best practices for a secure forgot password process

21 Aug 2009 - 4:22pm
3 replies
Laura Malone
2009

The use case I'm asking for input on is this: The user has forgotten
their password and types in an email address that is not in our
system. Currently we tell them that we don't have that email address
in our system and to try another or register. However, we have been
mandated to address the security issues around this approach.
Apparently, telling the user we don't have that email address in
our system allows a hacker/attacker to keep trying other email
addresses until they get a match.

So in other words, there is a conflict between the ease of use in
telling a user who has forgotten their password that we don't have
their email address in our system vs. the potential breach of
security that this messaging apparently invites.

My question is, have you resolved this conflict in your website, and
if so, how?

Thanks for any insight,
Laur Malone

Comments

23 Aug 2009 - 11:27pm
Corn Walker
2008

On Aug 21, 2009, at 10:22 AM, Laura Malone wrote:

> My question is, have you resolved this conflict in your website, and
> if so, how?

Facebook pretends to send the email. Of course when the user doesn't
receive the message, they lose confidence in whether the "lost
password" function is working correctly.

One way to address this without compromising security is to send an
email with the error report to the non-registered address instead of
displaying the error on the web page. In this way the user still
receives valuable feedback (with a link back to site registration if
appropriate) while automated bots are unable to ascertain whether the
address was valid or not. You should also throttle the "forgot
password" function to avoid it being abused. For example, after five
attempts the ability to reset a lost password is unavailable for five
minutes.

Cheers,
-corn

Corn Walker
The Proof Group
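The approach in this reply, written out as an added example (this is not code from the thread, the Proof Group, or any site mentioned): the web page returns the same text whether or not the address is registered, and only the email that goes out differs. Registered addresses get a single-use, time-limited reset link whose token is stored hashed; unregistered ones get a note with a registration link. The URLs, the in-memory user and token stores, and the outbox that stands in for a mailer are all constructed assumptions so the code runs offline.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample user store (email -> user id); a real site queries a database.
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Reset tokens are kept only as SHA-256 digests, keyed by user id (constructed store).
RESET_TOKENS = {}

# Outbox used in place of a real mailer so the example runs offline.
OUTBOX = []

# Assumed URLs for this example.
RESET_URL = "https://www.example.com/reset?token="
REGISTER_URL = "https://www.example.com/register"


def _send_mail(to, subject, body):
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def request_password_reset(email, now=None):
    """Handle a 'forgot password' submission.

    Registered or not, the page gets the same message and an email is sent
    to the address; only the email's content differs, so the page itself
    does not reveal whether the address exists.
    """
    now = now or datetime.now(timezone.utc)
    normalized = email.strip().lower()
    user_id = USERS.get(normalized)
    if user_id is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[user_id] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + timedelta(minutes=30),
        }
        _send_mail(normalized, "Password reset",
                   f"Use this link within 30 minutes: {RESET_URL}{token}")
    else:
        _send_mail(normalized, "Password reset request",
                   "We received a password reset request for this address, "
                   "but no account is registered to it. "
                   f"You can register at {REGISTER_URL}")
    # Same on-page text either way. Echoing the address lets a user spot a
    # typo without the page saying whether the address is registered.
    return (f"A message was sent to {normalized}. Didn't receive it? "
            "Check the address and try again.")


def redeem_reset_token(user_id, token, now=None):
    """Check a token from the emailed link: constant-time compare, expiry, single use."""
    now = now or datetime.now(timezone.utc)
    record = RESET_TOKENS.get(user_id)
    if record is None or now > record["expires"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    ok = hmac.compare_digest(digest, record["digest"])
    if ok:
        del RESET_TOKENS[user_id]  # a link works once
    return ok
```

One practical caveat: if the registered branch does noticeably more work (generating and storing a token, rendering a longer email) than the unregistered one, the response time can still hint at which branch ran. Queueing the email for a background sender and returning immediately keeps the page's timing the same in both cases.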

24 Aug 2009 - 7:18am
Adrian Howard
2005

On 24 Aug 2009, at 05:27, Corn Walker wrote:
[snip]
> One way to address this without compromising security is to send an
> email with the error report to the non-registered address instead of
> displaying the error on the web page. In this way the user still
> receives valuable feedback (with a link back to site registration if
> appropriate) while automated bots are unable to ascertain whether
> the address was valid or not.
[snip]

The case where this falls down for the customer is if they mistype the
e-mail address rather than giving the incorrect one... but I agree it
is one solution.

> You should also throttle the "forgot password" function to avoid it
> being abused. For example, after five attempts the ability to reset
> a lost password is unavailable for five minutes.

Absolutely. This is a far better solution for folk.

Although it can be tricky in some circumstances (e.g. when you have
many users apparently coming to your site from one IP address
throttling one bad user can block access to many.)

Other solutions include things like security questions, etc. to allow
you to authenticate users without having to ask for their e-mail
address again. Or asking for alternate info that might be more
familiar for them on that particular site (e.g. the username as
opposed to the e-mail address). Or showing the user the e-mail address
again on the confirmation page with some appropriately direct text on
why this has to be correct.

If it were me - I'd be talking with whoever mandated changing the
current system first. I'd be trying to figure out what the relative
risk is to the business and the customer - which should hopefully
lead me to an appropriate solution.

Yes - the current mechanism does offer a certain kind of security
risk. Whether that risk is worth making it harder for the user to do
certain tasks depends on how much damage a malicious user could cause
you and your customers. If it's stopping them getting access to a bank
account it probably is. If it's changing their newsletter subscription
it probably isn't.

Cheers,

Adrian
--
http://quietstars.com - twitter.com/adrianh - delicious.com/adrianh
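The throttle discussed in the two replies above, as an added example (not code from either poster). It keeps two sliding-window counters: one per requested address with the "five attempts, then wait five minutes" limit from the earlier reply, and one per client IP with a higher ceiling. The higher per-IP ceiling is an assumed design choice addressing the shared-IP problem raised here: many users behind one NAT address are not locked out because one of them exhausted the limit for a single address, while a client cycling through many addresses from one IP still runs into a cap. Limits and the numeric timestamps are constructed for the example.

```python
from collections import defaultdict, deque


class ResetThrottle:
    """Sliding-window throttle for a forgot-password endpoint.

    Two independent limits (assumed design):
      * per target address: `per_address` attempts per `window_seconds`
      * per client IP: `per_ip` attempts per `window_seconds`, set higher so a
        shared IP is not blocked by one abusive user, but a single IP cannot
        probe an unlimited number of addresses.
    Only successful (allowed) attempts are recorded, so once the limit is
    reached the address or IP stays blocked until entries age out of the window.
    """

    def __init__(self, per_address=5, per_ip=50, window_seconds=300):
        self.per_address = per_address
        self.per_ip = per_ip
        self.window = window_seconds
        self._by_address = defaultdict(deque)  # email -> timestamps
        self._by_ip = defaultdict(deque)       # ip -> timestamps

    def _prune(self, timestamps, now):
        # Drop entries that fell out of the window.
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()

    def allow(self, client_ip, email, now):
        """Return True and record the attempt if it is within both limits."""
        addr_q = self._by_address[email.strip().lower()]
        ip_q = self._by_ip[client_ip]
        self._prune(addr_q, now)
        self._prune(ip_q, now)
        if len(addr_q) >= self.per_address or len(ip_q) >= self.per_ip:
            return False
        addr_q.append(now)
        ip_q.append(now)
        return True


def demo():
    """Constructed walk-through: one address hit five times, then blocked for the window."""
    throttle = ResetThrottle()
    results = [throttle.allow("203.0.113.5", "victim@example.com", 1000 + i)
               for i in range(6)]
    # A different address from the same IP is still allowed.
    results.append(throttle.allow("203.0.113.5", "other@example.com", 1010))
    # The blocked address stays blocked from any IP until the window passes.
    results.append(throttle.allow("198.51.100.9", "victim@example.com", 1020))
    results.append(throttle.allow("198.51.100.9", "victim@example.com", 1300))
    return results
```

Whatever is refused should get the same on-page message as a normal submission (the email simply is not sent), so the throttle itself does not become a second way to tell registered addresses apart from unregistered ones.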

30 Aug 2009 - 10:00pm
Corn Walker
2008

On Aug 24, 2009, at 8:18 AM, Adrian Howard wrote:

> On 24 Aug 2009, at 05:27, Corn Walker wrote:
> [snip]
>> One way to address this without compromising security is to send an
>> email with the error report to the non-registered address instead
>> of displaying the error on the web page. In this way the user still
>> receives valuable feedback (with a link back to site registration
>> if appropriate) while automated bots are unable to ascertain
>> whether the address was valid or not.
> [snip]
>
> The case where this falls down for the customer is if they mistype
> the e-mail address rather than giving the incorrect one... but I
> agree it is one solution.

Sorry for coming back to this late...

The web page might display "A message was sent to your email address:
foo at example.com. Didn't receive it?" which would prompt the user to
check their email for the lost password and, if they entered an
incorrect email address, prompt a revisit to the site to try again.

Cheers,
-corn

Corn Walker
The Proof Group
http://proofgroup.com/
