Like password change functionality, mechanisms for recovering from a forgotten password situation often introduce problems that may have been avoided in the main login function, such as username enumeration.
In addition to this range of defects, design weaknesses in forgotten password functions frequently make this the weakest link at which to attack the application’s overall authentication logic. Several kinds of design weaknesses can often be found:
■The forgotten password functionality often involves presenting the user with a secondary challenge in place of the main login, as shown in Figure -1. This challenge is often much easier for an attacker to respond to than attempting to guess the user’s password. Questions about mothers’ maiden names, memorable dates, favorite colors, and the like will generally have a much smaller set of potential answers than the set of possible passwords. Further, they often concern information that is publicly known or that a determined attacker can discover with a modest degree of effort.
Figure -1: A secondary challenge used in an account recovery function
In many cases, the application allows users to set their own password recovery challenge and response during registration, and users are inclined to set extremely insecure challenges, presumably on the false assumption that only they will ever be presented with them, for example: “Do I own a boat?” In this situation, an attacker wishing to gain access can use an automated attack to iterate through a list of enumerated or common usernames, log all of the password recovery challenges, and select those that appear most easily guessable.
■ As with password change functionality, application developers commonly overlook the possibility of brute forcing the response to a password recovery challenge, even when they block this attack on the main login page. If an application allows unrestricted attempts to answer password recovery challenges, then it is highly likely to be compromised by a determined attacker.
■ In some applications, the recovery challenge is replaced with a simple password “hint” that is configurable by users during registration. Users commonly set extremely obvious hints, even one that is identical to the password itself, on the false assumption that only they will ever see them. Again, an attacker with a list of common or enumerated usernames can easily capture a large number of password hints and then start guessing.
■ The mechanism by which an application enables users to regain control of their account after correctly responding to a challenge is often vulnerable. One reasonably secure means of implementing this is to send a unique, unguessable, time-limited recovery URL to the email address that the user provided during registration. Visiting this URL within a few minutes enables the user to set a new password. However, other mechanisms for account recovery are often encountered that are insecure by design:
■ Some applications disclose the existing, forgotten password to the user after successful completion of a challenge, enabling an attacker to use the account indefinitely without any risk of detection by the owner. Even if the account owner subsequently changes the blown password, the attacker can simply repeat the same challenge to obtain the new password.
■ Some applications immediately drop the user into an authenticate session after successful completion of a challenge, again enabling an attacker to use the account indefinitely without detection, and with- out ever needing to know the user’s password.
■ Some applications employ the mechanism of sending a unique recovery URL but send this to an email address specified by the user at the time the challenge is completed. This provides absolutely no enhanced security of the recovery process beyond possibly logging the email address used by an attacker.
■ Some applications allow users to reset their password’s value directly after successful completion of a challenge and do not send any email notification to the user. This means that the compromising of an account by an attacker will not be noticed until the owner happens to attempt to log in again, and may even remain unnoticed if the owner assumes that they must have forgotten their own password and so resets it in the same way. An attacker who simply desires some access to the application can then compromise a different user’s account for a period and so continue using the application indefinitely.
NEXT is..“Remember Me” Functionality………..,.,.,.,.,.,.,.,