[WEB SECURITY] Password Reset

Martin, Christopher chrismartin at corelogic.com
Wed May 26 15:01:40 EDT 2010


Nice, I am always open to open source. When I say in-house I also include open source as a prominent alternative/part of the overall solution.

-----Original Message-----
From: Nick Owen [mailto:owen.nick at gmail.com] On Behalf Of Nick Owen
Sent: Wednesday, May 26, 2010 12:39 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Password Reset

Instead of developing an in-house OTP solution, you could utilize and
contribute to our open-source two-factor auth solution:

http://www.wikidsystems.com/community-version

It includes a nice API with packages for Python, Java, C#, and Ruby.

The PC tokens also include a mutual HTTPS authentication system that
relies on cryptography to prevent network-based MiTM attacks, unlike
image-based solutions, which I find hard to believe actually defeat
anything.

We appreciate any contributions. The Hurricane Labs guys have written
their own WiKID token in Python, e.g.

Nick

On 05/26/2010 12:07 PM, Martin, Christopher wrote:
> OK folks, you have all made my day today....lol, passwords not required,
> DOB, rainbow, etc....omg  hehehe  even got me to go to instant message speak.
> 
> IMHO, SMS OTP is a really good system if it is acceptable from a cost
> perspective. In the past I have seen other alternatives for the
> "something you have" portion of multifactor authentication, which used a
> simple paper card with a matrix to choose from (I think it was an Entrust
> solution). OTP is truly a good way to go for any password scheme, but in
> the public consumption space cost effectiveness always seems to lose.
> 
> The SiteKey that Bank of America uses is excellent (I believe it is part
> of an RSA solution), good one Arian, in combination with the personal
> questions. CAPTCHA is also a must-have to at least reduce the spam
> instances (it won't stop the serious efforts but can reduce the scripted ones).
> 
> Understanding that cost may be a consideration, and not knowing the scope
> of sources (consumers, enterprise, partners) or sensitivity of the data,
> we don't know cost, but we can at least start with the fact that SiteKeys,
> CAPTCHAs, personal questions, idle timeouts, smart lockouts, etc., even
> SMS OTP, can be developed in house by strong developers for lower cost
> than commercial solutions if that does become an issue.
> 
> I guess the bottom line is that the value of what you are trying to protect
> will guide your direction (or should).
> 
> Chris
> 
> From: Jim Manico [mailto:jim at manico.net]
> Sent: Tuesday, May 25, 2010 7:58 PM
> To: Arian J. Evans
> Cc: Webappsec Group
> Subject: Re: [WEB SECURITY] Password Reset
> 
> Arian,
> 
> I only back your proposed solution below if you add Mike Bailey's "Are
> you who you say you are?" checkbox. Defense in depth, right?
> 
> - Jim
> 
> PS: That was very sarcastic.
> 
> Also Jim - I should have added earlier - but one of my financial
> institutions uses pictures for account reset with their questions.
> 
> Personally I find them cute and easy to remember. I always go for the
> pictures of the motorcycles - they catch my eye and it is super easy for me
> to remember which one I picked.
> 
> Maybe a modern solution like this would work for you too?
> 
> If you can't build it secure - might as well make it fun!
> 
> Looks like some folks have suggested using public-record data like
> DOB. That stuff is always fun too!
> 
> --
> Arian Evans
> 
> On Tue, May 25, 2010 at 5:09 PM, <neza0x at gmail.com> wrote:
> 
>     Not too much to do with those restrictions. Hopefully this is not a
>     sensitive system; otherwise I would go for SMS cell message validation.
> 
>     1. Enforce account lockout for the username too.
>     2. Use CAPTCHA.
>     3. Security questions should be tied to PII instead of simple questions
>     like "color of your first car". You could ask for the last four digits of
>     your license, social, or employee ID. This works for home-grown applications
>     and requires other controls like encryption to safely store sensitive
>     answers.
> 
>     All depends on the sensitivity of the system you are trying to protect.
> 
>     Hope this helps.
> 
>     Sent via BlackBerry from Danux Network
> 
>     ________________________________
>     From: Jim Manico <jim at manico.net>
>     Date: Tue, 25 May 2010 15:07:38 -0700
>     To: 'Webappsec Group' <websecurity at webappsec.org>
>     Subject: [WEB SECURITY] Password Reset
> 
>     Hey Folks,
> 
>     I have a hard requirement to build a password reset feature that does not
>     include an emailed link or cell phone account verification. I'm thinking:
> 
>     1) Enter your username
>     2) Answer a pre-set security question
>       2a) Ensure the security question answer is at least as strong as the
>     current password policy (ouch - this might radically limit usability)
>     3) Enforce account lockout around security question failure
> 
>     I still don't like it - which is why I'm spamming you. :) Any thoughts?
> 
>     Aloha,
>     Jim
> 

-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
http://twitter.com/wikidsystems
#wikid on irc.freenode.net

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
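As an added example (not code from anyone in this thread), here is Jim's three-step reset flow from the original message combined with the controls the replies raise: answers stored only as salted, stretched hashes (neza0x's point about protecting stored answers), lockout after repeated failures, and one uniform "no" for unknown usernames, wrong answers and locked accounts so the endpoint does not enumerate accounts. All names, threshold values and the sample account are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed policy values for the example; tune to the deployment.
LOCKOUT_THRESHOLD = 5        # wrong answers before the account is locked
LOCKOUT_SECONDS = 15 * 60    # how long the lockout lasts
PBKDF2_ROUNDS = 200_000


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise case/whitespace, then stretch with PBKDF2 so a leaked table
    of answers is as expensive to crack as a leaked table of passwords."""
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> dict:
    """Step 2 enrolment: store only a salted hash of the answer, never the text."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_answer(answer, salt),
            "failures": 0, "locked_until": 0.0}


def verify_reset_answer(users: dict, username: str, answer: str, now: float) -> bool:
    """Steps 1-3 of the flow: look up the username, check the answer, lock out
    after repeated failures. Unknown user, wrong answer and locked account all
    return the same bare False so the response does not enumerate accounts."""
    rec = users.get(username)
    if rec is None:
        _hash_answer(answer, b"\x00" * 16)  # burn comparable time (dummy salt)
        return False
    if now < rec["locked_until"]:
        return False                        # locked: do not even evaluate the answer
    if hmac.compare_digest(_hash_answer(answer, rec["salt"]), rec["hash"]):
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    if rec["failures"] >= LOCKOUT_THRESHOLD:
        rec["locked_until"] = now + LOCKOUT_SECONDS
        rec["failures"] = 0
    return False


if __name__ == "__main__":
    users = {"jim": enroll("  Blue  Honda ")}   # constructed sample account
    print(verify_reset_answer(users, "jim", "blue honda", 0.0))   # True
```

The lockout counter lives on the account record, so it triggers regardless of which client sends the guesses; the CAPTCHA step the thread also recommends would sit in front of this function.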


