WebApp Sec mailing list archives
Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 18 Oct 2002 16:40:39 -0400
I'd like to remind everyone that unencrypted email offers no authentication or privacy. There is no protection against MITM attacks. Consider the following scenario:

An evil, mean, no-good hacker breaks into a mailserver. In an atrocious display of lack of respect for personal privacy, said hacker proceeds to peruse the mailserver's users' e-mail. This hacker sees a newsletter, account registration confirmation, order receipt, etc. from an online retailer, service, etc. The hacker uses the information in the email, which may or may not contain the actual username, to go to the site and use the handy dandy "I forgot my password, please email it to me" application. The server complies with this request and emails the account holder a new password, or a link to where the new password can be obtained, or a clever riddle whose answer is the new password, or whatever. Choose your method of delivery. The hacker, from his bedroom in a suburban California neighborhood, reads the password, visits the link, solves the riddle, etc. Since he or she (I'd like to give a shout out to all the lady hackers out there, keeping it real no doubt) has control of the mailserver, the hacker then makes sure that the email never reaches the actual account holder. The hacker abuses the account in each and every last way possible, leaving no options for exploitation unexplored. The actual account holder receives a Mastercard statement for thousands of dollars in goods he or she did not purchase and a visit from the Department of Homeland Security, who demand to know why that person attempted to purchase maps of burglary tools, weapons and controlled substances. What else do you do with stolen credit card numbers?

Does this sound amazingly theoretical to anyone? It's not. This kind of thing happens each and every day in deep, dark dungeons of cyberspace. The only good solution is complete re-authentication of the account holder. The local cable company in my area does this.
If you lose your password to the bill paying application, you must enter all of your personal information (DOB, CC#, exp. date, address, etc.) again to get a new password. If you've got a problem with that, you have to call their "customer service professionals" and explain your case.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 1:31 PM
Subject: "Forgot Password" function
I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website. I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message. I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer.

Are there other methods out there? Has anyone come up with a novel solution that is more secure? Thanks for any input.
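As an added illustration (not code from this thread or its authors), here is one way to implement the "complete re-authentication" approach Kevin describes: the caller must re-supply every stored identity attribute before any reset token is minted, and the token itself is single-use, short-lived and stored only as a hash. The account store, the attribute names, the 15-minute lifetime and the lockout threshold are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (hypothetical values): the identity attributes
# a caller must re-supply before any reset is issued.  A real store would keep
# these hashed; they are plaintext here only to keep the example short.
ACCOUNTS = {
    "alice": {"dob": "1975-03-02", "card_last4": "4242", "zip": "90210",
              "password": "old-secret"},
}

TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed)
MAX_FAILURES = 5      # lock re-authentication after this many wrong attempts
_pending = {}         # sha256(token) -> (username, expiry); raw token never stored
_failures = {}        # username -> failed re-authentication attempts


def _matches(expected, supplied):
    # constant-time comparison so attribute checks do not leak via timing
    return hmac.compare_digest(expected.encode(), supplied.encode())


def request_reset(username, claimed, now=None):
    """Re-authenticate the caller against every stored attribute; only then
    mint a single-use token.  Returns the raw token (deliver out of band,
    never store it) or None."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is None or _failures.get(username, 0) >= MAX_FAILURES:
        return None
    # evaluate every attribute (no short-circuit) so failures take uniform time
    ok = all([_matches(acct[k], claimed.get(k, "")) for k in ("dob", "card_last4", "zip")])
    if not ok:
        _failures[username] = _failures.get(username, 0) + 1
        return None
    _failures[username] = 0
    token = secrets.token_urlsafe(32)
    _pending[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return token


def complete_reset(token, new_password, now=None):
    """Consume the token exactly once; unknown or expired tokens are rejected."""
    now = time.time() if now is None else now
    entry = _pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    ACCOUNTS[entry[0]]["password"] = new_password
    return True
```

Even with the token hashed and single-use, the delivery channel still matters: if it travels by unencrypted email, an attacker sitting on the mail server (the scenario above) can consume it first, which is why the re-authentication step has to carry the weight rather than the email.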