[WEB SECURITY] Password Recovery

Irene Abezgauz irene.abezgauz at gmail.com
Mon Jun 20 18:36:49 EDT 2005

The issue is, as always, the balance between the users feeling
comfortable and the desired security level.
You could say the domain could get changed/hijacked, but that's not a
very likely scenario, you can't protect against everything. For the case
of the change/hijacking you have the secret question issue, where you
make sure with another layer of security that even if your link falls
into the wrong hands - it's not enough to just hijack that account.
You could of course say passwords are unrecoverable, and a new one will
be delivered to you over postal. Then again, the person could have moved
to a different apartment and somebody else will get his mail.
What I am trying to say is, nothing is 100% proof. You can go that extra
mile, the question is - will your users?
Unfortunately, they usually won't. That's why you need to find the
balance between comfort and security.
The way I see it, mailing a complex link and then requesting the secret
question/answer is a good two-layered measure that provides with
relatively safe password reset/recovery.
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Email: irene at hacktics.com
Web: www.hacktics.com
-----Original Message-----
From: Willie Northway [mailto:willn at umich.edu] 
Sent: Monday, June 20, 2005 8:41 PM
To: ams67
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Password Recovery
On Jun 15, 2005, at 10:12 AM, ams67 wrote:
> 1. Send the user an e-mail to the address specified to the account. 
> This
> will alert the user that a request of changing password has been 
> initiated.
> The email contains also a secure web link (link) and a provisional 
> password
> (will expire, let's say, within 48h) that will allow the user to 
> access the
> secure web link (https).
This works well with free throw-away accounts, but isn't so secure with 
accounts that are tied to anything important. Unfortunately, you're 
assuming that the ownership of that domain you're mailing to hasn't 
changed since the email address was registered with your site.
If the domain gets picked up by someone else (because it expires, is 
sold, or is hijacked because it isn't locked), then someone can set up 
a default address and receive everything sent to that domain - 
including your password reset hash.
If you're accepting a question/answer response as a multi-factor 
authentication step to reset the password, then why are you taking the 
extra step of sending that hash cleartext via email where it could land 
in someone's hands? If you trust the use who answered the questions 
properly enough to send them email, why not just give them the 
opportunity to reset the password right there?
Of course, if this was for a serious application, you could add to your 
list of questions, asking for the billing address on the account. Next, 
you could send one of the 2 needed password hashes through the postal 
mail to that location.
- Willie
Willie Northway                  University of Michigan Webmaster Team
http://willienorthway.com/       http://www.umich.edu/~umweb/
The Web Security Mailing List
The Web Security Mailing List Archives
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20050621/0cf96063/attachment.html>

More information about the websecurity mailing list