WebApp Sec mailing list archives
RE: "Forgot Password" function
From: <Matthew_Chalmers () bankone com>
Date: Sat, 19 Oct 2002 16:50:14 -0400
Not having to call a helpdesk can save time and money. Plus users may need a password reset at 3am on a Sunday when the helpdesk isn't staffed.

Sending a password in email is risky, compounded by the fact that many people download their mail using unencrypted POP authentication. There are commercial solutions that send a password to the user's preregistered cell phone or pager, which is arguably more secure than email, and the phone/pager is like a token only the user should have. Another commercial solution records a voiceprint and a phone number during registration, so when the password is reset the system calls the number and matches the voice to the print; then a sampled voice gives the password.

In any case the system shouldn't be able to retrieve the password; it should have to reset it to something random, and a time-out should be associated with it, so the account gets disabled if there's no successful login before the time is up. Also the user should be forced to change the password upon successful login.

A cheap and easy method is to have the user pick one or more security question/answer pairs during registration, which is mentioned in the OWASP Guide. But the user could pick silly things like "What color is the sky: blue" and anyone could reset the user's password, which is why I don't necessarily agree with the OWASP advice of not giving the user a list of questions to choose from. This, however, may be no better than certain personally-identifiable bits of info like SSN--it's extra data that must be stored, and once someone knows it he/she can reset the user's password anytime. (The main advantage of random q/a over PII is that nothing personal is at stake if the database is hacked, and the q/a can be changed if needed.)

In any case it depends on who the user is, like internal or external. If it's a system for employees then you can probably justify storing PII for self-service password reset. If it's a public webmail service then it depends on how much you value your customers and their privacy...simply letting anyone who knows a username have a reset password sent to an alternate, stored email may be fine.

--
Matthew Chalmers
Information Security
BANK ONE CORPORATION
matthew_chalmers () bankone com

-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com]
Sent: Friday, October 18, 2002 2:25 PM
To: Brecrost Jones; webappsec () securityfocus com
Subject: Re: "Forgot Password" function

The problem with email is obviously that you put a password in plaintext, which is no good. If possible, consider going low tech. Have them pick up a phone to call someone and verify personal information to reset the password.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Brecrost Jones" <brecrost () hotmail com>
To: <webappsec () securityfocus com>
Sent: Friday, October 18, 2002 1:31 PM
Subject: "Forgot Password" function
I'm looking for opinions on the most secure way to implement a "Forgot my password" function for a website. I know that having this feature is probably an inherent security risk, but __assuming that it is a required feature__ what would be the most secure way to implement it?

Is the "enter your email address and we'll mail you the password" the best way to go? As far as I can tell, it's the most common. But I'm not sure if I'm comfortable sending the password in a clear text email message. I don't really like the "secret question" method either, since if someone can get the question, they may be able to guess the answer.

Are there other methods out there? Has anyone come up with a novel solution that is more secure?

Thanks for any input.
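The reset flow Chalmers lays out above (the system never retrieves the password, it overwrites it with a random one, the random one expires and disables the account if unused, and a successful login with it forces a change) written out as an added example. This is not code from anyone in the thread. It assumes an in-memory account store, PBKDF2-SHA256 for password hashing, and a 15-minute reset window; delivery of the temporary password over the out-of-band channel (phone, pager, alternate address) is left to the caller.

```python
"""Self-service password reset in the shape the thread recommends (example code).

Assumptions: in-memory store, PBKDF2-SHA256 hashing, 15-minute reset window.
The service never learns or returns an existing password; a reset replaces it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60   # assumption: window in which the temporary password must be used
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    disabled: bool = False
    must_change: bool = False
    reset_deadline: Optional[float] = None   # epoch seconds; set while a temporary password is live


class PasswordResetService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def issue_reset(self, user: str, now: float) -> str:
        """Overwrite the password with a random one and return it for out-of-band delivery.

        Note the side effect: the old password stops working immediately, so whatever
        triggers this (web form, helpdesk) needs rate limiting or an attacker can lock
        users out by requesting resets they never receive.
        """
        acct = self.accounts[user]
        temp = secrets.token_urlsafe(12)          # about 96 bits of entropy, URL/SMS safe
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(temp, acct.salt)
        acct.must_change = True
        acct.reset_deadline = now + RESET_TTL_SECONDS
        return temp

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'must_change', 'disabled' or 'denied'.

        'must_change' means the caller may only offer the change-password step.
        """
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users (timing)
            return "denied"
        if acct.disabled:
            return "disabled"
        # Temporary password not used in time: disable the account, as the thread suggests.
        if acct.reset_deadline is not None and now > acct.reset_deadline:
            acct.disabled = True
            return "disabled"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return "denied"
        if acct.must_change:
            return "must_change"   # deadline stays set until the change completes
        return "ok"

    def change_password(self, user: str, current: str, new: str, now: float) -> bool:
        """Complete the forced change; only succeeds if the current password still verifies."""
        if self.login(user, current, now) not in ("ok", "must_change"):
            return False
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new, acct.salt)
        acct.must_change = False
        acct.reset_deadline = None
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.register("alice", "correct horse")
    temp = svc.issue_reset("alice", now=1000.0)   # deliver `temp` via phone/pager, not email
    print(svc.login("alice", temp, now=1001.0))   # must_change
    print(svc.change_password("alice", temp, "new passphrase", now=1002.0))
    print(svc.login("alice", "new passphrase", now=1003.0))   # ok
```

The two states worth noticing are `must_change`, which the calling web layer has to treat as "show only the change-password page", and `disabled` after the deadline, which is what makes an unused temporary password harmless rather than a standing credential. Because the reset overwrites the existing hash, the route that calls `issue_reset` is itself a denial-of-service target and should sit behind the same rate limiting as the login form.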
Current thread:
- Re: "Forgot Password" function, (continued)
- Re: "Forgot Password" function Jeroen Latour (Oct 18)
- Re: "Forgot Password" function Chris Shepherd (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Mark Curphey (Oct 18)
- Re: "Forgot Password" function Kevin Spett (Oct 18)
- Re: "Forgot Password" function Brecrost Jones (Oct 18)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Sverre H. Huseby (Oct 19)
- Re: Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- Password Recovery (long) was Re: "Forgot Password" function Charles Miller (Oct 19)
- RE: "Forgot Password" function wsmith (Oct 18)
- RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
- RE: "Forgot Password" function William Bartholomew (Oct 20)
- Re: "Forgot Password" function Kevin Spett (Oct 20)
