Wednesday, June 6

Password Reset Process

While doing some reading on terminal23.net I found a link to another cool security site, mcgrewsecurity.

On the McGrew site, there was a link to a PDF on web security. The most interesting slide was titled "A cool experiment" and dealt with password storage for things like webmail and other online accounts.

Point being, password recovery is extremely important and should be tested prior to using any system.

From page 19 of the McGrew PDF:
  • Anytime you sign up for a new site, take the time to try out their password recovery system
  • Make note of the things it asks you
  • If they wind up emailing you your original password – Oh snap! They're not hashing them at all!
  • Otherwise, take a look at how their reset process works

Important takeaways involving recovery:

  • A password emailed back to you in its original form has not been hashed, as listed above.
  • A password that is not hashed could be stored and sent in clear text (depending on the supporting system architecture).
  • Systems which do not reveal the original password are best. You should not be able to directly recover the original password.
  • Users should have to provide password "challenge" information. Just think of what your banking institution makes you fill out. They get it... however...
  • With the above in mind, what happens when we start overusing the same questions?
  • What is your mother's maiden name?!?
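
An added example, not part of the original post or the McGrew slides: a store that keeps only salted PBKDF2 hashes, so a reset cannot mail the original password and instead issues a single-use, expiring token. The class name, the 15-minute token lifetime and the iteration count are assumptions.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 15 * 60    # assumed policy: reset tokens live 15 minutes
ITERATIONS = 600_000   # assumed PBKDF2 work factor

class AccountStore:
    """Constructed in-memory store: holds salted hashes, never the password."""
    def __init__(self):
        self.users = {}    # login -> (salt, PBKDF2 hash)
        self.resets = {}   # sha256(token) -> (login, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)           # fresh salt per password
        self.users[login] = (salt, self._hash(password, salt))

    def check_password(self, login, password):
        if login not in self.users:
            return False
        salt, stored = self.users[login]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def start_reset(self, login, now=None):
        """Return a one-time token to mail out; there is no password to send."""
        now = time.time() if now is None else now
        if login not in self.users:
            return None    # caller should answer the same way either way
        token = secrets.token_urlsafe(32)
        self.resets[hashlib.sha256(token.encode()).hexdigest()] = (login, now + RESET_TTL)
        return token       # only the token's hash is kept server-side

    def finish_reset(self, token, new_password, now=None):
        """Consume the token (single use) and set a new password if unexpired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        login, expiry = self.resets.pop(digest, (None, 0))
        if login is None or now > expiry:
            return False
        self.set_password(login, new_password)
        return True
```

A site built this way has nothing to email back except the token, which is the behavior the recovery test in the slide is looking for.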

Counter point

  • Overused passwords and weak recovery processes will lead to endless access to personal information.

Expanding upon the above information:

  • Think about the systems you use and the password recovery process. Is it too easy to get the password? What information do they store about you and what type of verification checks are in place to protect your information?
  • Think about personal and self-developed applications, and/or the applications used by your employer.
  • Building on the previous points, think about password management in the enterprise. How does your employer manage this process? Automated? Manual?
  • Another fun "lab" is to test your web mail authentication process. Fire up a sniffer and see what you can find. I know Yahoo Mail hashes the password in memory within a Java applet prior to POST. The login ID is sent in the clear.
  • Think about other systems such as your VoIP softphones! How are those passwords stored and transmitted?

Get past the forgetfulness and eliminate the need for a password reset process.

  • Use a password keeper. I have been testing Password Safe for almost a year with good results. You can find the latest build here. The tool was originally a creation of Mr. Bruce Schneier.
  • Think about recovery, transmission, and storage of your passwords.

Cheers,
Steve