How To

How to Do Password Resets Right

Ben Rothke on four overlooked security risks in the password reset process (and how to address them)

By Ben Rothke

April 03, 2008 — Web-based customer self-service password resets are a boon to any enterprise that manages user accounts. Users invariably forget their passwords on occasions, and an online, automated system that allows end-users to reset their own passwords is a benefit to everyone. It eliminates the need for a helpdesk or system administrator to manually service these reset requests, so both the user and the company can save time.

But with every on-line action, there are associated security risks. The security issue associated with password resets is that the reset process, if not executed correctly, can inadvertently reveal personal information that can then be used in an attack.

When going to a password reset page, some sites will use an email address or the person's mother's maiden name to initiate the reset. The problem with such an approach is that both pieces of information are often available through third-party data aggregation services, which means an attacker can use purchased data to reset a victim's password and thus gain access.

If you don't architect your customer self-service password reset process correctly, attackers can find those vulnerabilities, and exploit them. One of the most notorious instances of this process is with Igor Klopov, whose identity theft ring used such attacks as part of their MO.

Ensuring your customer self-service password reset process protect your customers is not difficult; it just takes some thought and attention to detail.

Risk #1: Aggregated data
Myriad data aggregation services make terabytes of personal information easily available. That information includes social security numbers, mother's maiden name, birth date, zip code, phone number, age, profession, income and more. If your security reset process requires such information, you may be introducing additional risk.

Action item: Data that is aggregated should not be part of your password reset process.

Risk #2: Inappropriate redirect
After a password reset, some sites will redirect the web page to the user's preferred login page. Imagine if an attacker attempts to initiate a password reset on an investment bank site, and then is taken to the bank's Your Portfolio page. At that point, the attacker knows the victim has a portfolio account.

Action item: Redirect to main web page.

Risk #3: Easy to guess password reset questions
Similar to risk #1, many sites will ask authentication questions that are extremely easy to guess. But the reality is that few websites use effective security questions. According to the website goodsecurityquestions.com, the answer to a good security question:

  • cannot be easily guessed or researched
  • doesn't change over time
  • is memorable
  • is definitive or simple

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

Revolutionizing Endpoint Security with a Single Agent

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

The Case for Business Software Assurance ~ Securing Your Applications

Configuration Assessment: Choosing the Right Solution

Envision Identity-Based Access Control for the Datacenter

Rolling the dice with your security? Take the Self-Assessment Test now

Digital Identity Protection and Data Security Get Personal

Solving Online Credit Fraud Using Device Reputation

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Data Protection: Challenges for the Traveling User

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

IS/IT Project Mgt. Credentials From Villanova - 100% Online

Learn how the new Quad-Core AMD Opteron™ processor improves performance

Key strategies for C-level executives and security staff

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage