypal merchant in the world.

On their own, these are good measures.
In the real world, these have a real impact to real people.
The process has to cope with all sorts of user skills, memories, etc.

In my view, the same occurs to a significant portion of external users
with any 'secret question' methodology - if someone is too forgetful to
remember a password, they'll choose a _very_ simple question/answer, and
probably the same response at lots of sites - banking, insurance,
chat/msn/yahoo/irc, community forums, etc.  Or, users will write the info
down.
In effect, this encourages the spread of duplicate copies of the 'authentication
of last resort' information.

A phone desk where the user can be talked through lots of verifying details
is going to be better than a single question/answer phase.

Authentication is expensive to maintain, but so is lost money and
credibility (think banks, Paris Hilton and T-Mobile?)


Regards,
Lyal


-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Thursday, 16 June 2005 8:25 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Password Recovery


I agree that using secret questions alone isn't the best idea, however 
they still can be of use. The challenge is selecting the right password 
recovery model, or combination of models, for the system we're 
securing. Low security vs. high security - easy vs. inconvenient.

Currently, I'm a fan of the password reset request using email 
verification (All the usual precautions taken of course). This does 
require a registered email address, but for the user it's simple, easy, 
and a fairly secure process.

For the more secure systems we can consider combining knowledge or 
usernames, email address, secret questions, etc.

Jeremiah-



On Wednesday, June 15, 2005, at 02:31  PM, Dave King wrote:

> Hi All-
>    I was wondering what everyone's opinion is on good password
> recovery options for a web application.  In OWASP's penetration 
> testing document it says "Ensure that the user must respond to a 
> secret answer or secret question or other predetermined information 
> before passwords can be reset."  However Bruce Schneier and others 
> disagree, check out this blog post 
> http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html .  
> Basically he says these secret questions drastically lessen security 
> because it's easier to guess the answer to the secret question than it 
> is to guess the password.  Does anyone have any opinion on this or 
> have found another solution that works well?
>
> Thanks,
> Dave King


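The "email verification with all the usual precautions" reset model that Jeremiah favours above is only as good as those precautions, so here is an added example (not code from the original thread or from any of its authors) of what they look like in practice: a reset token of 32 random bytes that is mailed to the user, stored only as a SHA-256 digest, time-limited, single-use, and requested through an endpoint that behaves identically whether or not the address is registered. The `PasswordResetService` class, the in-memory `users` dict and the injectable clock are hypothetical scaffolding constructed for the example; the password hashing uses PBKDF2 as an illustration of storing the new password properly, not as a claim about what any particular site does.

```python
import hashlib
import hmac
import secrets
import time

# Reset links die after 15 minutes (assumed policy for this example).
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(stored, password):
    """Constant-time check of a password against a stored salt || digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordResetService:
    """Email-based password reset (hypothetical, for illustration).

    users: dict email -> {"password_hash": bytes|None}  (constructed input)
    now:   clock function, injectable so expiry can be tested offline
    """

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now
        # token digest -> (email, expiry). Only the digest is stored, so
        # a leaked copy of this table does not yield usable reset links.
        self.pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email):
        """Return the token to put in the reset email, or None.

        The HTTP layer must send the same "if that address is registered,
        we've emailed it" response in both cases so the endpoint cannot be
        used to enumerate accounts; None only tells the caller to skip
        sending mail.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        self.pending[self._digest(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def reset(self, token, new_password):
        """Consume a token and set the new password. Returns True on success."""
        # Lookup is keyed on the digest, so a timing difference on the
        # dict comparison never reveals anything about the raw token.
        key = self._digest(token)
        entry = self.pending.pop(key, None)   # pop => single use, even on failure
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        # Invalidate every other outstanding token for this account.
        for k in [k for k, (e, _) in self.pending.items() if e == email]:
            del self.pending[k]
        self.users[email]["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    svc = PasswordResetService({"alice@example.com": {"password_hash": None}})
    tok = svc.request("alice@example.com")
    print("reset ok:", svc.reset(tok, "correct horse battery staple"))
    print("replay ok:", svc.reset(tok, "again"))  # False: token already consumed
```

Two things the code makes explicit that the phrase "usual precautions" hides: the token is consumed on every lookup (so a guessed-but-expired token cannot be retried), and a successful reset wipes any other outstanding tokens for the account, closing the window in which an attacker who requested a reset earlier could still use their own link.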
---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/