On Forgotten Passwords and Security

Friday, February 03, 2012

What do you do when a user forgets their password? There are a number of different approaches that can be taken. For an internal user within an organization, it usually means having to phone up the helpdesk.

But where an application is public-facing, running a helpdesk is usually cost-prohibitive therefore, self-service functionality is provided.

The challenge when allowing a user to self-service is that you could potentially open up a number of avenues for attack.

 

For example, error messages displayed on the screen can indicate if a user is valid or not. Which would make it quite easy for an attacker to script a variation of usernames and get responses to build up a list of valid ID’s.

The approach I’ve seen used quite well in a number of instances to allow a user to reset their password if they’ve forgotten it, is to ask some qualifying questions to establish the authenticity of the user.

Then email them a unique tokenized URL to their registered email address. You can increase security by giving the URL a fixed life of a few hours and ensuring it can only be used once.

Finally, once a user has clicked through the URL and successfully changed their password, email them a confirmation of successful password change.

Don't forget to like the video if it has been of any use to you. As always, I'm easy to stalk:

J4vv4D.com
@J4vv4D
Facebook.com/J4vv4D
youtube.com/infoseccynic

Possibly Related Articles:
10120
Network Access Control
Information Security
Passwords Authentication Application Security Access Control Best Practices Network Security Password Management Helpdesk Tokenization Javvad Malik
Post Rating I Like this!