
My company is developing an online HR and Payroll application where securing access is critical. I'm clear on how to lock down most of the authentication/authorization processes, except for the 'Forgotten Password' page.

My initial plan was to require the user to enter both an e-mail address and a response to a previously selected/entered challenge question, with a temporary password being mailed to the e-mail listed (assuming the e-mail is valid). But I've read here and here (both on SO) that the challenge-response approach is insecure.

If we're only e-mailing a temp password though, is it really that insecure? The only more secure option I can think of would be to require the user to call their Customer Service Rep, which would greatly burden our employees.

What am I missing ... is there a better approach? Thanks!

Beep beep
  • +1 because this is a serious issue handled very badly by many websites. I'd give you +10 if I could. – Jason S Mar 05 '09 at 14:29

6 Answers


Don't email a temp password, email the user a URL+token to a reset-password page. That way no password is ever changing hands unencrypted. It's also immediately obvious to the end-user that their account has been compromised if they try to go to that page and the reset token has already been used.

Added from the comments:

I think challenge-response ("secret question") aspects actually make things less secure, because they are generally things that can be discovered by researching public info about the target. The fewer steps total, the fewer that can be broken without anyone knowing. Letting reset emails go early and often is a good way to let a human know the attempt is being made.

Rex M
  • The purpose of the link+token is not to avoid the sending of a password but to avoid a PEBCAK when the user mistypes the temp password T&8yLIO. Users are the reason temp passwords are bad, IMHO. – John Fricker Mar 05 '09 at 05:06
  • Rex - good idea! So you're not opposed to the challenge-response as a requirement to obtain reset-password link? – Beep beep Mar 05 '09 at 05:10
  • @David no, it's not the same. A password is a reusable secret known by both parties. The token is used once and thrown away; and it's only a message used to prove the identity of the requester by relying on the security of the true user's email system. – Rex M Mar 05 '09 at 05:12
  • @LuckyLindy I think challenge-response aspects actually make things less secure, because they are generally things that can be discovered by researching public info about the target. The fewer steps total, the fewer to be broken. Letting reset emails go lets a human know of the attempt earlier. – Rex M Mar 05 '09 at 05:16
  • @John Fricker's point is also valid - another good reason not to use temp passwords. The whole concept is risky. – Rex M Mar 05 '09 at 05:19
  • @Rex M generally speaking, the user is required to change the temp password before using the application; that's what makes it temporary. I really don't see a difference with a one-time token. – mustpax Mar 05 '09 at 07:01
  • The token idea only works if it's a two factor authentication system. For instance, with most token solutions, the token has a pseudo-random algorithm which displays a set of numbers. That changes every minute or so. So you have to have the token to get the numbers, plus you have to know the PIN. – K. Brian Kelley Mar 05 '09 at 14:08
  • @K Brian Kelley you are talking about a physical fob, we are talking about a unique key used by the server to verify the identity of the emailer – Rex M Mar 05 '09 at 16:22
  • The secret question challenge response is only as secure as the answer to the question is. If the answer to the question “what is your secret password” is only “password”, then it’s not the question that is insecure but the answer. – Gumbo Mar 07 '09 at 20:59
  • So instead of asking for the “mother’s maiden name”, you should incite the user to make up some question with really secret answers instead of dispensing of this authentication measure. – Gumbo Mar 07 '09 at 21:05
  • Non-password questions are fundamentally insecure because they are information that can be gleaned by researching the target. If a password is used in such a way, it is also insecure but passwords *can* be used properly. "Secret questions" cannot. – Rex M Mar 08 '09 at 02:00

As explained in this article, Governor Palin's e-mail account was recently hacked using answers to previously asked questions. From the article:

As detailed in the postings, the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse -- the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

David Segonds
  • I agree that challenge-response by itself is bad, but if we do it in conjunction with an e-mail back to the user (with a link that must be clicked to change the password), wouldn't that be better than an e-mail w/ link only? – Beep beep Mar 05 '09 at 06:04

There are a few common ways to manage lost passwords:

  • The Secret Question: It is actually a weaker form of authentication, just like people above posted. The user may choose something really simple and it is easy to guess. I advise against this, because it does not require any technical "hacking".

  • Mail a new password. To circumvent this control, access to the e-mail account is required or a Man-In-The-Middle (MITM) position is required: you either read the temporary password from the user's inbox or intercept it in the middle. This approach is ripe for misuse, because anybody can reset the password and force the user out of the system, if he can't read the e-mail with the new password.

  • Mail a password reset hash. To circumvent this, you need access to the inbox or MITM, just like in the case before this, but no passwords are actually reset until confirmation is done. Thus, the user cannot be locked out of the system, even if he did not read the e-mail. Add a cooldown timer of one reset per 8 hours to prevent your system from flooding the user's inbox.

  • Consider some out-of-band communication, for example, in the printed contract, write down a PIN. Then have the user call your helpdesk from a known phone number (check with Caller ID) and give his username and PIN.

Konrads
  • We are considering a combination of your 1st and 2nd option. Wouldn't that be more secure than either by itself? – Beep beep Mar 07 '09 at 22:02
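The reset flow that Rex M's answer recommends (a single-use token link, no password in transit, reuse visible to the real user) combined with the properties Konrads lists for the "reset hash" option (nothing changes until confirmation, one reset e-mail per 8 hours), as an added example that is not code from the thread. It assumes an in-memory store, a placeholder host hr.example.com, a one-hour token lifetime, and an injectable clock so expiry can be exercised.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600            # reset links expire after one hour (assumed value)
RESET_COOLDOWN = 8 * 3600   # one reset e-mail per user per 8 hours, as in the answer

def hash_password(password):
    # Salted PBKDF2 for the stored credential; the token itself is never a password.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def token_key(token):
    # Store only a digest of the token: a leaked table holds nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()

class PasswordResetService:
    """In-memory demo store (assumption); a deployment would persist these records."""
    def __init__(self, users, now=time.time):
        self.users = users          # email -> {"pw_hash": bytes}
        self.now = now              # injectable clock so expiry can be tested
        self.tokens = {}            # sha256(token) -> {"email", "expires", "used"}
        self.last_request = {}      # email -> time the last reset e-mail was sent

    def request_reset(self, email):
        """Returns the URL to e-mail, or None. The web page should show the same
        'check your inbox' message either way so it never reveals which addresses exist."""
        if email not in self.users:
            return None
        t = self.now()
        if t - self.last_request.get(email, 0) < RESET_COOLDOWN:
            return None             # cooldown: stops the inbox-flooding misuse
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self.tokens[token_key(token)] = {"email": email, "expires": t + TOKEN_TTL, "used": False}
        self.last_request[email] = t
        return "https://hr.example.com/reset?token=" + token     # placeholder host

    def redeem(self, token, new_password):
        """'ok' changes the password; 'already_used' tells the real user someone beat
        them to the link; 'invalid' covers unknown and expired tokens alike."""
        rec = self.tokens.get(token_key(token))
        if rec is None or self.now() > rec["expires"]:
            return "invalid"
        if rec["used"]:
            return "already_used"
        rec["used"] = True          # single use; the record stays so reuse is detectable
        self.users[rec["email"]]["pw_hash"] = hash_password(new_password)
        return "ok"
```

Until `redeem` succeeds the stored password is untouched, so a stranger requesting a reset cannot lock the employee out; the "already_used" result is the signal Rex M describes.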

In short, challenge questions are often the weakest link. They're easier to guess than a password and effectively operate as a proxy for a password, so they actually reduce security rather than enhance it by providing another attack vector that's actually easier to break. The Web Application Hacker's Handbook has some great information on this area.

Cory House
  • Sure, but if entering the secret question resets and sends a password via e-mail, isn't that better than simply sending the password directly? – Beep beep Aug 05 '10 at 02:26
  • @Jess - It's totally unnecessary. If you simply send a link that allows for resetting the password and expires after a short period, there's no need to force the user to remember/manage additional secret data that they're highly likely to forget. Asking users who can't remember their password to remember exactly how they typed answers to other questions just so they can reset their password is a fundamentally flawed approach. And it unnecessarily makes the forgotten password process more of a hassle. The user has no recourse to reset their password if they can't recall their challenge answers! – Cory House Aug 06 '10 at 13:07

Wouldn't it be easy/feasible to outsource the whole password management just like SO did and use OpenId or similar? Of course this would add another dependency, but you'd trade that against the need to save (and secure) passwords and deal with them as you described.

Olaf Kock
  • In a corporate environment, that's not even remotely feasible. – Rex M Mar 05 '09 at 05:48
  • I agree with Rex. We will be dealing with 10,000-40,000 users, many of whom will be computer illiterate (i.e. people logging in to view pay stubs, change 401K enrollments, print W-2s, etc). Requiring OpenId seems like a huge pain, and takes away some of our control over VERY sensitive data. – Beep beep Mar 05 '09 at 06:06
  • well, fair argument. In other situations, taking away control over sensitive data would be a good thing though. (I fully accept that this doesn't apply here, but I like that there are so many different angles to this question) – Olaf Kock Mar 05 '09 at 19:00

You said it is an on-line HR and payroll application. Do you have the option of a user indicating he/she has forgotten his/her password and that generating a message to an HR representative or some official in the organization who can confirm identity and then issue a password reset?

K. Brian Kelley
  • That's not a bad idea ... although most of the time the HR reps are going to be the ones accessing our system, plus in cases where their employees access it they might be annoyed changing passwords (viewing it as our job). Thanks for the feedback! – Beep beep Mar 05 '09 at 17:01