.

Best web app "password reset" method?

<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Mon Aug 29, 2011 9:44 am

Best web app "password reset" method?

Curious to hear opinions on the best method for users to retrieve/reset lost passwords...
Poking at security since 1986.  +++ATH
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Aug 29, 2011 10:12 am

Re: Best web app "password reset" method?

I will state the obvious. Don't email me my actual password :)

I think the password reset links that expire are good. Maybe even make people answer another question or punch in a code that they get as a text message on their cell phones for a 2 factor approach. HTTPS as well.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 29, 2011 11:15 am

Re: Best web app "password reset" method?

To add on what cd1zz mentionned, assuming on a web site, With no human intervention on the server side and using a "Use Case" approach:

Using HTTPS,

1) User: Enter more than one pieces of information, for example username and email address, before clicking on "retrieve" password. This prevent account harvesting attacks.

2) System: Verify that both username and password match, generates a long random Id and link it with username in memory. Then, send an email to the user containing the id embedded in a URL (no username!!!). Link only good for a few hours. No need of temporary password here.

3) User receives the email, clicks on the link (HTTPS).

4) System checks the id with the id in memory, retrieve the associated username and displays a web page (always HTTPS) with at least one secret question.

5) User answers the question then click on submit.

6) System displays a screen for the user to enter a new password. User needs to login after to complete the process.

This would obviously be better and more secure if we could add:
- Secure Token
- More secret questions (2 or even 3)
- Even GeoLocation wouldn't be a bad idea (if you try to recover password from a different region than when you last successfully logged in)
- IP banned if attempting recovery to often...
- Account lock out for 10 minutes if more than 3 attempts to answer the secret questions

And I probably forget many little things...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software