tags:

views:

215

answers:

8
+12  Q: 

What security measures should be taken when creating "change your password" functionality?

I'm adding a "change password" functionality to my webgame http://ninjawars.net , which currently has fixed (and essentially never changing) passwords.

I want to avoid making a mess of it, so I'd like to make sure that I have the basic security bases covered.

Taking what I can pull from facebook's way of doing things, a few points that key points to remember are:

  • Require old password (of course).
  • Confirm new password input twice.
  • log off the account (only on all other pages, somehow)?
  • Require a secure password length & that the password fits all the [insert various criteria here] required for passwords on each specific system.
  • Require new password to differ from old password.
  • Prevent multiple password change attempts.

Facebook also:
- Requires new password to be different from past passwords. (seems like an edge case use)

Those are only the policies that I can glean from the outside UI of facebook's account system. What other security points should I cover when providing a "change password" system?

Edit: In my specific case I intend to be relatively permissive with the [insert various criteria] for what characters will have to go into the password itself. My site isn't a bank, if a player wants to use the password "password1", then they should expect their account to be taken over by their friends. MY FOCUS on the other hand, is on making sure that my site prevents any opportunities for "hostile takeover" via any kind of insecurity in the password changing system itself.

More good points from the answers below:

  • Send notice of password changes to user's email.
  • Keep change of email and change of password each dependent on each-other.
  • Use a secure encrypted (https) connection for such changes.
+1  A: 

I think you should also check if the password isn't the same as the login. Some users do that, believe me.

rhino  2010-09-19 21:21:17
Well, that would fall under the realm of making sure that the players -password- itself is a good password, which is an endless topic that I've seen addressed a lot of times on this site. Haven't been able to find advice on how to secure the "change your password" system itself, though.
Tchalvak  2010-09-19 21:35:48
+1  A: 

It really depends on what kind of information is being protected by the password. For example, the password requirement if you have user's financial informations should be much different than if you only have their name or something like that. Also, keep in mind that dictatorial password requirements will only encourage users to create insecure passwords that meet the requirements. You should have a fairly high cap on the number of characters you allow in the password (if users want to make their passwords extra strong, let them). You should also allow for users to use both upper and lowercase, allow them to use digits, and also allow them to use symbols in the password.

As for requiring that the password is sufficiently secure, you should ensure that it is not identical to previous passwords except by a digit (e.g. incrementing a date in a password), you should ensure that it is not in the top XXX list of common passwords (e.g. don't allow "password1"), you should ensure that the password does not contain the username or user's email address. On the password change form, you should advise users to not use the same password as they use for their email address (or any other account that they connect with your website) -- although obviously you shouldn't attempt login to those connected services to check this.

Michael Aaron Safyan  2010-09-19 21:28:44
I find these requirements to be incredibly arbitrary without delivering much more security. For a game, my opinion of password requirements is basically have none. Don't trust the user's input for anything past the user's game experience, regardless if he's logged in legitimately or not, and make sure you're not liable for damages as a result of his password being cracked. Then it's none of your business and your users won't get pissed at you for arbitrary requirements. In short if you as the server are negatively affected by some user's account being hacked, you've already failed.
Mark Peters  2010-09-19 21:50:19
Tchalvak  2010-09-19 22:07:46
What does "securely hashed (8 iterations)" mean in detail? Why not just 1 iteration using a strong hash algorithm?
Ben Dunlap  2010-09-20 01:00:30
@Mark, I couldn't agree more. Perhaps I was not clear, because I communicated (or attempted to communicate) the same thing in the first few sentences, but then went on to describe how to make or allow for secure passwords, assuming they were necessary, in the rest of my response.
Michael Aaron Safyan  2010-09-20 04:22:41
@Ben Dunlap, It's 8 iterations using a strong algorithm (to increase the time that would be required to crack if the database was compromised).
Tchalvak  2010-09-20 15:00:00
@Tchalvak, are you certain that re-hashing iteratively like that doesn't introduce an unintended cryptographic weakness? I'm not claiming that it /does/ -- I just don't know, and my intuition tells me that using cryptography in well-understood, standard ways is always a good plan. In this case that would mean hashing once with a strong algorithm and using a unique salt for each record.
Ben Dunlap  2010-09-20 22:29:10
@Tchalvak: 8 is slightly more computationally expensive than 1 iteration, but why not 50 or 100? At least if you're protecting against that attack, which requires that the attacker has obtained your database of hashes.
Roger Pate  2010-09-21 06:42:41
@Ben: Hash algorithms are *designed* to be fast. You use multiple iterations to lengthen the time required for an attacker, who already has your stored hashes, from brute forcing the passwords and then being able to log into your live service (or see if that user has the same password elsewhere). Multiple iterations is recommended by cryptographers (of which I am not), but, again, it only helps in the scenario above.
Roger Pate  2010-09-21 06:44:45
It's not a fast hash already. I guess it doesn't matter, it uses the blowfish cyper, which allows multiple and increase-able iterations to be built in.
Tchalvak  2010-09-21 18:05:18
A: 

I was just thinking about this problem today.

Instead of the normal complexity requirements, I think it would be interesting to download one of the freely available MD5 rainbow tables and throw those passwords into a NoSQL database. Then, when a user goes to set their password, try looking up the password they choose. If you find it, reject that password.

At scale, this could be done with only one or two dedicated boxes hosting a lookup service, since setting/changing a password is such an infrequent activity.

Alex Forster  2010-09-19 21:52:02
Oh, that's great, I just need to change my password every so often to DDOS his server. :)
Lie Ryan  2010-09-19 22:35:11
+2  A: 

One thing I see occasionally is to send an automated e-mail to the e-mail on file notifying of the password change. This would give a chance/link for the recipient to revert the changes if they were done unintentionally or maliciously. Obviously this would require a similar warning period for changing e-mail addresses to provide any more security.

Mark Peters  2010-09-19 21:55:02
Excellent, thank you.
Tchalvak  2010-09-19 21:57:01
+8  A: 

Keep the changing of the password and any changes to the e-mail address separate. That way anyone wanting to change either has to know both.

When the user requests a password change e-mail them the link to the page. This will confirm that they are the owner of the account and alert them if someone is trying to access their account. Then when the password has been changed e-mail them the confirmation.

ChrisF  2010-09-19 21:57:23
Ah, that may be better than my current solution, which is to store the primary email indefinitely and email notices in the event of account change requests, so that no-one could hack in, change the email, and change the password, preventing the user from being able to access the account even via password reset.
Tchalvak  2010-09-19 22:19:36
+2  A: 

I noticed noone has suggested this yet, or I'm missing some of the subtleties in other's answer.

Only allow changing the password only if the user knows a "secret string" that will be sent to their email address when they request a password change. For convenience, you can make this "secret string" as an URL, so they can just quickly click it on their email. This ensures that the person requesting change of password can also login to the registered email (people tend to be more relaxed with their game account than their private email address).

As ChrisF has mentioned, you will have to ensure that the person cannot both change password and email simultaneously. You will also need to ensure that changing the email requires knowledge of the current password (you probably should not require that the user can login to his old email to read a "secret string", since the primary reason for changing email address is because they lose their old email address).

Lie Ryan  2010-09-19 22:44:40
+3  A: 

An interesting twist I would like is if I enter a really long password, please don't force me to include some specific types of characters. Many systems require really intricate combinations of letters, caps, numbers and special characters that I inevitably end up creating a 6 character "approved" password when all I wanted was 35 characters in only small caps - but that was rejected for being "insecure". Hah ^^

Also if you're using any class library, framework or template that has the actual code functionality built-in - use it instead of rolling your own. In fact, even if not - look at well-tested add-ons or external solutions (OpenId?) - security is hard and one of the worst places to reinvent wheels in imo.

Oskar Duveborn  2010-09-19 22:46:56
I hate sites that don't accept my passwords in exactly this situation. If you can crack "b9r7idhkeuumaedfa9mpwuphetmgnfkh7uak" through brute force, then including a non-alphanumeric character ain't gonna make it more secure.
Roger Pate  2010-09-21 06:36:54
How can you remember such password??
Philippe  2010-09-29 14:39:40
I use a sentence! Like "Today I'm going to rock the world again!" or whatnot... very easy to remember, very quick to type so it's hard to shoulder-hack. But I hate having to infuse numbers in it, it's just dumb if it's long enough ^^
Oskar Duveborn  2010-10-01 07:21:17
+4  A: 

This is probably obvious, but remember to do the whole password change process over an encrypted connection (HTTPS).

Adam Byrtek  2010-09-19 23:01:30

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security