[OWASP-Security101] Password Reset Options

Michael Coates michael.coates at owasp.org
Wed Mar 14 00:35:30 UTC 2012


I thought I'd respond with a separate subject line and address the second part of your questions regarding password reset options.

I completely agree on your point regarding random temporary passwords versus password reset links with random tokens. From a security perspective they are equivalent - a single-use, randomly generated value that proves you have ownership of the email address associated with the account. The only difference is usability.

On the overall topic of password reset options, I'm a big fan of side-channel password resets. You can also combine an emailed link with a random token that is sent to the user's mobile device.

Here are a few other OWASP resources on this topic:

Forgot Password Cheat Sheet - https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
OWASP Podcast - Dave Ferguson - Forgot Password - https://www.owasp.org/download/jmanico/owasp_podcast_83.mp3

Cheat Sheet Series: https://www.owasp.org/index.php/Cheat_Sheets
Podcast Series: https://www.owasp.org/index.php/OWASP_Podcast

Michael Coates | OWASP
michael.coates at owasp.org | @_mwc

On Mar 13, 2012, at 4:36 PM, Olivia Gillies wrote:

> Hi,
> I just signed up to this list and received my welcome email… which contains not only my password in clear text but also lets me know that the system will continue to send me my password each month in clear text unless I manually switch off the service.
> For a forum on application security that seems a little hypocritical. Now, not only do I have a record of the password that I manually typed in less than 5 minutes earlier (seems unlikely that I will have forgotten it already), but my bosses (who can access my corporate email if they so desire) and anyone in our IT department with access to our Exchange server can also see it – and that's without anyone doing anything malicious.
> I understand the requirements of a mailing list differ from an internet banking application but surely good security principles should be adhered to at all times, especially given the number of my friends who I know still use the same password for all their online accounts even after I’ve explained to them 20 times why it’s a bad idea….
> I recently had a discussion with security experts on automated password retrieval who suggested that emailing even random, temporary, time-limited passwords (forcing the user to change password on login) in clear text was a bad idea and that a unique link is better practice. My argument was that if the email is intercepted then a unique link will provide exactly the same capability for the hijacker as a temporary clear-text password and that the real security is in the temporary nature of the provided information (both the password and the time in which you have to use it). Other options obviously include the use of predefined secret questions, but I find sometimes these questions are either too obvious and the answers are available in the public domain, or too obscure and you end up with users who forget not only their password but the answers to their secret question(s) too. I'd be interested to hear what you guys suggest as the best practice for automated password retrieval?
> I find more and more that our security implementations need to strike a balance between risk vs user experience, the most secure options often provide a distinctly unfriendly and/or unintuitive user experience.  
> Cheers,
> Olivia 
> Olivia Gillies 
> Development Team Lead
> Digital Village 
> Level 1, Building 1 
> 85 O'Riordan Street 
> Alexandria NSW 2015
> t	+61 2 9469 5761
> f	+61 2 9469 5778
> e	Olivia.Gillies at traction-digital.com
> w	www.traction-digital.com
> The information transmitted may be confidential, is intended only for the person to which it is addressed, and may not be reviewed, retransmitted, disseminated or relied upon by any other persons. If you received this message in error, please contact the sender and destroy any paper or electronic copies of this message. Any views expressed in this communication are those of the individual sender, except where the sender specifically states otherwise. Traction Digital Pty Ltd does not represent, warrant or guarantee that the communication is free of errors, virus or interference. 
> This email and its contents are the property of Traction Digital Pty Ltd ABN 40 092 342 375
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
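The exchange above turns on three properties of the emailed secret: it is random, it is single-use, and it is time-limited, and whether it is carried in a link or shown as a temporary password is only presentation. The following is an added example, not code from either poster or from OWASP, of the server-side half of such a reset, including the optional side-channel code for a mobile device that Michael mentions. The 15-minute window, the 5-attempt limit, the 6-digit mobile code and the in-memory store are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumptions for this example (not from the thread): a 15-minute validity
# window and at most 5 failed redemption attempts before the reset is voided.
TOKEN_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5


@dataclass
class ResetRecord:
    token_hash: bytes           # SHA-256 of the emailed secret, never the secret itself
    otp_hash: Optional[bytes]   # SHA-256 of the mobile code, if a side channel is used
    expires_at: float
    used: bool = False
    attempts: int = 0


class PasswordResetService:
    """In-memory stand-in (constructed for this example) for the server side of a reset."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._records: Dict[str, ResetRecord] = {}   # account id -> outstanding reset

    @staticmethod
    def _digest(value: str) -> bytes:
        return hashlib.sha256(value.encode("utf-8")).digest()

    def issue(self, account_id: str, with_mobile_code: bool = False) -> Tuple[str, Optional[str]]:
        """Create a fresh single-use secret for the account.

        The returned token is what goes in the email: either embedded in a
        reset URL or shown as a temporary password.  Security-wise the two
        are the same random value; only the presentation differs.  The
        optional 6-digit code is what goes to the user's mobile device.
        """
        token = secrets.token_urlsafe(32)                       # 256 bits of CSPRNG output
        otp = f"{secrets.randbelow(10 ** 6):06d}" if with_mobile_code else None
        # Issuing a new reset replaces any earlier outstanding one for the account.
        self._records[account_id] = ResetRecord(
            token_hash=self._digest(token),
            otp_hash=self._digest(otp) if otp is not None else None,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token, otp

    def redeem(self, account_id: str, token: str, otp: Optional[str] = None) -> bool:
        """Return True exactly once, for a correct, unexpired token (and code)."""
        rec = self._records.get(account_id)
        if rec is None or rec.used:
            return False
        if self._clock() > rec.expires_at:
            del self._records[account_id]                       # time-limited: drop it
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._records[account_id]                       # guards the short OTP against guessing
            return False
        ok = hmac.compare_digest(rec.token_hash, self._digest(token))
        if rec.otp_hash is not None:                            # side channel: both secrets required
            ok = hmac.compare_digest(rec.otp_hash, self._digest(otp or "")) and ok
        if not ok:
            return False
        rec.used = True                                         # single use: burn it
        return True
```

Only hashes of the secrets are stored, so a read of the reset table does not yield usable tokens; comparison goes through `hmac.compare_digest` so a timing difference does not leak how much of a guess was right; and the attempt counter matters mainly for the mobile code, since a 6-digit value is guessable in a way a 256-bit token is not.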
