[WEB SECURITY] Password Recovery

dpw dainw at fsr.com
Thu Jun 16 11:31:55 EDT 2005


Back to the original issue... IMHO, people have to carry around too many
passwords which necessitates them adopting some sort of "throwaway"
password, which leads to them forgetting the password two weeks later.

I recently wrote a security system that didn't use username/passwords at all
for authentication. I relied entirely on allowing the user to provide their
own memorable secret question, and their own memorable answer. 

Why would I go against Bruce Schneier on this? Well, besides the fact that I
intrinsically "don't know better", I felt that it is easier for a person to
remember a lengthy "normal language" sentence than it is to remember a short
"gobbledegook" password string. 

I realized that the "throwaway" password string people normally use is not
secure at all from a brute force standpoint, and even if a 10 word sentence
is all "normal language", it's immeasurably harder to brute force. To beef
up the system even further, I only allow them 3 tries to type in their
answer before I lock them out by IP, session & cookie.

But I digress - the point is, my users are using incredibly long, easy to
remember "passwords", happily, and they're not forgetting them. In fact, I
hear a lot about how much they like the system, and wish other sites did
this. Of course, when I read what Bruce had to say about this, I was a
little dismayed.... and who wouldn't be?

Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net




-----Original Message-----
From: Ofer Maor [mailto:ofer.hacktics at gmail.com] 
Sent: Wednesday, June 15, 2005 4:20 PM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Password Recovery


I have to say I agree with Bruce here. 

The secret questions as a password recovery means are pretty lame. With many
of the questions being too trivial or having too trivial answers, I have had
success many times while performing pentests in breaking into the
application through the password recovery scheme. 

With that said, we still need to see what we do about password recovery.
Personally, I believe that in highly sensitive applications (such as online
banking/insurance/etc.) - password recovery should be left for phone based
customer support. For others, there are some reasonably more secure
mechanisms, mainly such that rely both on a secret question, as well as
email verification of the user.

Basically - a user wants to recover his password, the user is instructed to
enter the username AND the email address. If the email address matches the
username, an email is sent to the user, with a link to the secret question
page. Only then, after the user has been verified once through the email,
the user gets the chance to enter the answer to the secret question. Now,
this is not a completely safe solution (emails can be sniffed, etc.), but I
think it's a few degrees tougher to break than just working on the secret
question and having your password reset.

Ofer.


---
Ofer Maor
CTO
Hacktics (http://www.hacktics.com/)

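The two-step flow Ofer describes above (username AND email must match, a link is mailed, and only then is the secret question asked), combined with the bounded-attempts lock-out Dain describes earlier in the thread, as an added Python example that is not code from either poster nor from any product mentioned here. The hostname, the 15-minute link lifetime, PBKDF2 for hashing the stored answer, the lower-casing of answers before hashing, and the in-memory "outbox" standing in for an SMTP send are all assumptions of the example.

```python
"""Two-step password recovery: e-mail-verified link first, secret question second,
with a bounded attempt counter. Added example; not code from the original thread."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: recovery link is valid for 15 minutes
MAX_ANSWER_ATTEMPTS = 3       # the thread's "3 tries" before lock-out


def _answer_hash(answer: str, salt: bytes) -> bytes:
    # Normalise so "Rover" and " rover " compare equal, then stretch with PBKDF2
    # so a leaked table of answers is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


@dataclass
class User:
    username: str
    email: str
    question: str
    answer_salt: bytes
    answer_hash: bytes
    failed_answers: int = 0
    locked: bool = False


@dataclass
class RecoveryToken:
    username: str
    expires_at: float
    used: bool = False


class RecoveryService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.users: Dict[str, User] = {}
        self.tokens: Dict[str, RecoveryToken] = {}
        self.outbox: List[Tuple[str, str]] = []   # (address, link): stand-in for SMTP
        self.now = now

    def register(self, username: str, email: str, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, email.lower(), question, salt,
                                    _answer_hash(answer, salt))

    def request_recovery(self, username: str, email: str) -> None:
        # Step 1: username AND e-mail must match. The caller gets the same (empty)
        # response either way, so this form cannot be used to enumerate accounts.
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.email.encode(), email.lower().encode()):
            return
        token = secrets.token_urlsafe(32)                   # unguessable, single-use
        self.tokens[token] = RecoveryToken(username, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((user.email, f"https://example.test/recover?token={token}"))

    def _live_token(self, token: str) -> Optional[RecoveryToken]:
        rt = self.tokens.get(token)
        if rt is None or rt.used or self.now() > rt.expires_at:
            return None
        return rt

    def open_link(self, token: str) -> Optional[str]:
        # Step 2: only a live, unused token reaches the secret-question page.
        rt = self._live_token(token)
        return None if rt is None else self.users[rt.username].question

    def answer_question(self, token: str, answer: str) -> bool:
        # Step 3: constant-time check of the answer, at most MAX_ANSWER_ATTEMPTS tries.
        rt = self._live_token(token)
        if rt is None:
            return False
        user = self.users[rt.username]
        if user.locked:
            return False
        if hmac.compare_digest(_answer_hash(answer, user.answer_salt), user.answer_hash):
            rt.used = True                  # burn the link; the reset may now proceed
            user.failed_answers = 0
            return True
        user.failed_answers += 1
        if user.failed_answers >= MAX_ANSWER_ATTEMPTS:
            user.locked = True              # account-level lock; the thread also locks by IP,
            rt.used = True                  # session and cookie, which is outside this example
        return False
```

The point of the ordering is that an attacker who can guess a weak secret answer still has to get past the mailed link first, and the link expires, is single-use and is burned on lock-out, so the three guesses cannot be retried against a fresh link without another e-mail to the real owner. The unchanged response for a non-matching username/e-mail pair keeps the recovery form from doubling as an account-enumeration oracle.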

-----Original Message-----
From: Dave King [mailto:davefd at davewking.com] 
Sent: Wednesday, June 15, 2005 23:31
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Password Recovery


Hi All-
    I was wondering what everyone's opinion is on good password recovery 
options for a web application.  In OWASP's penetration testing document 
it says "Ensure that the user must respond to a secret answer or secret 
question or other predetermined information before passwords can be 
reset."  However Bruce Schneier and others disagree, check out this blog 
post http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html 
.  Basically he says these secret questions drastically lessen security 
because it's easier to guess the answer to the secret question than it 
is to guess the password.  Does anyone have any opinion on this or have 
found another solution that works well?

Thanks,
Dave King


---------------------------------------------------------------------
The Web Security Mailing List http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

