[WEB SECURITY] Password Reset

Nick Owen nowen at wikidsystems.com
Wed May 26 16:35:37 EDT 2010


This thread is of interest because our API includes a method to validate
a user. Enterprises can do this via AD credentials or whatever they see
fit, but for a consumer-facing website, it is trickier.  Figuring that
out would go a long way to making two-factor a lot more attractive for
those types of sites.

On 05/26/2010 03:01 PM, Martin, Christopher wrote:
> Nice, I am always open to open source. When I say in house I also
> include open source as a prominent alternative/part of the overall
> solution.
> 
> -----Original Message----- From: Nick Owen
> [mailto:owen.nick at gmail.com] On Behalf Of Nick Owen Sent: Wednesday,
> May 26, 2010 12:39 PM To: websecurity at webappsec.org Subject: Re: [WEB
> SECURITY] Password Reset
> 
> Instead of developing an in-house OTP solution, you could utilize
> and contribute to our open-source two-factor auth solution:
> 
> http://www.wikidsystems.com/community-version
> 
> Which includes a nice api with packages for python, java, C#, ruby.
> 
> The PC tokens also include a mutual https authentication system that 
> relies on cryptography preventing network-based MiTM attacks, unlike 
> image-based solutions, which I find hard to believe actually defeat 
> anything.
> 
> We appreciate any contributions. The Hurricane Labs guys have
> written their own WiKID token in python, eg.
> 
> Nick
> 
> On 05/26/2010 12:07 PM, Martin, Christopher wrote:
>> OK folks, you have all made my day today....lol, passwords not
>> required, DOB, rainbow, etc....omg  hehehe  even got me to go to
>> instant message speak.
>> 
>> IMHO, SMS OTP is a really good system if it is acceptable from a
>> cost perspective. In the past I have seen other alternatives to the
>> "something you have" portion of multifactor authentication, which
>> used a simple paper card with a matrix to choose from (think it was
>> an Entrust solution). OTP is truly a good way to go for any password
>> scheme, but from the public consumption space cost effectiveness
>> always seems to lose.
>> 
>> The SiteKey that Bank of America uses is excellent (I believe it is
>> part of an RSA solution), good one Arian, in combination with the
>> personal questions. Captcha is also a must have to at least reduce
>> the spam instance (won't stop the serious efforts but can reduce
>> the scripted ones).
>> 
>> Understanding that cost may be a consideration and not knowing the
>> scope of sources (consumers, enterprise, partners) or sensitivity
>> of the data, we don't know cost, but can at least start with the
>> fact that sitekeys, captchas, personal questions, idle timeouts,
>> smart lockouts, etc., even SMS OTP can be developed in house, by
>> strong developers for lower cost than commercial solutions if that
>> does become an issue.
>> 
>> I guess bottom line, value of what you are trying to protect will
>> guide your direction (or should).
>> 
>> Chris
>> 
>> *From:* Jim Manico [mailto:jim at manico.net] *Sent:* Tuesday, May 25,
>> 2010 7:58 PM *To:* Arian J. Evans *Cc:* Webappsec Group *Subject:*
>> Re: [WEB SECURITY] Password Reset
>> 
>> Arian,
>> 
>> I only back your proposed solution below if you add Mike Bailey's
>> "/Are you who you say you are?/" checkbox. Defense in depth,
>> right?
>> 
>> - Jim
>> 
>> PS: That was very sarcastic.
>> 
>> Also Jim - I should have added earlier - but one of my financial
>> institutions uses pictures for account reset with their questions.
>> 
>> Personally I find them cute, and easy to remember. I always go for
>> the pictures of the motorcycles - they catch my eye and super easy
>> for me to remember which one I picked.
>> 
>> Maybe a modern solution like this would work for you too?
>> 
>> If you can't build it secure - might as well make it fun!
>> 
>> Looks like some folks have suggested using public-record data like
>> DOB. That stuff is always fun too!
>> 
>> --
>> Arian Evans
>> 
>> On Tue, May 25, 2010 at 5:09 PM,  <neza0x at gmail.com>
>> <mailto:neza0x at gmail.com> wrote:
>> 
>> Not too much to do with those restrictions. Hopefully, this is not
>> a sensitive system, otherwise I will go for SMS cell message
>> validation.
>> 
>> 1. Enforce account lockout for username too.
>> 2. Use captcha.
>> 3. Security questions should be tied to PII info instead of simple
>> questions like "color of your first car". You could ask for the last
>> four digits of your license, social or employee id. This works for
>> home-grown applications and requires other controls like encryption
>> to safely store sensitive answers.
>> 
>> All depends on the sensitivity of the system you are trying to
>> protect.
>> 
>> Hope this helps.
>> 
>> Sent via BlackBerry from Danux Network
>> 
>> ________________________________
>> From: Jim Manico <jim at manico.net> <mailto:jim at manico.net>
>> Date: Tue, 25 May 2010 15:07:38 -0700
>> To: 'Webappsec Group' <websecurity at webappsec.org>
>> <mailto:websecurity at webappsec.org>
>> Subject: [WEB SECURITY] Password Reset
>> 
>> Hey Folks,
>> 
>> I have a hard requirement to build a password reset feature that
>> does not include an emailed link or cell phone account verification.
>> I'm thinking:
>> 
>> 1) Enter your username
>> 2) Answer a pre-set security question
>> 2a) Ensure the security question answer is at least as strong as
>> the current password policy (ouch - this might radically limit
>> usability)
>> 3) Enforce account lockout around security question failure
>> 
>> I still don't like it - which is why I'm spamming you. :) Any
>> thoughts?
>> 
>> Aloha,
>> Jim
>> 
> 

-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
http://twitter.com/wikidsystems
#wikid on irc.freenode.net
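The reset flow Jim sketches (username, pre-set question, answer held to the password policy, lockout on failure), combined with neza0x's point that stored answers need protection, as an added example that is not code from this thread or from WiKID. The policy thresholds (8 characters, three character classes, five failures) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed values, not from the thread: the reset answer must satisfy the same
# rule as passwords (length plus character classes) and five failures lock.
MIN_LEN = 8
MAX_FAILURES = 5


def meets_policy(secret):
    """Step 2a: one strength rule shared by passwords and reset answers."""
    if len(secret) < MIN_LEN:
        return False
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret))
    return sum(classes) >= 3


def hash_answer(answer, salt=None):
    """Salted, slow hash: a stolen table does not give up the answers in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", answer.strip().encode(), salt, 200_000)


class ResetService:
    def __init__(self):
        self.users = {}  # username -> {question, salt, digest, failures}

    def enroll(self, username, question, answer):
        if not meets_policy(answer):
            raise ValueError("answer does not meet the password policy")
        salt, digest = hash_answer(answer)
        self.users[username] = {"question": question, "salt": salt, "digest": digest, "failures": 0}

    def verify_answer(self, username, answer):
        """Steps 1-3: returns 'ok', 'denied' or 'locked'."""
        rec = self.users.get(username)
        if rec is None:
            hash_answer(answer, b"\x00" * 16)  # same cost, so unknown users are not distinguishable by timing
            return "denied"
        if rec["failures"] >= MAX_FAILURES:  # step 3: locked after repeated failures
            return "locked"
        _, digest = hash_answer(answer, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_FAILURES else "denied"
```

Unknown usernames and wrong answers return the same result, so the reset endpoint does not become a username oracle; the captcha Chris and neza0x both mention would sit in front of this check.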
