[WEB SECURITY] Password Recovery

ams67 ams67 at ihug.co.nz
Fri Jun 17 13:44:48 EDT 2005

-----Original Message-----
From: ulrich.boche at sva.de [mailto:ulrich.boche at sva.de] 
Sent: Friday, 17 June 2005 11:57 p.m.
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Password Recovery

On Thursday, 16.06.2005 at 02:12ZE12, "ams67" <ams67 at ihug.co.nz> wrote:
> Let's not forget that emails go across the network in clear text (if not
> encrypted, of course). Also, it will push the user to save the email for
> future reference (a bad idea). Therefore I would never send sensitive
> information such as user credentials via email. Furthermore, if the user
> can retrieve the password, it means that the Web application is either storing
> the password in clear text or using reversible encryption, both bad
> security practices.
> IMHO lost passwords should not be retrieved at all. The web application
> should force the user to reset the password following something similar to
> the following procedure:
> 1. Send the user an e-mail to the address specified for the account. This
> will alert the user that a request to change the password has been made.
> The email also contains a secure web link (link) and a provisional password
> (will expire, let's say, within 48h) that will allow the user to access the
> secure web link (https).
> 2. After logging in to the secure web link the user should answer one or more
> preselected secret questions (e.g. insurance policy number and/or date of
> birth). This will prevent random anonymous attacks.
> 3. Finally the web application will show a form where the user can input the
> new password.
> 4. The application will send an email to the user confirming that the
> password has been changed.
> In other words lost passwords should be treated as a security event.
> Cheers
> Antonio Spera
> Senior Security Analyst

Unfortunately, your approach is rather susceptible to a phishing attack.
Specifically, the "secure link" within the email is a bad idea because it
can be manipulated at will.
Ulrich Boche
SVA GmbH, Germany


If the user does not check the details of the digital certificate, then yes,
the approach can be susceptible to a phishing attack. However, most of the
latest browsers have a built-in anti-phishing feature.
Antonio Spera
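The four-step reset procedure from Antonio's quoted message, as an added example that is not part of the original thread or any poster's code: an in-memory Python model in which the reset token is random, stored only as a hash, single-use and expired after the 48h window the message suggests; the secret answer must match (constant-time compare) before a new password is accepted; and a confirmation message is sent at the end. The host www.example.test, the account data, the `outbox` list standing in for the mail system, and PBKDF2 as the password hash are all assumptions. It goes one step beyond the message in replying identically whether or not the address exists, so the request endpoint cannot be used to enumerate accounts. It does not, and cannot, address Ulrich's point: the link is only as trustworthy as the e-mail channel it travels over.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600                      # the 48h window suggested in the thread
RESET_URL = "https://www.example.test/reset?token="  # hypothetical site (assumption)


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2; stands in for whatever password hash the deployment uses."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 50_000)


def normalize_answer(answer: str) -> str:
    """Secret answers are matched case-insensitively with whitespace collapsed."""
    return " ".join(answer.split()).lower()


class ResetService:
    """In-memory model of the reset flow; `outbox` is a constructed stand-in for SMTP."""

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}    # email -> salted hashes of password and secret answer
        self.resets = {}   # sha256(token) -> reset state; the raw token is never stored
        self.outbox = []   # (recipient, body) pairs that would have been e-mailed

    def register(self, email: str, password: str, secret_answer: str) -> None:
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[email] = {
            "pw_salt": pw_salt, "pw_hash": hash_secret(password, pw_salt),
            "ans_salt": ans_salt,
            "ans_hash": hash_secret(normalize_answer(secret_answer), ans_salt),
        }

    def check_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(hash_secret(password, user["pw_salt"]), user["pw_hash"])

    # Step 1: e-mail a one-time, time-limited link. Nothing sensitive is in the mail.
    def request_reset(self, email: str) -> str:
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
            self.resets[digest] = {"email": email, "expires": self.now() + TOKEN_TTL_SECONDS,
                                   "answered": False, "used": False}
            self.outbox.append((email, "A password reset was requested for this account. "
                                       "If it was you, continue here: " + RESET_URL + token))
        # Same reply whether or not the address exists (account-enumeration guard,
        # a detail the thread itself does not discuss).
        return "If that address is registered, a reset link has been sent."

    def _live_reset(self, token: str):
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        rec = self.resets.get(digest)
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return None
        return rec

    # Step 2: the link alone is not enough; the secret answer must match as well.
    def answer_question(self, token: str, answer: str) -> bool:
        rec = self._live_reset(token)
        if rec is None:
            return False
        user = self.users[rec["email"]]
        ok = hmac.compare_digest(hash_secret(normalize_answer(answer), user["ans_salt"]),
                                 user["ans_hash"])
        if ok:
            rec["answered"] = True
        return ok

    # Steps 3 and 4: store the new password hashed with a fresh salt, burn the token,
    # and confirm the change by mail so the owner learns of any reset they did not make.
    def set_new_password(self, token: str, new_password: str) -> bool:
        rec = self._live_reset(token)
        if rec is None or not rec["answered"]:
            return False
        user = self.users[rec["email"]]
        user["pw_salt"] = secrets.token_bytes(16)
        user["pw_hash"] = hash_secret(new_password, user["pw_salt"])
        rec["used"] = True
        self.outbox.append((rec["email"], "Your password has been changed. "
                                          "If you did not do this, contact support immediately."))
        return True


def token_from_mail(body: str) -> str:
    """Pull the token back out of a constructed outbox message (demo helper)."""
    return body.split(RESET_URL, 1)[1]


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice@example.test", "old-pass", "1980-01-01")  # constructed account
    svc.request_reset("alice@example.test")
    token = token_from_mail(svc.outbox[-1][1])
    print("answer ok:", svc.answer_question(token, "1980-01-01"))
    print("reset ok :", svc.set_new_password(token, "new-pass"))
    print("reuse ok :", svc.set_new_password(token, "again"))   # token is single-use
```

The clock is injectable so expiry can be exercised without waiting; in a real deployment the `resets` table would also be rate-limited per account and the token compared only through its hash, as here, so a database leak does not hand out live reset links.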
