OWASP Periodic Table of Vulnerabilities - Insufficient Password Recovery
Insufficient Password Recovery
Root Cause Summary
Weak password recovery processes allow stronger password authentication schemes to be bypassed. Non-existent password recovery processes are expensive to support or result in denial-of-service conditions.
Browser / Standards Solution
Generic Framework Solution
The framework should provide all of the following configurable options, and require at least one of them for self-service password resets:
- Security questions
- Require a minimum of three different questions
- Support configuration-based, pre-defined questions as well as user-defined questions
- Store answers for each user according to the same security requirements as passwords (hashed with salt)
- Email reset
- Application emails a password reset link with an expiring nonce to the email address on file
- SMS reset
- Application sends an alphanumeric token to the cell phone number on file
- The application redirects the user to a form where the token must be entered
While the user is authenticating via one of the above methods, the following security principles should be applied:
- The reset flow should never send an actual password to the user at any time over any channel
- The reset form should not expose an account enumeration vulnerability:
- Token-based reset forms should claim to have sent the token whether the account exists or not.
- Secret-question-based reset forms should ask random questions (seeded with the user id so they are the same each time) if the account does not exist.
- Reset tokens should only be valid for a short period of time (<24 hours, configurable).
- Only the most recent reset token should be valid at any given time.
- The reset form should only be usable for a given account once during any given time period (~24 hours, configurable) in order to prevent denial-of-service, SMS/email bombing, and circumvention of password history rules.
- The reset token should be invalidated as soon as it is used.
- The current password should be valid until a successful reset is complete (also limits denial-of-service).
- All existing sessions for the user should be automatically terminated when a successful reset is complete.
Once the user successfully completes the alternate channel authentication, the framework should prompt for a new password to be entered twice, to ensure it is correct. The user should be notified via email or some other method whenever a successful password change takes place.
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
Secret questions are fairly controversial. Email/SMS side-channel authentication is preferred.