How To
How to Do Password Resets Right
Ben Rothke on four overlooked security risks in the password reset process (and how to address them)
By Ben Rothke
It's difficult to create questions that meet all four characteristics, which means that some questions are good, some fair, and the rest (which unfortunately includes many that are in use today in password reset situations) are poor. A list of really good (and poor) security questions can be found at www.goodsecurityquestions.com/examples.htm.
Also, if you do use such questions, you should instruct your users not to post the answers on social websites such as MySpace. The question "Who is your favorite sports team?" becomes an ineffective part of password protection if the user's MySpace page is covered in Boston Red Sox logos.
Action item: Choose good password reset questions approved by goodsecurityquestions.com
Risk #4: Error code information release
Different self-service password reset systems require different fields. If a user enters an incorrect piece of data, the error code may be something like Member Not Found or Password Incorrect. Error codes that differ in this way reveal whether an account exists on the system: Password Incorrect tells the requester that the account is real and only the password was wrong, while Member Not Found tells them it is not.
Action item: Determine what error codes you want to reveal, and reveal only those.
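The two request handlers below, added here as an illustration rather than code from the article, show the Risk #4 problem and the fix side by side: the leaky version returns a different status and message depending on which field was wrong, while the uniform version returns one response on every path and performs the same hash check whether or not the account exists. The account store, salt, and `sent_links` list are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample account store for the demonstration (not a real system):
# username -> PBKDF2 hash of the user's password. A real system uses a
# per-user salt; one constant salt is used here only to keep the example short.
SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

ACCOUNTS = {"alice": _hash("correct horse battery")}
# Hash of a throwaway value, checked when the account does not exist so that
# the "unknown user" path does the same amount of work as the "known user" path.
DUMMY_HASH = _hash("placeholder-for-unknown-accounts")
sent_links = []  # stands in for the e-mail step

def reset_leaky(username: str, password: str):
    """'Before': each failure gets its own message, so the response says
    whether the account exists (Member Not Found vs Password Incorrect)."""
    stored = ACCOUNTS.get(username)
    if stored is None:
        return 404, "Member Not Found"
    if not hmac.compare_digest(stored, _hash(password)):
        return 401, "Password Incorrect"
    sent_links.append(username)
    return 200, "Reset link sent"

def reset_uniform(username: str, password: str):
    """'After': one status and one message on every path. The hash comparison
    runs whether or not the user exists, which keeps the response time similar
    across the two cases as well."""
    stored = ACCOUNTS.get(username, DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password))
    if ok and username in ACCOUNTS:
        sent_links.append(username)
    return 200, "If the details match an account, a reset link has been sent"

def leaks_account_existence(handler) -> bool:
    """Audit check: does a wrong password on an existing account produce a
    different response than a wrong password on a non-existent one?"""
    known = handler("alice", "wrong-password")
    unknown = handler("nobody-here", "wrong-password")
    return known != unknown
```

The `leaks_account_existence` check is the kind of assertion to keep in a test suite so that a later change to the reset form cannot quietly reintroduce distinguishable error codes.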
Conclusion
Users are notorious for choosing poor passwords. You don't want to exacerbate the issue with an ineffective self-service password reset process. As part of your web-development process, it is imperative that every detail of the self-service password reset process be appropriately defined and executed. Attackers will probe every part of your web presence looking for a way in. Make sure this is not one of them.
Ben Rothke, CISSP, QSA (ben.rothke@bt.com) is a Senior Security Consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.