views: 144 | answers: 5

Before I begin, my reason for not using OAuth is I believe it is not really something we should be using on this project. We're targeting a platform that will be packaged and resold to companies, which connect to their own set of users; we really don't want to have accounts that we are not 100% in control of, we don't want it to be a shared login with other services, and we don't want to force people into getting a google/yahoo/openID/aol/facebook/blogger/wordpress/whatever account.

Now then, what I would like is the best way to let users reset a password.

I hate the concept of secret questions: What school did you go to? Well, let's check your facebook page. What was your first-grade teacher? Let's just ask them casually.

I hate using one-time passwords via email: Since when is email secure? Your boss reads it. You're sending out spam emails to me every day. It went into your junk bin. It's not sent encrypted.

I don't want to use a password to reset a password either. This just doesn't make sense.

I'm really out of ideas here for the best way to do this, so I figure I would ask the community.

+4  A: 

Barring being able to vet the person in person, I think you've listed all the reasonable options I've seen. In my opinion the one-time-password via email is the superior option as people tend to at least want to keep their email private. I personally hate secret questions - too big of a chance of the answers being public (see Sarah Palin email incident). If you are going to do secret questions, at least let the user choose their own questions.

Von
Here's my other problem with secret questions. I always input something else (like my fist against the keyboard a few times) because I don't like the idea of a simple back door into my account.
I always generate purely random answers for secret questions (the same way I generate pass phrases actually).
Von
The point of secret questions seems to be missed by the people implementing them. The questions need to be more personal and not public knowledge. E.g. Who was your first crush? What is your shoe size? What was your first car?
It Grunt
I have a big problem with questions that can so easily be socially engineered from me; I really don't want to act like a psychotic shut-in afraid to tell people my first girlfriend's name was Michelle because they could use that knowledge to break into my accounts.
@It Grunt: If you give the answer to one site, it's not a secret anymore. Benjamin Franklin said "the only way three people can keep a secret is if two of them are dead". These questions are a flawed idea.
Borealid
@Borealid: I heard it another way. **Secret**: Something you tell only one person at a time.
kbrimington
+7  A: 

Your problem is that you need to outsource trust. If the user forgets their password, you no longer have a direct way to trust them, so you have to use an outside source to reestablish your relationship.

If you think email is insecure (which it is, actually), you could try telephone. Give them a call with the temporary password. Or a fax. Or snail mail, or an SMS, etc.

This is as secure as the phone lines/postal carriers over which the reset travels, and in most areas, telephone intercepts or tampering with the mail is strictly punished by the law.

If that's no good, consider issuing users an OTP token, or smartcard, or something.

Borealid
By telephone is also a reasonable method; you need to collect the phone number from them when you first register the user, or have a trusted way to look it up when you need it.
Von
It may be worthwhile to note that the organization I'm first to deploy at maintains about 7000 user accounts, which is probably slightly higher than the median for other organizations.
@user257493: If they have that many users, they have support staff. If the users are within the company, a face-to-face ID check might be a viable option.
Borealid
The company will have between 5 and 20 people, all of whom are already doing the lines of business, without time to play help desk ("please reset my password"). Nor are they trained to deal with a Mallory calling pretending she's Alice.
+1  A: 

Make users select a secret image (or images). Or let the user upload their own image.

This works better than secret questions. Secret questions have two common problems:

  1. The user gives an answer that can be easily obtained by others.
  2. The user knows about the first problem and, instead of a real answer, gives a random answer, later forgetting what it was.

By making the user select secret image(s), or better yet upload their own images, it'll be easier for the user to recall it later when recovering the password, since it's easier to make visual associations.

When recovering the password, present the user with several choices to pick the right image.

Sergey G
That's a massive inconvenience and prone to some of the same problems as secret questions.
+1  A: 

So you actually want the user to prove that he is who he claims he is, without revealing information about himself (assuming you can get ANY information with social hacking).

There are 3 ways for authentication: Something you are (biometrics), Something you have (dongle for example) and Something you know (password,response...). 2 or 3-way authentication is much more secure than 1-way.

Password reset/recovery, by definition, reduces the security of the authentication procedure, because it's now not A, but (A or B). (A = password, B = recover password)

Therefore, even if your authentication procedure is 1-way (password), your recovery processes should be a 2-way authentication.

Let's see what are your options for the password recovery process:

  1. Something you are (SysAdmin that recognizes you - usually not good for a 5000-worker organization, voice-print - too expensive to implement, ...)
  2. Something you have (e-mail account, phone number, ...)
  3. Something you know (personal details)

Notice that corporate-ID tag with picture is a 2-way authentication (both something you are and something you have).

I think the best procedure is for the employee to physically go to the IT department, show his picture ID, and ask for a password reset.

If this is infeasible (too far - a remote branch for example), try to use a delegate who is recognized and can be trusted over the phone, so the employee will have to show the ID tag to a local delegate.

If you can't use the 'Something you are' - you're left with something you have (e-mail, phone-number,your own PC) and something you know (personal details...). You can't escape it.

Lior Kogan
There is no social hacking, the users are giving me information about where they live, travel documents, and other things just to use the system.
"What was your first-grade teacher? Lets just ask them casually" - This is social hacking.
Lior Kogan
Ah, I misunderstood. I thought you meant how facebook draws connections between products you might like based on other things, or runs face-recognition software. I do have access to a lot of sensitive data that ID thieves would love, but I'm unsure if I want to use that as verification/secrets.
+1  A: 

I think this requires a difficult implementation but sending new password to user's mobile phone as a text message may be an alternative solution. Mobile phones are much more secure than personal inbox.

Then, users are asked to enter their mobile phone numbers. Users who don't want that functionality are provided new passwords by email.

Zafer
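The answers above converge on the same design: recovery reduces the login to (A or B), so B itself should demand two factors, a one-time code delivered out of band (SMS, phone, mail) plus a personal detail the user knows. The following Python sketch is an added example, not code from any answer in this thread; it assumes a hypothetical `ResetService` whose `outbox` stands in for the SMS or mail gateway, and constructed values for the code lifetime and attempt cap.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60   # assumed lifetime of a reset code, in seconds
MAX_TRIES = 5        # assumed cap on verification attempts per code


def hash_secret(value: str, salt: str) -> str:
    """Salted, slow hash used for the stored personal detail and the new password."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt.encode(), 100_000).hex()


class ResetService:
    """Recovery needs BOTH a one-time code sent out of band (something you have)
    and a personal detail (something you know); neither alone is enough."""

    def __init__(self, users, clock=time.time):
        self.users = users      # username -> {"phone", "salt", "detail_hash"}
        self.pending = {}       # username -> {"code_hash", "expires", "tries"}
        self.clock = clock      # injectable so expiry can be tested
        self.outbox = []        # stands in for an SMS/phone/mail gateway

    def request_reset(self, username: str) -> None:
        user = self.users.get(username)
        if user is None:
            return              # same (empty) response either way: no account enumeration
        code = "".join(secrets.choice("0123456789") for _ in range(8))
        self.pending[username] = {
            "code_hash": hashlib.sha256(code.encode()).hexdigest(),  # never store the code itself
            "expires": self.clock() + CODE_TTL,
            "tries": 0,
        }
        self.outbox.append((user["phone"], code))   # deliver over the out-of-band channel

    def complete_reset(self, username, code, detail, new_password) -> bool:
        entry = self.pending.get(username)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(username, None)        # expired or never requested
            return False
        entry["tries"] += 1
        if entry["tries"] > MAX_TRIES:
            del self.pending[username]              # stop online guessing of the code
            return False
        user = self.users[username]
        code_ok = hmac.compare_digest(entry["code_hash"], hashlib.sha256(code.encode()).hexdigest())
        detail_ok = hmac.compare_digest(user["detail_hash"], hash_secret(detail.strip().lower(), user["salt"]))
        if not (code_ok and detail_ok):             # check both, and don't say which one failed
            return False
        del self.pending[username]                  # single use
        user["password_hash"] = hash_secret(new_password, user["salt"])
        return True
```

The personal detail is normalized and stored only as a salted hash, so a database leak does not hand out the second factor, and the delivered code is hashed for the same reason.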