Resetting ASP.NET password - security issues?

views:

405

answers:

+4 Q:

Resetting ASP.NET password - security issues?

Hi, I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset.

A common method that's been mentioned is to simply:

1) Create a random Guid/Cryptographically strong random number

2) Send a unique URL containing the random number to the user's email address

3) When confirmed, the user is asked to change password

However, isn't this open to a MITM attack? If sending a temporary passwords over the internet to an email is insecure, what's the difference between doing that and simply sending a unique URL which the attacker can navigate to? Have I missed a key step somewhere that will make this system more secure (Or is there a better way of resetting the password)?

Thanks

+7 A:

If you construct your hash correctly, the url click will have to come from the IP address that requested the reset. This would require the MITM to spoof the IP and/or falsify headers. While this is possible, the more unique you can identify the hash to the system in question, the more difficult it becomes to "end-around" the hash.

It is also recommended that the guid be a one-way hash of certain criteria. It is also possible to encrypt system data in the request using a public key that a private key unlocks so that when the url is clicked, this same public encrypted system data must accompany the hash, and the only system that could unencrypt these values would be the private key held at the server. Basically a psuedo-PKI attachment to the hash.

Joel Etherton 2010-01-27 22:59:02

I like the idea of attempting to ensure the confirmation link click comes from the same computer as the initial reset request.

Nick Higgs 2010-01-28 01:08:01

Regarding the IP aspect, surely that part would be irrelevant? As an attacker, I would claim to forget the password myself, therefore the password reset request is coming from my (the attacker) PC. Performing a MITM attack, I would intercept the email, click on the link and change the password since it keeps seeing my IP address.

keyboardP 2010-01-28 16:45:09

Possibly, but this assumes that the attacker has already compromised the email account as well. The IP would only be one small subset of identifying information. There could be other metrics applied that would increase the complexity of the hash. The key would be not to rely on any one metric as each one must be compromised. The more that are required, the more difficult it is to go through. At a point it becomes a matter of effort vs. result.

Joel Etherton 2010-01-28 16:55:36

Cool, that makes sense. Thanks for the help, Joel!

keyboardP 2010-01-28 17:16:57

Take a look at this site for other data you can use to identify a browser: http://panopticlick.eff.org/

Greg 2010-01-29 21:48:21

@Greg: Now that is a handy site on footprinting. Thanks. Definitely going into the favorites.

Joel Etherton 2010-01-29 22:03:54

@Greg: Thanks, that's a great link! One for the bookmarks.

keyboardP 2010-01-30 18:10:19

+2 A:

Your means of authenticating the user is a shared secret (the password).

If the user forgets that secret, you need a way of establishing a new shared secret. No matter what way you go about it, you'll still have the problem of authenticating the user in order to share that new secret.

If the only thing you know about the user that could be used to authenticate them is their email address, then you'll need some way to confirm that the user requesting a reset is in control of that email address.

And the only way so far to do that is to email a secret to that email address and check if they received it.

Which is always going to be open to a sufficiently sneaky MitM attack.

The reason you don't send a temporary password is to avoid the issue of "the user can't be bothered changing and so keeps using the insecure temporary password instead of their own secure one."

Anon. 2010-01-27 22:59:18

Agree with all the above. Would just add that a temporary password should be single use: once it used to log the user in, it can't be used again and the user must change it, otherwise the user would need to request a new password. It doesn't get around the MITM attack by any means, but should help to a degree.

JonoW 2010-01-27 23:21:12

The irony of the temporary password is that it would probably be more secure than the user's actual password :DHowever, I'm going down the 'confirmation link' route which locks them out until the password is changed.

keyboardP 2010-01-28 16:46:18

With the MITM attack vector. Whould this be negated if when you request a new password be sent to you you are asked a secret. Then when the link from the email is sent to you and you click on the link you have to enter that same secret again?

Jonathan Stanton 2010-07-03 19:23:14

+1 A:

To mitigate the risk of a man in the middle attack I use the following measures:

A reset request can be used one time only.
If a reset request is not used, it expires after one hour.
All reset requests are permanently logged whether it was ultimately completed or expired.

Nick Higgs 2010-01-28 01:02:33

I would have the reset expire much faster than an hour. The intent to reset a password is for immediate access. It is not reasonable to expect an "honest" user is going to wait an hour to use the reset.

Joel Etherton 2010-01-28 05:04:41

ansaurus

tags:

views:

answers:

Resetting ASP.NET password - security issues?

related questions