Passwords are a tricky business. In real life, we don’t need to whisper secrets to prove who we are. Our faces (or identification cards, which are basically certified pictures of our faces) are instinctively easy to recognize. Online, we need to resort to more arcane measures, hence the proliferation of password-based authentication systems.
Unfortunately, people forget their passwords. Once that happens, the one and only thing that stands between a user’s account and the horde of vicious Internet attackers is gone. The user still wants to access their Fantasy Foosball account page, but how do we know it’s really them?
Forgotten password mechanisms deal with this use case. It would be difficult to operate a web site without one – you’d have to ask people to go to a physical location and show ID. A brief examination of these mechanisms shows how sites employ a variety of approaches and controls. Some are incredibly simple, such as emailing you a new password at a pre-defined email address, while others have multiple steps and safeguards to stop attackers.
Bad password reset mechanisms have led to several noteworthycompromises. Password reset is a classic security-usability tradeoff – the more you lock down the reset process, the harder you make it for the legitimate user to access their account. I wanted to see how major sites deal with the password reset use case, to try to figure out what are the accepted practices.
Additionally, I wanted to point out how the “weakest link” theory applies to password reset and authentication systems in general. You can have an incredibly strong password policy, authentication mechanism, etc., but if all an attacker has to do is guess your pet’s name, or brute force a four digit code, it’s all for naught.
I was partially (and retroactively) inspired by two papers from the WEIS 2010 conference recently mentioned by Bruce Schneier on his blog. In “Where Do Security Policies Come From?”, two researchers from Microsoft discover that the strength of password policies don’t correlate with site size, asset value, or number of users, but with competitive ecosystems and advertisement revenue. The more rigorously a site has to satisfy usability needs, the weaker the password policy. Another paper titled “The password thicket: technical and market failures in human authentication on the web” describes an empirical study of password systems at 150 popular web sites, including an examination of password reset protocols. The second paper actually has a great analysis of password reset that expands upon what the brief survey I did for this blog post, so if the subject interests you, I’d recommend following up with it.
There are a few basic security controls employed during password reset processes – secret Q&A, CAPTCHAs, and side-channels.
1) Secret Questions and Answers
When the user registers they provide some information, which may explicitly be for the purpose of resetting their password, which is considered secret enough to prove their identity. This may be accompanied by brute force countermeasures, like CAPTCHAs or request throttling.
CAPTCHAs are used to prevent a robot from filling out the password-reset form and performing a brute force attack.
3) Side Channels
When the user registers they provide a side channel address, such as an email address or a phone number, which can be used to verify their identity. The secret communicated through this side channel may be a temporary token or a new permanent password.
One other security mechanism I don’t mention here is the possibility of rate throttling password reset attempts, which would, like a CAPTCHA prevent brute force. Because detecting rate-throttling controls requires a much more active form of testing, I didn’t include it in my survey.
The following list of 14 popular sites password reset mechanisms shows that there are a variety of practices in place.