[WEB SECURITY] Password Recovery

ams67 ams67 at ihug.co.nz
Wed Jun 15 10:12:25 EDT 2005


Let's not forget that emails go across the network in clear text (if not
encrypted, of course). It will also push the user to save the email for
future reference (bad idea). Therefore I would never send sensitive
information such as user credentials via email. Furthermore, if the user can
retrieve the password it means that the Web application is either storing
the password in clear text or using reversible encryption, both bad
security practices.
IMHO lost passwords should not be retrieved at all. The web application
should force the user to reset the password following something similar to
the following procedure:

1. Send the user an e-mail at the address specified for the account. This
will alert the user that a request to change the password has been initiated.
The email also contains a secure web link (link) and a provisional password
(which will expire, let's say, within 48h) that will allow the user to access the
secure web link (https).

2. After logging in to the secure web link the user should answer one or more
preselected secret questions (e.g. insurance policy number and/or date of
birth). This will prevent random anonymous attacks.

3. Finally the web application will show a form where the user can input the
new password.

4. The application will send an email to the user confirming that the
password has been changed.

In other words lost passwords should be treated as a security event.

Cheers
Antonio Spera
Senior Security Analyst

-----Original Message-----
From: dpw [mailto:dainw at fsr.com] 
Sent: Thursday, 16 June 2005 10:34 a.m.
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Password Recovery

Just thinking out loud, what if the user had to provide their username and
answered their secret question - and only then would the password be emailed
to the email address that matches the account? 

Seems like that'd at least preserve some semblance of multi-factor
authentication.

Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net




-----Original Message-----
From: Ofer Maor [mailto:ofer.hacktics at gmail.com] 
Sent: Wednesday, June 15, 2005 4:20 PM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Password Recovery


I have to say I agree with Bruce here. 

The secret questions as a password recovery means are pretty lame. With many
of the questions being too trivial or having too trivial answers, I have had
success many times while performing pentests in breaking into the
application through the password recovery scheme.

With that said, we still need to see what we do about password recovery.
Personally, I believe that in highly sensitive applications (such as online
banking/insurance/etc.) - password recovery should be left for phone based
customer support. For others, there are some reasonably more secure
mechanisms, mainly such that rely both on a secret question, as well as
email verification of the user.

Basically - a user wants to recover his password, the user is instructed to
enter the username AND the email address. If the email address matches the
username, an email is sent to the user, with a link to the secret question
page. Only then, after the user has been verified once through the email,
the user gets the chance to enter the answer to the secret question. Now,
this is not a completely safe solution (emails can be sniffed, etc.), but I
think it's a few degrees tougher to break than just working on the secret
question and having your password reset.

Ofer.


---
Ofer Maor
CTO
Hacktics (http://www.hacktics.com/)
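A worked version of the reset flow Antonio and Ofer describe (username/e-mail match, an e-mailed link that expires after 48h, then the secret answer, then the new password, then a confirmation mail). This is added here as an example and is not code from either poster; the in-memory account store, the outbox standing in for a mailer and the example.invalid URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 48 * 3600  # the 48-hour expiry suggested in the thread


def pw_hash(secret: str, salt: bytes) -> bytes:
    """One-way hash for passwords and secret answers; nothing reversible is stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ResetFlow:
    """Assumed in-memory store and outbox; a real app would use its database and mailer."""

    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts  # username -> {"email", "salt", "pw", "answer"}
        self.pending = {}         # username -> (sha256(token), expiry time)
        self.outbox = []          # (address, message) that would have been e-mailed
        self.now = now

    def request_reset(self, username: str, email: str) -> str:
        acct = self.accounts.get(username)
        # Same reply whether or not the pair matched, so the form cannot enumerate accounts.
        if acct is not None and hmac.compare_digest(acct["email"].encode(), email.encode()):
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[username] = (digest, self.now() + TOKEN_TTL)
            # Only the link travels by e-mail; the password itself never does.
            self.outbox.append((email, f"https://example.invalid/reset?u={username}&t={token}"))
        return "If the account exists, an e-mail has been sent."

    def _token_valid(self, username: str, token: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self.pending[username]  # expired: discard so it can never be used
            return False
        return hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest())

    def complete_reset(self, username: str, token: str, answer: str, new_password: str) -> bool:
        """Link token, then secret answer, then the new password and a confirmation mail."""
        if not self._token_valid(username, token):
            return False
        del self.pending[username]  # single use: a wrong answer needs a fresh request
        acct = self.accounts[username]
        if not hmac.compare_digest(acct["answer"], pw_hash(answer, acct["salt"])):
            return False
        acct["pw"] = pw_hash(new_password, acct["salt"])
        self.outbox.append((acct["email"], "Your password has been changed."))
        return True
```

Consuming the token on a wrong answer gives one guess per e-mailed link, which limits the guessing attack on secret questions that Ofer describes.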


-----Original Message-----
From: Dave King [mailto:davefd at davewking.com] 
Sent: Wednesday, June 15, 2005 23:31
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Password Recovery


Hi All-
    I was wondering what everyone's opinion is on good password recovery
options for a web application.  In OWASP's penetration testing document
it says "Ensure that the user must respond to a secret answer or secret
question or other predetermined information before passwords can be
reset."  However, Bruce Schneier and others disagree; check out this blog
post: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
Basically he says these secret questions drastically lessen security
because it's easier to guess the answer to the secret question than it
is to guess the password.  Does anyone have an opinion on this, or has anyone
found another solution that works well?

Thanks,
Dave King


---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

