Ben Rothke on four overlooked security risks in the password reset process (and how to address them)

Web-based customer self-service password resets are a boon to any enterprise that manages user accounts. Users invariably forget their passwords on occasion, and an online, automated system that lets end users reset their own passwords benefits everyone. It eliminates the need for a helpdesk or system administrator to service these reset requests manually, so both the user and the company save time.

But every online action carries associated security risks. The security issue with password resets is that the reset process, if not executed correctly, can inadvertently reveal personal information that can then be used in an attack.

When going to a password reset page, some sites will use an email address or the person's mother's maiden name to initiate the reset. The problem with this approach is that both pieces of information are often available through third-party data aggregation services, which means an attacker can use purchased data to reset a victim's password and thus gain access to the account.

If you don't architect your customer self-service password reset process correctly, attackers can find those vulnerabilities and exploit them. One of the most notorious instances is Igor Klopov, whose identity theft ring used such attacks as part of its MO. Ensuring that your customer self-service password reset process protects your customers is not difficult; it just takes some thought and attention to detail.

Risk #1: Aggregated data

Myriad data aggregation services make terabytes of personal information easily available. That information includes social security numbers, mother's maiden name, birth date, zip code, phone number, age, profession, income and more.
If your password reset process requires such information, you may be introducing additional risk.

Action item: Data that is aggregated should not be part of your password reset process.

Risk #2: Inappropriate redirect

After a password reset, some sites redirect to the user's preferred login page. Imagine an attacker initiating a password reset on an investment bank's site and then being taken to the bank's Your Portfolio page. At that point, the attacker knows the victim has a portfolio account.

Action item: Redirect to the main web page.

Risk #3: Easy-to-guess password reset questions

Similar to risk #1, many sites ask authentication questions that are extremely easy to guess. The reality is that few websites use effective security questions. According to the website goodsecurityquestions.com, the answer to a good security question:

- cannot be easily guessed or researched
- doesn't change over time
- is memorable
- is definitive or simple

It's difficult to create questions that meet all four characteristics, which means that some questions are good, some fair and the remaining (which unfortunately includes many in use today for password resets) are poor. A list of really good (and poor) security questions can be found at www.goodsecurityquestions.com/examples.htm. Also, if you do use such questions, you should instruct your users not to post the answers on social websites such as MySpace. The question "Who is your favorite sports team?" becomes an ineffective part of password protection if the user's MySpace page is covered in Boston Red Sox logos.

Action item: Choose good password reset questions approved by goodsecurityquestions.com.

Risk #4: Error code information release

Different self-service password reset systems require different fields. If a user enters an incorrect piece of data, the error code may be something like "Member Not Found" or "Password Incorrect".
Such error codes can reveal that an account does exist on the system and that only the password was incorrect.

Action item: Determine which error codes you want to reveal, and reveal only those.

Conclusion

Users are notorious for choosing poor passwords. You don't want to exacerbate the problem with an ineffective self-service password reset process. As part of your web development process, it is imperative that every detail of the self-service password reset process be appropriately defined and executed. Attackers will probe every part of your web presence looking for a breach. Make sure this is not one of them.

Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Senior Security Consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
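As an added example (not from the article), here is how risks #2 and #4 look in a reset-request handler and how the action items close them: the leaky version returns a different message and redirect depending on the account, while the hardened version returns one fixed response and a random single-use token instead of knowledge-based data (risk #1). The USERS store, the example.test link and the function names are constructed for illustration; responses_differ is the regression check that would catch a leak.

```python
import hashlib
import secrets
import time

# Constructed sample account store (not real users): email -> account data.
USERS = {"alice@example.com": {"has_portfolio": True}}
MAIN_PAGE = "/"
GENERIC_MSG = "If an account exists for that address, a reset link has been sent."
TOKEN_TTL = 900  # seconds a reset link stays valid

def leaky_reset(email):
    """The pattern the article warns about: the message reveals whether the
    account exists (risk #4) and the redirect reveals the user's landing
    page (risk #2)."""
    user = USERS.get(email)
    if user is None:
        return {"message": "Member Not Found", "redirect": MAIN_PAGE}
    landing = "/portfolio" if user["has_portfolio"] else "/account"
    return {"message": "Reset link sent", "redirect": landing}

def hardened_reset(email, outbox, token_store, now=None):
    """Same message and same redirect whether or not the account exists.
    A random single-use token replaces knowledge-based data (risk #1); only
    its hash is stored, and the link is queued only for real accounts."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if email in USERS:  # the branch changes side effects only, not the reply
        token_store[digest] = (email, now + TOKEN_TTL)
        outbox.append((email, f"https://example.test/reset?token={token}"))
    return {"message": GENERIC_MSG, "redirect": MAIN_PAGE}

def consume_reset_token(token, token_store, now=None):
    """Return the account email for a valid, unexpired token and delete it so
    it cannot be replayed; return None otherwise."""
    now = time.time() if now is None else now
    entry = token_store.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]

def responses_differ(handler, known, unknown, **kw):
    """Regression check for risk #4: True if a known and an unknown address
    get different responses from the handler, i.e. account existence leaks."""
    return handler(known, **kw) != handler(unknown, **kw)
```

Because only real accounts trigger a mail send, hand that send to a background queue so the response time does not differ between the two cases either.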