Saturday, November 13, 2010

Forgot My Password

Almost all online services provide a way to recover your password, in case you forget it.

This is also the first thing an attacker will look into to gain control of your account, so it is something we need to design carefully.

Let's look at the different ways this feature is implemented by major online service providers.

Secret Questions with Yahoo

- You need to set your secret questions at the time you sign up, and you can change them later if you wish
- But you need to make sure you set strong secret questions the first time; if you set weak ones there, your account can be compromised at any time, even if you change them later
- Make sure the answers to your secret questions cannot be found via any of your social networking profiles
- What if somebody gains control of your account via the secret questions and later changes the original secret questions to a different set?
- Yahoo still lets you regain control
- You can go through the 'Forgot Password' flow and ask for your original secret questions [not the ones the attacker set]
- Then you can regain access to your account, but you will never be able to change the original secret questions, so if the attacker knows the originals, he can come back at any time and take control of your account once again
- A captcha is used

Password reset link to the email with Google

- You need to have a secondary email address registered
- The secondary email address is not shown to the user during the password recovery process
- A password reset link is sent to the secondary email address, and that link is valid only for a limited time frame
- Even though the password recovery link has been sent, the user can still log in with the original password if the reset has not been completed
- No temporary passwords are generated
- Once a password reset is initiated, a mail is also sent to the original email address, so if it is an attacker who is doing this, the actual owner of the account gets to know something is going on
- A captcha is used

Password reset code with Facebook

- You need to have either an email address or a mobile number registered with your account
- Once you initiate the password reset process, a code is sent to you
- You need to confirm receipt of the confirmation code to reset the password
- Until you reset the password, you can use the original password to log in
- No captcha is used

Password reset link to the email with Twitter

- You need to have an email address registered
- A password reset link is sent to the email address, and that link is valid only for a limited time frame
- Even though the password recovery link has been sent, the user can still log in with the original password if the reset has not been completed
- No temporary passwords are generated
- No captcha is used

Original password sent back to the email

- Forget them; they store your passwords in clear text

Generate a temporary password and send back to the email

- This is better than the previous one
- Since the original password is replaced by the temporary one, if the reset is initiated by an attacker, the true owner won't be able to log in until he resets it again or checks his email
- Should be protected with a captcha
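The link-based flows above (Google, Twitter) combine a few properties worth making concrete: a random token of which only a hash is stored, a limited validity window, single use, the original password staying valid until the reset actually completes, and a notification to the account owner when a reset starts. The sketch below is an added example written for this post, not code from any of the services named; the one-hour window and the SHA-256 hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

RESET_TTL_SECONDS = 3600  # assumed validity window for the reset link


@dataclass
class Account:
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0
    notifications: List[str] = field(default_factory=list)


def hash_secret(value: str) -> str:
    # Illustrative only: a real service would use a slow, salted password hash
    return hashlib.sha256(value.encode()).hexdigest()


def request_reset(acct: Account, now: float) -> str:
    """Issue a fresh reset token; store only its hash plus an expiry time."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hash_secret(token)
    acct.reset_expires_at = now + RESET_TTL_SECONDS
    # The original address is told that a reset was started, as in the Google flow
    acct.notifications.append(f"password reset requested for {acct.email}")
    return token  # this is what would be mailed as part of the link


def complete_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    """Accept the token only if it is unexpired and matches; then rotate the password."""
    if acct.reset_token_hash is None or now > acct.reset_expires_at:
        return False
    if not hmac.compare_digest(acct.reset_token_hash, hash_secret(token)):
        return False
    acct.password_hash = hash_secret(new_password)
    acct.reset_token_hash = None  # single use: the link is dead after success
    acct.reset_expires_at = 0.0
    return True


def login(acct: Account, password: str) -> bool:
    """The old password keeps working until complete_reset() has succeeded."""
    return hmac.compare_digest(acct.password_hash, hash_secret(password))
```

Because no temporary password is ever generated, an attacker who merely requests a reset cannot lock the owner out, and the notification gives the owner a chance to notice the attempt.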

1 comment:

Saliya Ekanayake said...

Nice post! Something funny with FB recovery that I experienced: I changed the password and on a nearby day I tried to log in. It showed the error form with the message "This is your old password, you changed it recently". It's a good thing for humans, but I felt really surprised to see this. Of course, they expire that memory after some time. Now when I do that it just says wrong combination.