WebApp Sec mailing list archives
Re: "Forgot Password" function
From: "Brecrost Jones" <brecrost () hotmail com>
Date: Fri, 18 Oct 2002 15:44:55 -0600
Kevin Spett wrote:
I'd like to remind everyone that unencrypted email offers no authentication or privacy. There is no protection against MITM attacks. Consider the following scenario: An evil, mean, no-good hacker breaks into a mailserver. In an atrocious display of lack of respect for personal privacy, said hacker proceeds to peruse the mailserver's users' e-mail. This hacker sees a newsletter, account registration confirmation, order receipt, etc. from an online retailer, service, etc. The hacker uses the information in the email, which may or may not contain the actual username, to go to the site and uses the handy dandy "I forgot my password, please email it to me" application. The server complies with this request and emails the account holder a new password, or a link to where the new password can be obtained, or a clever riddle whose answer is the new password, or whatever. Choose your method of delivery. The hacker, from his bedroom in a suburban California neighborhood, reads the password, visits the link, solves the riddle, etc. Since he or she (I'd like to give a shout out to all the lady hackers out there, keeping it real no doubt) has control of the mailserver, the hacker then makes sure that the email never reaches the actual account holder. The hacker abuses the account in each and every last way possible, leaving no options for exploitation unexplored. The actual account holder receives a Mastercard statement for thousands of dollars in goods he or she did not purchase and a visit from the Department of Homeland Security, who demand to know why that person attempted to purchase maps of burglary tools, weapons and controlled substances. What else do you do with stolen credit card numbers? Does this sound amazingly theoretical to anyone? It's not. This kind of thing happens each and every day in deep, dark dungeons of cyberspace. The only good solution is complete re-authentication of the account holder. The local cable company in my area does this.
If you lose your password to the bill paying application, you must enter all of your personal information (DOB, CC#, exp. date, address, etc.) again to get a new password. If you've got a problem with that, you have to call their "customer service professionals" and explain your case.
First off, thanks to everyone for their responses! The above outlines perfectly the issue I am worried about, and that is the inherent insecurity of any email-based solution. Unfortunately, I did not express this very well in my original post. I originally stated that I was concerned about sending the password in plain text, which was a mistake for two reasons: one, I didn't even consider that I don't have access to the plaintext password (I am storing it in the database as an SHA-1 digest), and two, my actual concern is that the email itself is plain text, so no matter what the contents of the email (plaintext password, link to secure page allowing password change, etc.), if someone intercepts that email, they can gain access to the account (right?).
So I guess what I was looking for is something that does not use email at all, and something that doesn't rely on a "secret question". So maybe the solution is as mentioned above: several "secret questions" (i.e. essentially re-entering all or most of the account information), or the low-tech "give us a call" method. I'm afraid that both of those solutions may be considered too inconvenient for the user by my project managers, but I suppose that is all too often the issue with security-related questions, the tradeoff between convenience and security.
Thanks again for all suggestions.
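As an added example, not code from this thread, here is a sketch in Python of the re-authentication style of reset Kevin describes: the user must re-enter every profile field on file before a new password is set, comparisons are constant time with no early exit, and failed attempts are counted so the answers cannot be guessed field by field. The field names, the attempt limit, and the use of salted PBKDF2 in place of the bare SHA-1 digest mentioned above are my assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3          # assumed lockout threshold for failed resets
ITERATIONS = 100_000      # assumed PBKDF2 work factor


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted, iterated hash used for both the password and profile answers."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)


class Account:
    """Constructed in-memory account record standing in for a database row."""

    def __init__(self, username: str, password: str, profile: dict):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_secret(password, self.salt)
        # Profile fields (DOB, last four of the card, etc.) are stored hashed,
        # so a leaked database does not also hand out the reset answers.
        self.profile = {k: hash_secret(v.strip().lower(), self.salt)
                        for k, v in profile.items()}
        self.failed_resets = 0


def reset_password(acct: Account, answers: dict, new_password: str) -> str:
    """Re-authentication reset: every field on file must match, no email involved."""
    if acct.failed_resets >= MAX_ATTEMPTS:
        return "locked"                      # hand off to a human, as the cable company does
    ok = True
    for field, stored in acct.profile.items():
        given = hash_secret(answers.get(field, "").strip().lower(), acct.salt)
        ok &= hmac.compare_digest(given, stored)   # check every field; no early exit
    if not ok:
        acct.failed_resets += 1
        return "denied"
    acct.failed_resets = 0
    acct.salt = os.urandom(16)               # fresh salt with the new password
    acct.pw_hash = hash_secret(new_password, acct.salt)
    return "reset"


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_secret(password, acct.salt), acct.pw_hash)
```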