My company is developing an online HR and Payroll application where securing access is critical. I'm clear on how to lock down most of the authentication/authorization processes, except for the 'Forgotten Password' page.

My initial plan was to require the user to enter both an e-mail address and a response to a previously selected/entered challenge question, with a temporary password being mailed to the e-mail listed (assuming the e-mail is valid). But I've read here and here (both on SO) that the challenge-response approach is insecure.

If we're only e-mailing a temp password though, is it really that insecure? The only more secure option I can think of would be to require the user to call their Customer Service Rep, which would greatly burden our employees.

What am I missing ... is there a better approach? Thanks!

+13  A: 

Don't email a temp password, email the user a URL+token to a reset-password page. That way no password is ever changing hands unencrypted. It's also immediately obvious to the end-user that their account has been compromised if they try to go to that page and the reset token has already been used.

Added from the comments:

I think challenge-response ("secret question") aspects actually make things less secure, because they are generally things that can be discovered by researching public info about the target. The fewer steps total, the fewer that can be broken without anyone knowing. Letting reset emails go early and often is a good way to let a human know the attempt is being made.

Rex M
In that case, though, the token is equivalent to a password...
David Zaslavsky
John Fricker
Rex - good idea! So you're not opposed to the challenge-response as a requirement to obtain reset-password link?
Jess
@David no, it's not the same. A password is a reusable secret known by both parties. The token is used once and thrown away; and it's only a message used to prove the identity of the requester by relying on the security of the true user's email system.
Rex M
@LuckyLindy I think challenge-response aspects actually make things less secure, because they are generally things that can be discovered by researching public info about the target. The fewer steps total, the fewer to be broken. Letting reset emails go lets a human know of the attempt earlier.
Rex M
@John Fricker's point is also valid - another good reason not to use temp passwords. The whole concept is risky.
Rex M
@Rex M generally speaking, the user is required to change the temp password before using the application; that's what makes it temporary. I really don't see a difference with a one-time token.
mustpax
The token idea only works if it's a two factor authentication system. For instance, with most token solutions, the token has a pseudo-random algorithm which displays a set of numbers. That changes every minute or so. So you have to have the token to get the numbers, plus you have to know the PIN.
K. Brian Kelley
@K Brian Kelley you are talking about a physical fob, we are talking about a unique key used by the server to verify the identity of the emailer
Rex M
The secret question challenge response is only as secure as the answer to the question is. If the answer to the question “what is your secret password” is only “password”, then it’s not the question that is insecure but the answer.
Gumbo
So instead of asking for the “mother’s maiden name”, you should incite the user to make up some question with really secret answers instead of dispensing of this authentication measure.
Gumbo
Non-password questions are fundamentally insecure because they are information that can be gleaned by researching the target. If a password is used in such a way, it is also insecure but passwords *can* be used properly. "Secret questions" cannot.
Rex M
+3  A: 

As explained in this article, Governor Palin's e-mail account was recently hacked using answers to previously asked questions. From the article:

As detailed in the postings, the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse -- the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

David Segonds
I agree that challenge-response by itself is bad, but if we do it in conjunction with an e-mail back to the user (with a link that must be clicked to change the password), wouldn't that be better than an e-mail w/ link only?
Jess
Yes, more layers are better.
David Segonds
A: 

Wouldn't it be easy/feasible to outsource the whole password management just like SO did and use OpenId or similar? Of course this would add another dependency, but you'd trade that against the need to save (and secure) passwords and deal with them as you described.

Olaf
In a corporate environment, that's not even remotely feasible.
Rex M
I agree with Rex. We will be dealing with 10,000-40,000 users, many of whom will be computer illiterate (i.e. people logging in to view pay stubs, change 401K enrollments, print W-2s, etc). Requiring OpenId seems like a huge pain, and takes away some of our control over VERY sensitive data.
Jess
well, fair argument. In other situations, taking away control over sensitive data would be a good thing though. (I fully accept that this doesn't apply here, but I like that there are so many different angles to this question)
Olaf
A: 

You said it is an on-line HR and payroll application. Do you have the option of a user indicating he/she has forgotten his/her password and that generating a message to an HR representative or some official in the organization who can confirm identity and then issue a password reset?

K. Brian Kelley
That's not a bad idea ... although most of the time the HR reps are going to be the ones accessing our system, plus in cases where their employees access it they might be annoyed changing passwords (viewing it as our job). Thanks for the feedback!
Jess
+1  A: 

There are a few common ways to manage lost passwords:

  • The Secret Question: It is actually a weaker form of authentication, just like people above posted. User may choose something really simple and it is easy to guess. I advise against this, because it does not require any technical "hacking"

  • Mail a new password. To circumvent this control, access to the e-mail account is required or a Man-In-The-Middle (MITM) position is required: You either read the temporary password from user's inbox or intercept in the middle. This approach is ripe for misuse, because anybody can reset the password and force the user out of the system, if he can't read the e-mail with new password.

  • Mail a password reset hash, to circumvent this, you need access to inbox or MITM, just like in case before this, but no passwords are actually reset until confirmation is done. Thus, user can not be locked out of the system, even if he did not read the e-mail. Add a cooldown timer to one reset per 8 hours to prevent Your system from flooding user's inbox.

  • Consider some out of band communication, for example, in the printed contract, write down a PIN. Then have the user call Your helpdesk from a known phone number (check with Caller ID) and give his username and PIN.

Konrads
We are considering a combination of your 1st and 2nd option. Wouldn't that be more secure than either by itself?
Jess
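The reset flow recommended in Rex M's answer (e-mail a URL plus a one-time token rather than a temporary password) and in Konrads' third bullet (nothing changes until the link is confirmed, one request per 8 hours), with the short expiry Cory House mentions, as an added example that is not code from any of the posters. It assumes an in-memory user store, a 30-minute token lifetime, and a hypothetical reset URL host; only a hash of the token is stored so a copied database does not yield working links, and a second visit with an already-used token is reported as such, which is the "immediately obvious to the end-user" signal Rex M describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

TOKEN_TTL = timedelta(minutes=30)    # assumed short link lifetime
RESET_COOLDOWN = timedelta(hours=8)  # one request per 8 hours, as Konrads suggests


@dataclass
class User:
    email: str
    password_hash: str                       # "salt$pbkdf2" as produced by _hash_password
    last_reset_request: Optional[datetime] = None


@dataclass
class ResetToken:
    email: str
    expires_at: datetime
    used: bool = False


def _hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"


def _check_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _hash_token(token: str) -> str:
    # The e-mailed token is high-entropy, so a plain SHA-256 is enough to
    # keep the stored copy useless to anyone who reads the table.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, users: Dict[str, User], now: Callable[[], datetime] = None):
        self.users = users
        self.tokens: Dict[str, ResetToken] = {}          # token hash -> record
        self._now = now or (lambda: datetime.now(timezone.utc))

    def request_reset(self, email: str) -> Optional[str]:
        """Return a one-time token to embed in the e-mailed URL, or None when no
        mail should go out (unknown address, or the 8-hour cooldown is active).
        The current password is untouched, so a stranger cannot lock the user out."""
        user = self.users.get(email)
        now = self._now()
        if user is None:
            return None
        if user.last_reset_request and now - user.last_reset_request < RESET_COOLDOWN:
            return None
        user.last_reset_request = now
        token = secrets.token_urlsafe(32)
        self.tokens[_hash_token(token)] = ResetToken(email, now + TOKEN_TTL)
        return token

    def reset_url(self, token: str) -> str:
        return f"https://hr.example.invalid/reset-password?token={token}"  # hypothetical host

    def consume(self, token: str, new_password: str) -> str:
        """Redeem the token from the link. Returns 'ok', 'invalid', 'already_used'
        or 'expired'; the password changes only on 'ok'."""
        rec = self.tokens.get(_hash_token(token))
        if rec is None:
            return "invalid"
        if rec.used:
            return "already_used"   # tells the real user someone redeemed their link first
        if self._now() > rec.expires_at:
            return "expired"
        rec.used = True
        self.users[rec.email].password_hash = _hash_password(new_password)
        return "ok"

    def verify_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and _check_password(password, user.password_hash)


def demo() -> dict:
    """Walk the flow with a controllable clock (constructed data); returns what was observed."""
    clock = {"now": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)}
    users = {"alice@example.com": User("alice@example.com", _hash_password("old-secret"))}
    svc = PasswordResetService(users, now=lambda: clock["now"])
    r = {}
    r["unknown"] = svc.request_reset("nobody@example.com")                 # None
    token = svc.request_reset("alice@example.com")
    r["issued"] = token is not None
    r["second_request_blocked"] = svc.request_reset("alice@example.com") is None
    r["old_password_still_valid"] = svc.verify_password("alice@example.com", "old-secret")
    r["bad_token"] = svc.consume("not-a-real-token", "x")                  # invalid
    r["first_use"] = svc.consume(token, "new-secret")                      # ok
    r["second_use"] = svc.consume(token, "another")                        # already_used
    r["new_password_valid"] = svc.verify_password("alice@example.com", "new-secret")
    clock["now"] += RESET_COOLDOWN + timedelta(minutes=1)                  # cooldown over
    token2 = svc.request_reset("alice@example.com")
    clock["now"] += TOKEN_TTL + timedelta(minutes=1)                       # link left too long
    r["expired"] = svc.consume(token2, "late")                             # expired
    return r
```

The caller shows the same neutral "if that address is registered, a link has been sent" message whether `request_reset` returned a token or `None`; the cooldown stops the inbox flooding Konrads mentions, and because nothing is written to the user's password until `consume` returns `ok`, an unsolicited reset e-mail is a warning to the user rather than a lockout.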
A: 

In short, challenge questions are often the weakest link. They're easier to guess than a password and effectively operate as a proxy for a password, so they actually reduce security rather than enhance it by providing another attack vector that's actually easier to break. The Web Application Hacker's Handbook has some great information on this area.

Cory House
Sure, but if entering the secret question resets and sends a password via e-mail, isn't that better than simply sending the password directly?
Jess
@Jess - It's totally unnecessary. If you simply send a link that allows for resetting the password and expires after a short period, there's no need to force the user to remember/manage additional secret data that they're highly likely to forget. Asking users who can't remember their password to remember exactly how they typed answers to other questions just so they can reset their password is a fundamentally flawed approach. And it unnecessarily makes the forgotten password process more of a hassle. The user has no recourse to reset their password if they can't recall their challenge answers!
Cory House