views:

399

answers:

6

Hello I want to to implement password recovery in my web application.

I'd like to avoid using secret questions.

I could just send the password by e-mail but I think it would be risky.

Maybe I could generate a new temporary random password and send it by e-mail but I think it is as risky as the above point.

Can I send a url by e-mail for example http://mysite.com/token=xxxx where xxxx is a random token associated with the user. So when the user navigates to that url he/she can reset the password.

Any ideas?

+4  A: 

Obviously, you can't send the original password by email, because you're not storing it (right?!). Sending a temporary password (that must be changed, because it only works for one login), and a link to reset the password are equivalent from a security point of view.

Matthew Flaschen
I'm storing the password with AES encryption so I could decrypt it and send it.
Enrique
There's really not a good reason to store the passwords in a reversible format, and likely using a symmetric algo like that would add about zero extra security while adding only a false sense of security. Use a proper hash algorithm such as one of the SHA family, or whirlpool, or another modern one, with a salt, and the passwords will be FAR more secure.
Kitsune
Storing the passwords with encryption is helpful, but not enough - if the attacker has access to your database, there's a good chance he has access to the rest of the system as well (not so for SQL injection, but true for many other types of attacks). And if your system can decrypt the passwords, so can he.
BlueRaja - Danny Pflughoeft
Kitsune is correct. If your database is compromised, it's very likely your AES key will be too. You should always use one-way cryptographic hashing for passwords.
Matthew Flaschen
Even if the outside attack is very unlikely, there is always a possibility of evil from inside. One of you co-workers might just decrypt the passwords, maybe even sell them. That's why you should only use hashes.
fish
+8  A: 

First off, do not store a plain-text copy of the user's password, or even an encrypted version. You want to only ever keep a hashed copy of the user's password.

As for recover solutions, I find that the recovery link to change the user's password is the best solution in my experience. It will probably be a bit more convenient for the user, while being largely the same from a security point of view as sending a new random password to be changed after next login. I'd still recommend having the recovery url expire after a reasonable short period of time, as well as only being usable a single time.

Kitsune
A: 

On my site, I just reset the password to some random 8 character string, and then send that in the email, and say "Here is your new password, now login and change it, if you want".

This way I have no need to save their password (i only save a SHA1 hash)

webdestroya
+2  A: 

It really comes down to how much security you want to have. One the one end of the extreme is a password reset process that involves contacting and certifying that you are who you claim to be, e.g. via id, because your mailbox could be compromised as well. Actually, as people tend to use the same password everywhere this is very likely. On the other end there is the standard approach that involves just sending out an email with a random new password.

"Secret" questions and answers are just another form of username and passwords with the fatal flaw that they are usually incredibly easy to guess, so good that you don't want to use them.

To your point about the token, I don't think it makes a big difference in overall security. Whether you send out a token that allows a user to change the password or whether you send out a random password right away doesn't make a big difference.

Just make sure the token is only usable once and preferably only in a limited time span, e.g. +24h after requesting it.

And, as pointed out by previous answers, NEVER EVER store plain passwords. Hash them. Preferably add salt.

ilikeorangutans
+7  A: 

When I was in the Air Force the security rule we had was: When setting or resetting passwords, do not send the user id and the password in the same email. That way, if someone is intercepting emails snooping for passwords, he has to successfully intercept BOTH emails, and be able to connect them, to breach security.

I've seen a lot of sites that use the "go to this URL to reset your password". Maybe I'm missing something -- I don't claim to be a security expert -- but I don't see how that is any more secure than just inventing a new, temporary password and sending it. If a hacker intercepts the email, why can't he go to that link and see the new password as well as the legitimate user could? It looks to me like extra hassle for the user with no security gain.

By the way, congratulations on NOT using security questions. The logic of this device escapes me. Since the dawn of computer security we have been telling people, "DON'T make a password that is information about yourself that a hacker could discover or guess, like the name of your high school, or your favorite color. A hacker might be able to look up the name of your high school, or even if they don't know you or know anything about you, if you still live near where you went to school they might get it by tryinging local schools until they hit it. There are a small number of likely favorite colors so a hacker could guess that. Etc. Instead, a password should be a meaningless combination of letters, digits, and punctuation." But now we also tell them, "But! If you have a difficult time remembering that meaningless combination of letters, digits, and punctuation, no problem! Take some information about yourself that you can easily remember -- like the name of your high school, or your favorite color -- and you can use that as the answer to a 'security question', that is, as an alternative password."

Indeed, security questions make it even easier for the hacker than if you just chose a bad password to begin with. At least if you just used a piece of personal information for your password, a hacker wouldn't necessarily know what piece of personal information you used. Did you use the name of your dog? Your birth date? Your favorite ice cream flavor? He'd have to try all of them. But with security questions, we tell the hacker exactly what piece of personal information you used as a password!

Instead of using security questions, why don't we just say, "In case you forget your password, it is displayed on the bottom of the screen. If you're trying to hack in to someone else's account, you are absolutely forbidden from scrolling down." It would be only slightly less secure.

Lest you wonder, when sites ask me for the city where I was born or the manufacturer of my first car, I do not give an actual answer tot he question. I give a meaningless password.

</rant>

Jay
+1 For most enjoyable rant about why security questions are bad.
Peter
+2  A: 

Hard to say what you should do, as pretty much any solution to this problem will weaken security. Unless maybe you want to investigate sending an SMS, callback verification, one-time password generators, or other such schemes that take password recovery to a different medium.

However, what you should not do:

  • Send the password - because after all, as has already been mentioned, you don't have it.

  • Generate a new temporary password - not only is this as insecure as sending the password, it also leads to the possibility of a denial of service attack. I can go to the site, pretend to be you, request a new password and then (if you haven't checked your email) you can't log in, don't know why and have to request a new new password ...

The token is probably the way to go. Receiving it notifies a forgotten password request, but doesn't take any action unless you confirm. You would also make it a one-time token with a relatively short expiry time to limit risk.

Of course, a lot depends on the application. Obviously protecting financial and other sensitive information is more critical than preventing your account being hacked on mytwitteringfacetube.com, because while it's inconvenient, if someone wants to steal someone's identity on a social network site, they can just open their own account and masquerade with stolen information anyway.

Duncan