views:

427

answers:

8

I came across this statement

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

Can someone clarify why forgotten passwords are a risk? I plan to handle it by sending the user a link in their email to reset the password, but will not provide them with the old password (since it's hashed anyway), and will not ask them for the old password when resetting. Is there something risky about my approach?

+2  A: 

Your approach sounds very safe to me :) Of course it should be a one-time link!

Also the "success" and "email address not found" message/page should be the same. And have an anonymous text.

Like:

"If your mail address is in our system we have sent you an email"

In this way, someone will be unable to determine if the email address is in your system or not!

Phliplip
Nothing is worse than having lost the login and not being informed by the system that the email address entered is the correct one. Please don't print the same text for success and failure, or users will hate you. Because, you know, users *do* use multiple email addresses and users *do* forget their passwords and logins, and don't even know which email address they used to sign up for which site. Don't forget: Your site may be the absolutely most important thing in the world *for you*, but for the user, it may be just something he uses now and then, and doesn't login often.
OregonGhost
They could eventually check their mailbox for the applied email, to see if it's the right one!??
Phliplip
@Phliplip: How long should they wait? One minute? Ten minutes? One hour for each email they tried? Or should they just enter all email addresses, and then still wait an hour? What if they made a typo? There's nothing wrong with helping users to get along. Trust me, users are getting furious if it takes a long time to get into the system, if all they want to do is just look up something for a minute. They may as well create a new login in the meantime, which may not be the thing you wanted in the first place.
OregonGhost
@OregonGhost: Point-taken! Removed bad advice!
Phliplip
I'm sorry but I do not agree with OregonGhost. OWASP says to present the same message no matter if a user has a bad password, bad user name, etc, because hackers can pinpoint the information they are getting incorrect and focus their hacking efforts properly. If you present the same message, it is much harder for a hacker to try and guess what bit of information is bad. A user can deal with the same message for any login error if the trade-off is accessing a site that is PCI compliant.
TheGeekYouNeed
@Cen: No, that's not what he was saying. He was saying to give the same error if the email was or was not found in the DB after a "forgot password request". This is not correct for the reasons @OregonGhost said.
nico
This discussion is taking on, so I rolled back my post so others can follow what we're talking about.
Phliplip
@Cen: nico is right. I accept (though don't like) that sites will present you with a generic "incorrect login" message when attempting to login. But the "forgot password" thing is different, since the user is already lost at this point and needs some help. Note that using a separate login name for the actual login, and *not* the email address, makes this actually more secure since a hacker can find out that a specific email address is used by the system, but the email address is not the login. But then, users tend to forget the login names anyway...
OregonGhost
Why don't you send a mail to [email protected] which states that his address is not in the system when someone tries to get his password via "forgot password"? So Alice gets fast feedback and Eve won't get any information.
atamanroman
@fielding: This implies that the email is instantly there, which is not always the case (I've seen systems where it takes several minutes, for whatever reason). It's also not as fast as seeing immediately that you entered the wrong address. This also does not help if there's a typo in the email address. And it provides an easy way for annoying people to abuse your site to send a lot of emails *from your site* to a lot of people, in the worst case resulting in email providers putting you on a spam list.
OregonGhost
@oregon: of course you shouldn't be allowed to spam hundreds of mails. Every system can be abused if there is no mechanism against it. I just suggested a method which could be (if properly implemented) a tradeoff between security and usability. And it's quite likely that someone exploits information about which accounts exist in your system, because this issue has already been exploited more than a few times. But there are ALWAYS different opinions from usability and security points of view (writing down passwords that often change vs keeping easy ones in your head all the time, ...)
atamanroman
+4  A: 

If Charlie can read Alice's e-mail, he can also gain access to all sites offering "lost password" functionality.

Sjoerd
If Charlie can read Alice's emails then the problem is definitely not in the "lost password" functionality, as he can use Alice's email to register to any site with a fake identity.
nico
The quoted statement says that you can send info to the email the user provided in the past. Like a lot of systems do. The system is relying on your email security (it's a reasonable thing). If you compromised your email security... well... sorry very much.
helios
@nico: That's a much smaller problem than Charlie getting access to all of Alice's existing user accounts. The problem very much *is* the "lost password" functionality; it's reasonable for environments with low security requirements, especially for free services where other approaches are too expensive. But it should be unacceptable for anything where real money is involved.
Michael Borgwardt
@Michael Borgwardt: Where money is involved you have credit card numbers and security codes etc etc which is another level of security. A lost password functionality is necessary for a "normal" website where otherwise you would have lots of users generating new accounts just because they don't remember their password... and probably getting frustrated because the system tells them that their email address is already used.
nico
This is a very valid security concern, but it is not what the questioner is asking. The referenced text does not discourage from the practice of email verification per-se, and resolving this in a secure way requires a much more complex authentication procedure than is in place in even moderately secure websites.
Joakim Lundborg
If Charlie can read Alice's emails, Alice has a lot more to worry about than her password on your website.
musicfreak
+2  A: 

Sending the user a link in an email is actually in compliance with the guidance given.

What it advises against is the practice of allowing users to reset their password without having to have any additional knowledge, i.e. something like a button that will reset the password without forcing the user to click the link in their email. I'm not sure I ever saw such a system, but it is certainly a bad idea =).

Joakim Lundborg
+9  A: 

Your approach is absolutely right, as long as you don't store the password.

Asking the security question is absolutely bad instead, as it's prone to be bypassed just by guessing an answer.

Just a little edit: although it may be difficult to catch all of them, you should try to disallow the usage of mailinator email accounts (or email addresses from similar services) because mailinator + forgot password = disaster.

nico
Whom to blame but the user in this case?
atamanroman
@fielding: absolutely true, but -depending on the website- you cannot (and should not) expect a very high knowledge about Internet security from your public.
nico
That's right, but in this particular case I would say it's the admin's job, not ours. Everybody should know that it's more than an oops-a-daisy if you forget your password and lose access to your email address (which was somehow fake). Make it idiot proof and someone will make a better idiot ;)
atamanroman
agree on avoiding security questions... they are bad passwords (not forced to follow a good policy of including uppercase, lowercase, special characters, etc) that come with a "hint" to help the attacker guess the right answer :)
fms
+2  A: 

As long as you send the link to the e-mail you have stored on the system then you should be OK - and it's what I'd expect from a system.

I'd also send a confirmation "you have updated your password" to the same address.

Additionally, if the user changes their e-mail address you could consider sending an e-mail to the old address stating that it's been changed to the new one. Slightly annoying perhaps, but it would provide an extra point at which someone could spot if their account has been compromised.

ChrisF
+2  A: 

The most annoying technique would be the following: you click forgot password, are asked for your email and get your own password (which many users use for porn and their online banking ;)) back in plaintext instead of setting a new one.

I would just copy the big players' methods, like PayPal or Google. I think they should know what they do. The most common case should be: forgot password - get a link to your email where you can set a new one or generate a random, secure one (which the user will change back to 1234 immediately).

As we are there already: never return something like "wrong password", as this implies that at least the username exists.

atamanroman
+2  A: 

It's rather a sweeping statement and only a bad idea if you don't understand the risks involved and are sure that there is a net benefit (as with most things in life).

You should never store passwords in a recoverable form. Even allowing the customer to store a hint on your system puts the customer at risk. Passwords must always be stored using non-reversible mechanism - i.e. a hash. Given that is the case, you can't recover the customer's old password and send it to them.

Resetting the password on-demand to a random value, then emailing that value to the customer presents the opportunity to carry out denial of service attacks against individual logins (also the case when you disable an account after a number of failed login attempts).

That only leaves the option of generating an alternate login for the customer and emailing it to them - and flagging the account to force the customer to select a new password at next login.

All these approaches delegate the security of the customer account to the customer's email system (and all the other email and network components between your server and the customer's inbox) which can, at best, be very leaky - certainly it's not anything you can provide any guarantees of security over unless you control all of the infrastructure.

C.

symcbean
@symcbean, I suppose my solution (sending the user a link to reset their password) would fall into the realm of what you call `delegating the security of the customer account to the customers email system` which you feel is risky. So what alternative do you propose?
duder
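The reset flow the question describes, together with the points raised in the answers (Phliplip's one-time link and identical reply for known and unknown addresses, ChrisF's "password changed" confirmation, and symcbean's warning that resetting the password on demand lets a stranger lock a user out), as an added Python example; it is not code from the original page or from any poster. The mail hook, the clock, the site URL and the account data are constructed placeholders. The password is left untouched until the link is consumed, only a hash of the token is kept, and the token expires and works once.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed example values (not from the original page).
TOKEN_TTL_SECONDS = 30 * 60                          # reset link valid for 30 minutes
RESET_URL = "https://example.invalid/reset?token="   # placeholder site URL
GENERIC_REPLY = "If your mail address is in our system we have sent you an email"


@dataclass
class Account:
    email: str
    password_hash: str   # assumed to be a salted KDF hash; never the plaintext


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Email-link password reset: one-time, expiring tokens, hashed at rest."""

    def __init__(self, accounts, send_email, now=time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.send_email = send_email   # hypothetical hook: send_email(to, body)
        self.now = now                 # injectable clock so tests can expire tokens
        self.pending = {}              # sha256(token) -> ResetRecord

    @staticmethod
    def _hash_token(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Return the same reply whether or not the address is known."""
        account = self.accounts.get(email.strip().lower())
        if account is not None:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self.pending[self._hash_token(token)] = ResetRecord(
                account.email, self.now() + TOKEN_TTL_SECONDS)
            # Nothing about the account changes here: the old password keeps
            # working, so submitting someone else's address cannot lock them out.
            self.send_email(account.email, RESET_URL + token)
        return GENERIC_REPLY

    def complete_reset(self, token, new_password_hash):
        """Consume the link once; reject unknown, already used or expired tokens."""
        rec = self.pending.get(self._hash_token(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        # Retire every outstanding link for this account, not just the one used.
        for other in self.pending.values():
            if other.email == rec.email:
                other.used = True
        self.accounts[rec.email.lower()].password_hash = new_password_hash
        self.send_email(rec.email, "Your password was just changed.")
        return True


if __name__ == "__main__":
    outbox = []
    svc = PasswordResetService(
        [Account("alice@example.invalid", "hash-old")],   # constructed account
        lambda to, body: outbox.append((to, body)))
    print(svc.request_reset("nobody@example.invalid"))    # same text, no mail sent
    print(svc.request_reset("alice@example.invalid"))     # same text, one mail sent
    link_token = outbox[0][1][len(RESET_URL):]
    print(svc.complete_reset(link_token, "hash-new"))     # True, then never again
    print(svc.complete_reset(link_token, "hash-again"))   # False
```

Two things the snippet does not cover and a real deployment must: the reply text is identical but the mail send runs inline, so queue it (or otherwise fix the response time) if timing differences matter, and rate-limit requests per address and per source so the endpoint cannot be used to flood a mailbox, the abuse OregonGhost describes above.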
A: 

Another way I think is to use lost password software.