How to Do Password Resets Right
Ben Rothke on four overlooked security risks in the password reset process (and how to address them)
By Ben Rothke
April 03, 2008 — Web-based customer self-service password resets are a boon to any enterprise that manages user accounts. Users invariably forget their passwords on occasions, and an online, automated system that allows end-users to reset their own passwords is a benefit to everyone. It eliminates the need for a helpdesk or system administrator to manually service these reset requests, so both the user and the company can save time.
But with every on-line action, there are associated security risks. The security issue associated with password resets is that the reset process, if not executed correctly, can inadvertently reveal personal information that can then be used in an attack.
When going to a password reset page, some sites will use an email address or the person's mother's maiden name to initiate the reset. The problem with such an approach is that both pieces of information are often available through third-party data aggregation services, which means an attacker can use purchased data to reset a victim's password and thus gain access.
If you don't architect your customer self-service password reset process correctly, attackers can find those vulnerabilities, and exploit them. One of the most notorious instances of this process is with Igor Klopov, whose identity theft ring used such attacks as part of their MO.
Ensuring your customer self-service password reset process protect your customers is not difficult; it just takes some thought and attention to detail.
Risk #1: Aggregated data
Myriad data aggregation services make terabytes of personal information easily available. That information includes social security numbers, mother's maiden name, birth date, zip code, phone number, age, profession, income and more. If your security reset process requires such information, you may be introducing additional risk.
Action item: Data that is aggregated should not be part of your password reset process.
Risk #2: Inappropriate redirect
After a password reset, some sites will redirect the web page to the user's preferred login page. Imagine if an attacker attempts to initiate a password reset on an investment bank site, and then is taken to the bank's Your Portfolio page. At that point, the attacker knows the victim has a portfolio account.
Action item: Redirect to main web page.
Risk #3: Easy to guess password reset questions
Similar to risk #1, many sites will ask authentication questions that are extremely easy to guess. But the reality is that few websites use effective security questions. According to the website goodsecurityquestions.com, the answer to a good security question:
- cannot be easily guessed or researched
- doesn't change over time
- is memorable
- is definitive or simple