[WEB SECURITY] Password Recovery

Daniel deeper at gmail.com
Wed Jun 15 22:28:17 EDT 2005


OK, as one of the authors of that pentest guide, I'll add why I still
think that the password/question is still valid.

Let's take the scenario which most of the UK internet banks currently use:

- first you need to decide on a secret word, minimum 8 characters with
some kind of mixed case where possible

OK, I'll choose 1chickenwithmany222cooks

Go ahead, guess that one to start.

When you forget your password, AND even when you log on, you're asked to
quote a random selection of characters from that secret password (such
as the 1st and 7th).
Now yeah, theoretically you could guess this, but let's be really
honest here and put some kind of risk rating on this exercise.

Hmm, hang on, you're now asking me to guess random characters from that
as well? Oh wait, there is also an option in the app which locks the
user out after 3 failed attempts?

There is no be-all and end-all of forgotten-password techniques; they
should all be taken into consideration and the best possible solution
used.

Now I know I'm expecting flames from this... but fire away.

Daniel Cuthbert
OWASP.org

On 6/16/05, Rich Salz <rsalz at datapower.com> wrote:
> > Just thinking out loud, what if the user had to provide their username and
> > answered their secret question - and only then would the password be emailed
> > to the email address that matches the account?
> 
> Isn't this standard practice?  "We mailed a password to the email address
> on file."
> 
>         /r$
> --
> Rich Salz                  Chief Security Architect
> DataPower Technology       http://www.datapower.com
> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
> 
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
>

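The mechanism Daniel describes above (a challenge on randomly chosen character positions of a secret word, combined with a lockout after 3 failed attempts), as an added Python example. This is not code from the original thread, from OWASP, or from any bank: the account store, the class and function names, and the 36-character alphabet used for the risk estimate are assumptions; the secret 1chickenwithmany222cooks and the 3-attempt lockout are taken from the post. `guess_success_probability` puts a number on the "risk rating" the post asks for, assuming an attacker who knows nothing about the secret and guesses uniformly, with fresh random positions on every attempt.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3   # lockout threshold quoted in the thread
CHALLENGE_POSITIONS = 2   # e.g. "the 1st and 7th" character


@dataclass
class Account:
    # Constructed example record. A partial-password check needs access to
    # individual characters, so the secret is held in recoverable form here;
    # that is the known trade-off of this scheme and the store must be
    # protected accordingly (encrypted at rest, tightly access-controlled).
    secret: str
    failed_attempts: int = 0
    locked: bool = False
    pending_challenge: tuple = None   # 0-based positions of the open challenge


class PartialPasswordVerifier:
    """Hypothetical server-side verifier for the bank-style challenge."""

    def __init__(self, accounts):
        self.accounts = accounts   # username -> Account

    def issue_challenge(self, username):
        """Pick fresh random positions and return them 1-based for display."""
        acct = self.accounts[username]
        if acct.locked:
            raise PermissionError("account locked")
        rng = secrets.SystemRandom()   # CSPRNG, not random.random()
        positions = sorted(rng.sample(range(len(acct.secret)), CHALLENGE_POSITIONS))
        acct.pending_challenge = tuple(positions)
        return [p + 1 for p in positions]

    def verify(self, username, answer):
        """Check the answer to the open challenge; count failures and lock out."""
        acct = self.accounts[username]
        if acct.locked or acct.pending_challenge is None:
            return False
        expected = "".join(acct.secret[p] for p in acct.pending_challenge)
        acct.pending_challenge = None   # one-shot: every attempt gets new positions
        if hmac.compare_digest(expected.encode(), answer.encode()):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return False


def guess_success_probability(alphabet_size,
                              positions=CHALLENGE_POSITIONS,
                              attempts=MAX_FAILED_ATTEMPTS):
    """Chance that a blind guesser passes the challenge before lockout.

    Each attempt succeeds with probability 1 / alphabet_size**positions;
    positions are re-drawn every time, so attempts are treated as independent.
    """
    per_attempt = 1.0 / alphabet_size ** positions
    return 1.0 - (1.0 - per_attempt) ** attempts


if __name__ == "__main__":
    verifier = PartialPasswordVerifier({"daniel": Account("1chickenwithmany222cooks")})
    asked = verifier.issue_challenge("daniel")
    print("please enter characters at positions", asked)
    # Risk estimate for a 2-position challenge over digits + lowercase letters
    print("blind-guess success before lockout:", guess_success_probability(36))
```

The estimate ignores an attacker who has partial knowledge of the secret (shoulder-surfing one character, for example), so a real risk rating should also consider how many characters an adversary could plausibly have observed and whether the lockout is per account or per source.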