views: 606

answers: 4

How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9 digit number.

Note that user data is stored in a simple SQL table due to limitations on real database users on the server I'm working on.

Any input would be appreciated.

Update:
After making an attempt at OpenID and remembering that this server doesn't allow PHP (and thus, cURL) to make any external requests, I tried sending mail with PHP again. Apparently all of my previous terrible experiences with mail() on this server have gone away.

Thanks for all of your input, I may look into OpenID again in the future.

A: 

Without sending an email you are limiting yourself significantly. One of the benefits of sending a password reset code, or new password to someone's email address is you can rely on the assumption that they are the only person with access to their email account.

That said, you could use a "Secret Question" scheme to allow someone to reset their password. When this person creates their account you need to capture their secret question and the answer. You would then prompt the user with this question, and only permit resets if they answer correctly.

I must warn you that this is not a very good method of securing their password from unauthorized access. For a good article read: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

hobodave
The "secret question" is the most vulnerable attack vector in a system. Best not to use it.
Rex M
Yea, I'm aware of how it's more secure, I'm just trying to avoid it if at all possible.
Shadow
I would say that it's less that you *can* rely on single-user email, and more that everyone does. Just b/c everyone does it, doesn't make it good.
rampion
@Rex M - see my response to your comment above. Given my caveat I provided as well as the article on the disadvantages of this method, your comment adds nothing to the discussion. You provide no alternative solution either.
hobodave
+1  A: 

Typically, identifying a user as being real on the internet requires an "opt in" model where the user "opts" to have their password reset, and an email is sent confirming that they either want it reset, or that it has been reset and what the new reset password is.

Really, the only reasonably safe alternatives are ones that use a similar method. Send an email, sms text message they must reply to, automated phone call where they have to punch in digits, etc.

The only method I can think of that doesn't use this system would be a security question. Banks often use these for additional verification when users log in or fail to log in correctly a number of times. They are sometimes also used as a "secret" code for retrieving a password, but even then, it is typically emailed to the user, not displayed on the page.

Soviut
The first two paragraphs of your answer are spot-on but the last is awful. "Security Questions" are *unacceptably* insecure. They are the most vulnerable attack vector in a system - do not use them!
Rex M
I would hardly consider his paragraph awful. Only the OP can determine what is "acceptably" secure for his application's needs. Given his reluctance/inability to send an email, this is a suitable alternative.
hobodave
I agree that security questions are not very secure which is why I said they're usually only used for additional verification. It is a last resort sort of thing, the only method I could think of that didn't use email.
Soviut
+3  A: 

Punt on the password issue. Switch to OpenID. You don't have to worry about password reset, and the user only needs a new password if they want one.

It's a win-win.

rampion
It's not an open registration. It's only for specific people.
Shadow
How are you verifying that it's only these people creating accounts? You can do that verification AND use OpenID. E.g. - The superuser beta uses OpenID, but only those with a password can use it.
rampion
OpenID doesn't mean that registration is open, just which protocol is used for identification.
rampion
@hobodave - I'd say rethinking your requirements is applicable to the question.
rampion
Hmm...is there a good way to let the user opt to use the "legacy" authentication system, if you will, or let them use OpenID? or should I start another question?
Shadow
Another question might help you with specifics, but you could create an "add an OpenID to this account" feature (similar to how StackOverflow does it) for existing members.
rampion
@rampion: good point - unvoted down. :)
hobodave
Marked as answer due to the fact that it made me try mail() again, also made me think about trying harder for OpenID in the future.
Shadow
A: 

You have no way of knowing who is trying to reset "Joe's" password. It could be Joe, or it could be someone posing as Joe.

An alternative to sending an email is to either call one of Joe's phones with a one-time reset key or send an SMS message.

Calling Joe's phone with an audio message is easy with http://www.twilio.com/ But anyone might be able to pick up Joe's office phone. So usually you'd want an additional challenge before calling, e.g. a secret question/answer. By using the phone and the secret q&a, you've made things tougher for the bad guys but still doable by Joe.

Another idea is to send the reset message to someone that Joe trusts and who knows Joe. (Send either by email or by telephone / SMS.) A variant of this is to send to an employee who knows Joe, e.g. his assigned sales rep, HR rep, etc.

Use the post: Send a snail mail letter with the reset code in it. Would take a couple of days to get there, but theft of mail is a federal rap. See http://www.postalmethods.com/ If there are very bad possible negative outcomes, this can be a good solution.

For any of the above, Joe would enter the information when he sets up the account.

Another pattern is to require Joe to call into a help desk and let a human interrogate him.

Bottom line is that no technique is perfect. See the twitter breakin story: http://www.technewsworld.com/story/67612.html?wlc=1247790901&wlc=1248238327

Last thought: don't forget about anti-phishing. Often done by enabling Joe to choose a picture that the site will show him when doing something important. The idea is that a phishing site won't be able to replicate the UI, thus raising Joe's suspicions that he may not have arrived at the right site.

Larry K
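The "opt in" reset-code flow in Soviut's answer and the one-time reset key Larry K describes share the same server-side logic, shown here as an added example in Python (not code from any poster or from the OP's PHP app): a random code is issued, only its hash is stored, it expires, it is single-use, and wrong guesses are counted, which is what stops a short code from being brute-forced. The 15-minute TTL, the 5-attempt limit and the in-memory dict standing in for the OP's SQL table are assumptions; the delivery channel (mail(), SMS, phone) is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60   # assumed policy: reset code is valid for 15 minutes
MAX_ATTEMPTS = 5      # assumed policy: invalidate the code after 5 wrong guesses


@dataclass
class ResetRecord:
    token_hash: str     # SHA-256 of the code; the clear text is never stored
    expires_at: float
    attempts: int = 0


class PasswordResetService:
    """Issue and redeem one-time reset codes; stands in for a SQL table."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # user_id -> ResetRecord (would be a SQL row)

    def issue(self, user_id: str) -> str:
        # 128 random bits: far beyond the ~30 bits of a 9-digit number, so the
        # code cannot be guessed online even without the attempt limit below.
        token = secrets.token_urlsafe(16)
        self.pending[user_id] = ResetRecord(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self.now() + TOKEN_TTL,
        )
        return token   # caller sends this out of band; it is not kept anywhere

    def redeem(self, user_id: str, token: str) -> bool:
        rec = self.pending.get(user_id)
        if rec is None:
            return False
        if self.now() > rec.expires_at:
            del self.pending[user_id]      # expired: user must request a new code
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, rec.token_hash):
            rec.attempts += 1              # constant-time compare, then count the miss
            if rec.attempts >= MAX_ATTEMPTS:
                del self.pending[user_id]  # too many guesses: code is dead
            return False
        del self.pending[user_id]          # single use: consumed on success
        return True
```

On success the caller lets the user set a new password and should also invalidate any other live sessions for that account.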