[WEB SECURITY] Password Recovery

Al gr at ziano.fsnet.co.uk
Thu Jun 16 06:57:18 EDT 2005

I agree that a password should not be sent back by any means but rather just
reset each time the user forgets it. First, because unless the password is
sent confidentially, it can be sniffed and used successfully. Second, it
implicitly fosters bad practice by allowing users to have a range of
credentials scattered in their mail box, unless they are wise enough to
delete them straight away. 

Sending an email to the user with a secure link and a provisional password
may seem a good approach to prevent random anonymous attacks. However, the
user may be on holiday for two weeks while someone is trying to reset their
password. As we know, an email can be sniffed, and so the attacker could use
the secure link and provisional password to gain access to the "secret
questions"-answering part, and we are back to square one, which is about
using appropriate and not easy to guess secrets.

A better way to do this would be to still send the user an email with a
secure link in it, but send the provisional password elsewhere, for instance
as a text message to the user's registered mobile number.

This way, even if the attacker gets hold of the email, the password is
protected on the user's phone, and the user will also be alerted that a
password reset process has been initiated. If you are on holiday you are more
likely to have your phone with you than your laptop...


> -----Original Message-----
> From: ams67 [mailto:ams67 at ihug.co.nz]
> Sent: 15 June 2005 15:12
> To: websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] Password Recovery
> Let's not forget that emails go across the network in clear text (if not
> encrypted, of course). Also, it will push the user to save the email for
> future reference (bad idea). Therefore I would never send sensitive
> information such as user credentials via email. Furthermore, if the user can
> retrieve the password it means that the Web application is either storing
> the password in clear text or using reversible encryption, both bad
> security practice.
> IMHO lost passwords should not be retrieved at all. The web application
> should force the user to reset the password following something similar to
> the following procedure:
> 1. Send the user an e-mail to the address specified for the account. This
> will alert the user that a request to change the password has been
> initiated. The email also contains a secure web link (https) and a
> provisional password (which will expire, let's say, within 48h) that will
> allow the user to access the secure web link.
> 2. After logging in to the secure web link the user should answer one or
> more preselected secret questions (e.g. policy insurance number and/or date
> of birth). This will prevent random anonymous attacks.
> 3. Finally the web application will show a form where the user can input
> the new password.
> 4. The application will send an email to the user confirming that the
> password has been changed.
> In other words, lost passwords should be treated as a security event.
> Cheers
> Antonio Spera
> Senior Security Analyst
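
The two-channel reset that the reply above proposes (link by email, provisional code by text message, with the 48-hour expiry from the quoted procedure), as an added example that is not part of either post; the service class, the example.invalid URL and the outbox stand-in for the mail and SMS gateways are assumptions, and storing the new password once the check passes is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 48 * 3600   # provisional credential expires within 48h, as proposed in the thread
MAX_ATTEMPTS = 5                # a 6-digit SMS code must not be guessable by retrying

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()  # store hashes only: a DB leak must not hand out live credentials

@dataclass
class ResetRequest:
    email: str
    link_hash: str      # hash of the token embedded in the emailed link
    code_hash: str      # hash of the short code sent to the registered phone
    expires_at: float
    attempts: int = 0
    used: bool = False

class PasswordResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.pending: dict[str, ResetRequest] = {}
        # Constructed stand-in for the mail and SMS gateways: (channel, destination, body).
        self.outbox: list[tuple[str, str, str]] = []

    def begin(self, user: str, email: str, phone: str) -> None:
        link_token = secrets.token_urlsafe(32)
        sms_code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = ResetRequest(email, _digest(link_token), _digest(sms_code),
                                          self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append(("email", email, f"https://example.invalid/reset?u={user}&t={link_token}"))
        # The SMS doubles as the alert that a reset was started, even if the mailbox is being read.
        self.outbox.append(("sms", phone, f"Password reset requested for {user}. Code: {sms_code}"))

    def complete(self, user: str, link_token: str, sms_code: str) -> bool:
        req = self.pending.get(user)
        if req is None or req.used or self.now() > req.expires_at:
            return False
        req.attempts += 1
        if req.attempts > MAX_ATTEMPTS:
            del self.pending[user]    # burn the request rather than let the code be brute-forced
            return False
        if not (hmac.compare_digest(req.link_hash, _digest(link_token))
                and hmac.compare_digest(req.code_hash, _digest(sms_code))):
            return False
        req.used = True               # single use: a replayed link and code no longer work
        self.outbox.append(("email", req.email, f"The password for {user} has been changed."))
        return True
```

An attacker holding only the mailbox has the link but not the code; the user still gets the SMS alert and the confirmation email either way.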
