
Re: [WEB SECURITY] quick question on password reset 'best practices'



Our first reaction is to always limit the amount of information we disclose to the bad guys, including valid usernames/emails. However, we're not seeing the value of the generic error messages in the login/password reset flows as we might in web-based systems. For context I'm talking about timing attacks as described by the guys at Sensepost, a highly recommended read:

It's all about timing...
http://www.sensepost.com/blog/1303.html

I've seen similar attacks executed and vulns identified as they've described, both before and after their paper's release, on a number of websites. For the most part an attacker can tell which usernames are valid on the website, whether or not you get a generic error message, by the speed of the response.

IMHO, the larger the userbase and the more predictable the usernames, the less valuable generic messages are. Big systems make bigger targets for username/email address harvesting. So on smaller systems, generic messages are advisable. On bigger ones, the value is likely diminished and would cost more in customer support if/when implemented.

Regards,

Jeremiah-


On Jun 2, 2008, at 10:37 AM, Joe White wrote:

User requests password reset but enters wrong email address as the username:

1)  Username = user email address
2)  user forgets password
3)  user goes to password reset page in the web app
4)  user enters email address as username and requests that his/her
password be reset
5)  user then gets a message similar to the following:

"If the username is valid, you should receive an email with your
password shortly."

However, what if the user enters the wrong email address?  Is it prudent to
display something similar to the following message in this case?

"This is not a valid username."

The recon and intelligence gathering implications of the latter
situation are potentially *huge*, but how do you best handle it when the
user enters an incorrect username?

Any thoughts?

thanks,
joe
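The timing side channel Jeremiah describes, shown as an added example (not code from either poster or from the Sensepost paper): a reset handler that returns the generic message but only does the expensive per-user work (token derivation, mail queueing) for real accounts still answers measurably faster for unknown usernames, while a handler that performs the same work on both paths closes that gap. The user store, salts and the pbkdf2 stand-in for the costly step are all constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed sample user store (hypothetical): username -> per-user salt.
USERS = {"alice@example.com": secrets.token_bytes(16), "bob@example.com": secrets.token_bytes(16)}
DUMMY_SALT = secrets.token_bytes(16)  # lets the "no such user" path do identical work
GENERIC = "If the username is valid, you should receive an email with your password shortly."
OUTBOX = []  # stands in for the mail queue

def derive_reset_token(salt: bytes) -> str:
    """Stand-in for the costly per-user step (hashing / signing a reset token)."""
    return hashlib.pbkdf2_hmac("sha256", secrets.token_bytes(32), salt, 50_000).hex()

def reset_naive(username: str, stats: dict) -> str:
    """Generic message, but the expensive step runs only when the account exists."""
    salt = USERS.get(username)
    if salt is not None:
        stats["work"] = stats.get("work", 0) + 1
        OUTBOX.append((username, derive_reset_token(salt)))
    return GENERIC

def reset_constant_work(username: str, stats: dict) -> str:
    """Same expensive path for everyone; only the mail send depends on existence."""
    salt = USERS.get(username, DUMMY_SALT)
    stats["work"] = stats.get("work", 0) + 1
    token = derive_reset_token(salt)
    if username in USERS:
        OUTBOX.append((username, token))
    return GENERIC

def work_count(handler, usernames) -> int:
    """How many times the expensive step ran across the given requests."""
    stats = {}
    for name in usernames:
        handler(name, stats)
    return stats.get("work", 0)

def timing_gap_ms(handler, known: str, unknown: str, rounds: int = 5) -> float:
    """Median response-time difference (ms) between a known and an unknown username."""
    def median_ms(name):
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            handler(name, {})
            samples.append((time.perf_counter() - t0) * 1000)
        return sorted(samples)[rounds // 2]
    return median_ms(known) - median_ms(unknown)

if __name__ == "__main__":
    for h in (reset_naive, reset_constant_work):
        print(h.__name__, f"{timing_gap_ms(h, 'alice@example.com', 'nobody@example.com'):.1f} ms gap")
```

Run against your own reset endpoint, `timing_gap_ms` is the self-check: a gap of tens of milliseconds with the naive handler and near zero with the constant-work one, which is what makes the generic message worth anything in the first place.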


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec


Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA







Brought to you by http://www.webappsec.org