[WEB SECURITY] Password Recovery

Willie Northway willn at umich.edu
Mon Jun 20 14:41:09 EDT 2005

On Jun 15, 2005, at 10:12 AM, ams67 wrote:
> 1. Send the user an e-mail to the address specified to the account. This
> will alert the user that a request of changing password has been initiated.
> The email contains also a secure web link (link) and a provisional password
> (will expire, let's say, within 48h) that will allow the user to access the
> secure web link (https).

This works well with free throw-away accounts, but isn't so secure with 
accounts that are tied to anything important. Unfortunately, you're 
assuming that the ownership of that domain you're mailing to hasn't 
changed since the email address was registered with your site.

If the domain gets picked up by someone else (because it expires, is 
sold, or is hijacked because it isn't locked), then someone can set up 
a default address and receive everything sent to that domain - 
including your password reset hash.

If you're accepting a question/answer response as a multi-factor 
authentication step to reset the password, then why are you taking the 
extra step of sending that hash cleartext via email where it could land 
in someone's hands? If you trust the user who answered the questions 
properly enough to send them email, why not just give them the 
opportunity to reset the password right there?

Of course, if this was for a serious application, you could add to your 
list of questions, asking for the billing address on the account. Next, 
you could send one of the 2 needed password hashes through the postal 
mail to that location.

- Willie

Willie Northway                  University of Michigan Webmaster Team
http://willienorthway.com/       http://www.umich.edu/~umweb/
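A defensive sketch of the token half of the reset flow discussed above (an added example, not code from the original thread or from either poster): the e-mailed link carries a random token, only its digest is stored server-side, the token expires after the 48 hours ams67 mentions, is single-use, and is bound to the address it was mailed to so it stops working if the account's e-mail is changed afterwards. The names Account, ResetStore, RESET_TTL and the in-memory dict store are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

RESET_TTL = 48 * 3600  # the 48-hour validity window from the thread (seconds)


@dataclass
class Account:
    username: str
    email: str
    password_hash: str = ""


@dataclass
class ResetStore:
    # sha256(token) -> (username, email the link was mailed to, expiry time)
    pending: dict = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        # Only the digest is kept at rest, so a leaked store does not yield
        # usable reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: Account, now: float) -> str:
        # 256-bit random token; this is the value that goes into the e-mail link.
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = (account.username, account.email, now + RESET_TTL)
        return token

    def redeem(self, token: str, accounts: dict, now: float):
        """Return the Account the token unlocks, or None if it is unusable."""
        # pop() makes the token single-use whether or not the rest of the checks pass.
        entry = self.pending.pop(self._key(token), None)
        if entry is None:
            return None
        username, email_at_issue, expires_at = entry
        if now > expires_at:
            return None  # provisional credential expired
        acct = accounts.get(username)
        # Bind the token to the address it was sent to: a later change of the
        # account's e-mail invalidates any reset that was mailed to the old one.
        if acct is None or acct.email != email_at_issue:
            return None
        return acct
```

Binding to the stored address does nothing against the domain takeover Willie describes, since the attacker then legitimately receives mail for the unchanged address; it only limits how long and how often a mailed token is usable.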
