
Re: [WEB SECURITY] Forgot password best practices



On 2/23/07, Mike Klingler <whitehatguru@xxxxxxxxx> wrote:

> So my first question is this, What is the best way to allow for a
> reset password on a web application without revealing the existence of
> the account?

The question I struggle with is how important it is to not leak account information such as existence, etc.

If you have a reasonably large population and/or other information
leakage on a site, then it's pretty easy to leak usernames regardless.

If you have sign-up flows that aren't protected with flow/rate
limiters and/or captcha, then people can discover valid accounts
simply by trying to create new ones.

In either case I just make the assumption that usernames are going to
leak.  People don't treat their username as a security item.

So, while we don't want to make it easy to leak names, it isn't
feasible to prevent it either.

So, now down to password recovery...

> If you just respond "email sent" you will confuse those who don't have
> an account with that email.  Do you send an email saying "No account
> found?"  And if you do that should you limit the number of sent emails
> to 25 per IP per day (2 per account) to prevent abuse of the emails
> being sent?

I actually implemented a system just like this for a relatively computer-illiterate population. It asked for your login and sent email to the email address on record for the account. If the account didn't exist, it didn't tell you, and if the account did exist but didn't have mail it didn't tell you that either.

The mail that got sent had a link in it with a random key assigned to
that user for a 1-time password reset and the key expired in a
relatively short period of time.

A company could be configured to not allow self-password-reset
operations and in that case a user trying to recover, with an email on
file, would receive a note telling them to go through alternate
channels.

I'm not sure how well it's working and I'm going to try and get some
statistics.  Would be nice if someone did a study of the efficiency
and security of password recovery mechanisms... perhaps it has been
done?

We didn't like the security questions approach and it took more effort
and database work to do it anyway.

Has anyone seen any papers comparing the savings gained from a
password recovery implementation vs. the security?

--
Andy Steingruebl
steingra@xxxxxxxxx
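The flow Andy describes above (ask for the login, answer identically whether or not the account exists or has mail on file, send a random one-time link with a short expiry, and cap requests per IP and per account as Mike's numbers suggest) as an added example; this is not the poster's code or any project's code. It assumes an in-memory dict for storage, a list standing in for the outgoing mail queue, a 15-minute token lifetime (the post only says "relatively short"), and a placeholder reset URL.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60          # assumption: the post only says "relatively short"
MAX_PER_IP_PER_DAY = 25              # figures quoted in the thread
MAX_PER_ACCOUNT_PER_DAY = 2
UNIFORM_REPLY = "If that account exists and has an email on file, a reset link has been sent."
RESET_URL = "https://example.invalid/reset?token="   # placeholder, not a real endpoint


@dataclass
class Account:
    username: str
    email: Optional[str]             # None = account exists but has no address on record
    self_reset_allowed: bool = True  # False = company policy forbids self-service reset


@dataclass
class ResetService:
    accounts: dict                                   # username -> Account (stand-in for a DB)
    outbox: list = field(default_factory=list)       # (recipient, body) pairs, stand-in for SMTP
    pending: dict = field(default_factory=dict)      # sha256(token) -> (username, expiry)
    counters: dict = field(default_factory=dict)     # (kind, key, day) -> requests so far

    def _over_limit(self, kind, key, now, cap):
        """Count this request against a daily bucket and say whether the cap is exceeded."""
        bucket = (kind, key, int(now // 86400))
        self.counters[bucket] = self.counters.get(bucket, 0) + 1
        return self.counters[bucket] > cap

    def request_reset(self, username, client_ip, now=None):
        now = time.time() if now is None else now
        # Every branch returns the same string, so the requester learns nothing about
        # whether the account exists, has mail on file, or has been rate-limited.
        if self._over_limit("ip", client_ip, now, MAX_PER_IP_PER_DAY):
            return UNIFORM_REPLY
        acct = self.accounts.get(username)
        if acct is None or acct.email is None:
            return UNIFORM_REPLY
        if self._over_limit("acct", username, now, MAX_PER_ACCOUNT_PER_DAY):
            return UNIFORM_REPLY
        if not acct.self_reset_allowed:
            # Mail goes out, but it points the user at the alternate channel instead of a link.
            self.outbox.append((acct.email,
                                "Self-service reset is disabled; contact your administrator."))
            return UNIFORM_REPLY
        token = secrets.token_urlsafe(32)                       # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, now + TOKEN_TTL_SECONDS)   # store only the hash
        self.outbox.append((acct.email, f"Reset your password: {RESET_URL}{token}"))
        return UNIFORM_REPLY

    def redeem(self, token, now=None):
        """Return the username if the token is valid and unexpired, consuming it; else None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)      # pop makes the token one-time use
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            return None
        return username
```

Storing only the hash of the token means a leaked `pending` table cannot be turned into working reset links, and popping the entry on first use closes the window where a link found in a mailbox could be replayed. The caps follow the thread's numbers; a production deployment would keep the counters in shared storage so they survive restarts and apply across instances.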

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]