[WEB SECURITY] Password Recovery

ams67 ams67 at ihug.co.nz
Fri Jun 17 13:44:48 EDT 2005



-----Original Message-----
From: ulrich.boche at sva.de [mailto:ulrich.boche at sva.de] 
Sent: Friday, 17 June 2005 11:57 p.m.
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Password Recovery

On Thursday, 16.06.2005 at 02:12ZE12, "ams67" <ams67 at ihug.co.nz> wrote:
> Let's not forget that emails go across the network in clear text (if not
> encrypted of course). Also it will push the user to save the email for
> future reference (bad idea). Therefore I would never send sensitive
> information such as user credentials via email. Furthermore if the user can
> retrieve the password it means that the Web application is either storing
> the password in clear text or using reversible encryption, both a bad
> security practice.
> IMHO lost passwords should not be retrieved at all. The web application
> should force the user to reset the password following something similar to
> the following procedure:
>
> 1. Send the user an e-mail to the address specified to the account. This
> will alert the user that a request of changing password has been initiated.
> The email contains also a secure web link (link) and a provisional password
> (will expire, let's say, within 48h) that will allow the user to access the
> secure web link (https).
>
> 2. After logging in to the secure web link the user should answer one or more
> preselected secret questions (e.g. policy insurance number and/or date of
> birth). This will prevent random anonymous attacks.
>
> 3. Finally the web application will show a form where the user can input the
> new password.
>
> 4. The application will send an email to the user confirming that the
> password has been changed.
>
> In other words lost passwords should be treated as a security event.
>
> Cheers
> Antonio Spera
> Senior Security Analyst
>

Unfortunately, your approach is rather susceptible to a phishing attack.
Specifically the "Secure link" within the email is a bad idea because it
can be manipulated at will.
--
Ulrich Boche
SVA GmbH, Germany


-------------------------------------------------------------------------

If the user will not check the details of the digital certificate, then yes,
the approach can be susceptible to a phishing attack. However, most of the
latest browsers have a built-in anti-phishing feature.
--
Antonio Spera
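The server side of the reset procedure quoted in this thread (provisional credential that expires after 48h, secret-question check, single use before the new-password form), as an added example that is not code from either poster. It assumes the secret answer comes from the account record, stores only hashes, and locks the request after three wrong answers (an assumption, not something the thread specifies).

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600   # the 48h provisional-credential lifetime from the thread
MAX_QUESTION_ATTEMPTS = 3       # assumption: abandon the request after three wrong answers


class PasswordResetStore:
    """Server-side state for the reset flow: issue a one-time credential,
    require the secret answer, then allow the new-password form once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # username -> {"token_hash", "expires_at", "answer_hash", "attempts"}
        self._pending = {}

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def issue(self, username: str, secret_answer: str) -> str:
        """Return the provisional credential to put in the e-mail (step 1).
        Only its hash is kept, so a leaked table cannot be replayed.
        secret_answer would normally be read from the account record."""
        token = secrets.token_urlsafe(32)
        self._pending[username] = {
            "token_hash": self._digest(token),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "answer_hash": self._digest(secret_answer.strip().lower()),
            "attempts": 0,
        }
        return token

    def redeem(self, username: str, token: str, answer: str) -> bool:
        """True only if the credential is current and unused and the secret
        answer matches (step 2); the caller then shows the form (step 3)."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[username]          # provisional credential expired
            return False
        if not hmac.compare_digest(entry["token_hash"], self._digest(token)):
            return False                          # wrong credential: no hint given
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["answer_hash"], self._digest(answer.strip().lower())):
            if entry["attempts"] >= MAX_QUESTION_ATTEMPTS:
                del self._pending[username]      # too many wrong answers: start over
            return False
        del self._pending[username]              # single use: consumed on success
        return True
```

A real deployment would replace the plain SHA-256 over the low-entropy secret answer with a slow password hash and would log each redeem outcome, since the thread treats a lost password as a security event.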


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
