Home page logo

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: "Brecrost Jones" <brecrost () hotmail com>
Date: Fri, 18 Oct 2002 15:44:55 -0600

Kevin Spett wrote:
I'd like to remind everyone that unencrypted email offers no authentication
or privacy.  There is no protection against MITM attacks.  Consider the
following scenario:

An, evil, mean, no-good hacker breaks into a mailserver.
In an atrocious display of lack of respect for personal privacy, said hacker
proceeds to peruse the mailserver's users' e-mail.
This hacker sees a newsletter, account registration confirmation, order
reciept, etc. from an online retailer, service, etc.
The hacker uses the information in the email, which may or may not contain
actual username, to go to the site and uses the handy dandy "I forgot my
password, please email it to me" application..
The server complies with this request and emails the account holder a new
password, or a link to where the new password can be obtained, or a clever
riddle whose answer is the new password, or whatever. Choose your method of
The hacker, from his bedroom in a suburban California neighborhood, reads
the password, vists the link, solves the riddle, etc.  Since he or she (I'd
like to give a shout out to all the lady hackers out there, keeping it real
no doubt) has control of the mailserver, the hacker then makes sure that the
email never reaches the actual account holder.
The hacker abuses the account in each and every last way possible, leaving
no options for exploitation unexplored.
The actual account holder recieves a Mastercard statement for thousands of
dollars in goods he or she did not purchase and a visit from the Department
of Homeland Security who demand to know why that person attempted to
purchase maps of burglarly tools, weapons and controlled substances.  What
else do you do with stolen credit card numbers?

Does this sound amazingly theoretical to anyone? It's not.  This kind of
thing happens each and every day in deep, dark dungeons of cyberspace.  The
only good solution is complete re-authentication of the account holder. The
local cable company in my area does this.  If you lose your password to the
bill paying application, you must enter all of your personal information
(DOB, CC#, exp. date, address, etc.) again to get a new password. If you've
got a problem with that, you have to call their "customer service
professionals" and explain your case.

First off, thanks to everyone for their responses!

The above outlines perfectly the issue I am worried about, and that is the inherent insecurity of any email-based solution. Unfortunately, I did not express this very well in my original post. I originally stated that I was concerned about sending the password in plain text, which was a mistake for two reasons: One, I didn't even consider that I don't have access to the plaintext password (I am storing it in the database as an SHA-1 digest), and Two, my actual concern is that the email itself is plain text, so no matter what the contents of the email (plaintext password, link to secure page allowing password change, etc.), if someone intercepts that email, they can gain access to the account (right?).

So I guess what I was looking for is something that does not use email at all, and something that doesn't rely on a "secret question". So maybe the solution is as mentioned above: several "secret questions" (i.e. essentially re-entering all or most of the account information), or the low-tech "give us a call" method. I'm afraid that both of those solutions may be considered too inconvenient for the user by my project managers, but I suppose that is all too often the issue with security-related questions, the tradeoff between convenience and security.

Thanks again for all suggestions.

Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]