[WEB SECURITY] Password Recovery

ulrich.boche at sva.de ulrich.boche at sva.de
Fri Jun 17 07:56:30 EDT 2005


On Thursday, 16.06.2005 at 02:12ZE12, "ams67" <ams67 at ihug.co.nz> wrote:
> Let's not forget that emails go across the network in clear text (if not
> encrypted, of course). Also it will push the user to save the email for
> future reference (bad idea). Therefore I would never send sensitive
> information such as user credentials via email. Furthermore, if the user can
> retrieve the password it means that the Web application is either storing
> the password in clear text or using reversible encryption, both a bad
> security practice.
> IMHO lost passwords should not be retrieved at all. The web application
> should force the user to reset the password following something similar to
> the following procedure:
>
> 1. Send the user an e-mail to the address specified for the account. This
> will alert the user that a request to change the password has been initiated.
> The email also contains a secure web link (link) and a provisional password
> (will expire, let's say, within 48h) that will allow the user to access the
> secure web link (https).
>
> 2. After logging in to the secure web link the user should answer one or more
> preselected secret questions (e.g. policy insurance number or/and date of
> birth). This will prevent random anonymous attacks.
>
> 3. Finally the web application will show a form where the user can input the
> new password.
>
> 4. The application will send an email to the user confirming that the
> password has been changed.
>
> In other words lost passwords should be treated as a security event.
>
> Cheers
> Antonio Spera
> Senior Security Analyst
>

Unfortunately, your approach is rather susceptible to a phishing attack.
Specifically, the "secure link" within the email is a bad idea because it
can be manipulated at will.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
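As an added example that is not part of the thread, here is a minimal server-side store for the expiring, single-use provisional password (reset token) from step 1 of the quoted procedure; the class, method names and 48h lifetime constant are hypothetical choices for illustration:

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the list thread. Only the hash of each token is
# stored, so a leaked table does not let anyone complete a reset; tokens are
# single-use and expire after the lifetime suggested in the quoted message.

TOKEN_LIFETIME_SECONDS = 48 * 3600  # the "within 48h" expiry from the thread


class ResetTokenStore:
    def __init__(self, lifetime=TOKEN_LIFETIME_SECONDS):
        self.lifetime = lifetime
        self._pending = {}  # account -> (sha256(token) hex, expiry timestamp)

    def issue(self, account, now=None):
        """Create a fresh token for `account`; the raw value goes only into the e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Issuing a new token invalidates any earlier one for the same account.
        self._pending[account] = (digest, now + self.lifetime)
        return token

    def redeem(self, account, presented, now=None):
        """Return True exactly once for a valid, unexpired token, then discard it."""
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if now >= expires_at:
            del self._pending[account]  # expired: clean up and refuse
            return False
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return False  # wrong guess leaves the pending token in place
        del self._pending[account]  # single use: a second attempt must fail
        return True
```

Logging each issue/redeem call with the account and timestamp gives the "security event" trail the quoted message asks for.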


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/