Home page logo

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 18 Oct 2002 16:40:39 -0400

I'd like to remind everyone that unencrypted email offers no authentication
or privacy.  There is no protection against MITM attacks.  Consider the
following scenario:

An, evil, mean, no-good hacker breaks into a mailserver.
In an atrocious display of lack of respect for personal privacy, said hacker
proceeds to peruse the mailserver's users' e-mail.
This hacker sees a newsletter, account registration confirmation, order
reciept, etc. from an online retailer, service, etc.
The hacker uses the information in the email, which may or may not contain
actual username, to go to the site and uses the handy dandy "I forgot my
password, please email it to me" application..
The server complies with this request and emails the account holder a new
password, or a link to where the new password can be obtained, or a clever
riddle whose answer is the new password, or whatever.  Choose your method of
The hacker, from his bedroom in a suburban California neighborhood, reads
the password, vists the link, solves the riddle, etc.  Since he or she (I'd
like to give a shout out to all the lady hackers out there, keeping it real
no doubt) has control of the mailserver, the hacker then makes sure that the
email never reaches the actual account holder.
The hacker abuses the account in each and every last way possible, leaving
no options for exploitation unexplored.
The actual account holder recieves a Mastercard statement for thousands of
dollars in goods he or she did not purchase and a visit from the Department
of Homeland Security who demand to know why that person attempted to
purchase maps of burglarly tools, weapons and controlled substances.  What
else do you do with stolen credit card numbers?

Does this sound amazingly theoretical to anyone? It's not.  This kind of
thing happens each and every day in deep, dark dungeons of cyberspace.  The
only good solution is complete re-authentication of the account holder.  The
local cable company in my area does this.  If you lose your password to the
bill paying application, you must enter all of your personal information
(DOB, CC#, exp. date, address, etc.) again to get a new password.  If you've
got a problem with that, you have to call their "customer service
professionals" and explain your case.

Kevin Spett
SPI Labs

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 1:31 PM
Subject: "Forgot Password" function

I'm looking for opinions on the most secure way to implement a "Forgot my
password" function for a website.  I know that having this feature is
probably an inherent security risk, but __assuming that it is a required
feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best
way to go?  As far as I can tell, it's the most common.  But I'm not sure
I'm comfortable sending the password in a clear text email message.

I don't really like the "secret question" method either, since if someone
can get the question, they may be able to guess the answer.

Are there other methods out there?  Has anyone come up with a novel
that is more secure?

Thanks for any input.

Get faster connections -- switch to MSN Internet Access!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]