Skip to content

Eduguru

  • Tutorial and Training
    • SQL Server
    • Linux Tutorial
    • PHP Tutorial
    • Asterisk Tutorial
    • MySQL Tutorial
    • JavaScript Tutorial
    • C Tutorial
    • Who Breaks into Computer Systems
    • Planning and Performing Hacking Attacks
    • Maintaining Anonymity
    • Selecting Security Assessment Tools
    • Scanning Systems
  • Contact Us
    • Feedback
  • Business
    • Solutions
      • Job : Dialer Support
    • ViciDial – GoautoDial Support
    • Domain Registration
    • Web Hosting
    • Consultancy
    • Dialer Support
  • About Us
  • News
  • Donate Online
  • Offers
  • Newsletter
  • Jobs
  • Sale
    • Amazon
    • Get Computer Books
    • Amazon Sale Offer
  • Search
  • Python Tutorial
  • Search
  • WPMS HTML Sitemap
  • Log In
  • Log Out
  • Register
  • Lost Password
  • Reset Password
  • Download
  • Result
  • Newsletter
  • search
  • MySQL – Video Tutorial
  • Products Page
    • Checkout
    • Transaction Results
    • Your Account
  • Privacy

Forgotten Password Functionality

April 30, 2020 by Krishna

Like password change functionality, mechanisms for recovering from a forgotten password situation often introduce problems that may have been avoided in the main login function, such as username enumeration.

In addition to this range of defects, design weaknesses in forgotten password functions frequently make this the weakest link at which to attack the application’s overall authentication logic. Several kinds of design weaknesses can often be found:

■The forgotten password functionality often involves presenting the user with a secondary challenge in place of the main login, as shown in Figure -1. This challenge is often much easier for an attacker to respond to than attempting to guess the user’s password. Questions about mothers’ maiden names, memorable dates, favorite colors, and the like will generally have a much smaller set of potential answers than the set of possible passwords. Further, they often concern information that is publicly known or that a determined attacker can discover with a modest degree of effort.

Screenshot from 2020-04-30 22:12:00

Figure -1: A secondary challenge used in an account recovery function

In many cases, the application allows users to set their own password recovery challenge and response during registration, and users are inclined to set extremely insecure challenges, presumably on the false assumption that only they will ever be presented with them, for example: “Do I own a boat?” In this situation, an attacker wishing to gain access can use an automated attack to iterate through a list of enumerated or common usernames, log all of the password recovery challenges, and select those that appear most easily guessable.

■ As with password change functionality, application developers commonly overlook the possibility of brute forcing the response to a password recovery challenge, even when they block this attack on the main login page. If an application allows unrestricted attempts to answer password recovery challenges, then it is highly likely to be compromised by a determined attacker.

■ In some applications, the recovery challenge is replaced with a simple password “hint” that is configurable by users during registration. Users commonly set extremely obvious hints, even one that is identical to the password itself, on the false assumption that only they will ever see them. Again, an attacker with a list of common or enumerated usernames can easily capture a large number of password hints and then start guessing.

■ The mechanism by which an application enables users to regain control of their account after correctly responding to a challenge is often vulnerable. One reasonably secure means of implementing this is to send a unique, unguessable, time-limited recovery URL to the email address that the user provided during registration. Visiting this URL within a few minutes enables the user to set a new password. However, other mechanisms for account recovery are often encountered that are insecure by design:

■ Some applications disclose the existing, forgotten password to the user after successful completion of a challenge, enabling an attacker to use the account indefinitely without any risk of detection by the owner. Even if the account owner subsequently changes the blown password, the attacker can simply repeat the same challenge to obtain the new password.
■ Some applications immediately drop the user into an authenticate session after successful completion of a challenge, again enabling an attacker to use the account indefinitely without detection, and with- out ever needing to know the user’s password.
■ Some applications employ the mechanism of sending a unique recovery URL but send this to an email address specified by the user at the time the challenge is completed. This provides absolutely no enhanced security of the recovery process beyond possibly logging the email address used by an attacker.

■ Some applications allow users to reset their password’s value directly after successful completion of a challenge and do not send any email notification to the user. This means that the compromising of an account by an attacker will not be noticed until the owner happens to attempt to log in again, and may even remain unnoticed if the owner assumes that they must have forgotten their own password and so resets it in the same way. An attacker who simply desires some access to the application can then compromise a different user’s account for a period and so continue using the application indefinitely.

NEXT is..“Remember Me” Functionality………..,.,.,.,.,.,.,.,

Categories Tutorial, Web Hosting, Website Tags account recovery function, Attacking Authentication, forgotten password, Forgotten Password Functionality, HACKING, mechanisms, PASSWORD, URL, web hacking
Password Change Functionality
Remember Me” Functionality

Recent Posts

  • Online Degree vs Regular Degree in India: An In-Depth Comparison
  • Complete Guide to B.Tech Admission Process for IITs
  • How to Choose the Right Engineering Branch in India: A Complete Guide
  • Top 10 Diploma and Certificate Courses After 10th Grade
  • IGNOU Admission Process Explained Step by Step
  • Top 10 Online Coaching Platforms for IIT JEE in India
  • Understanding Generative AI: A Beginner’s Guide
  • Top 15 ChatGPT Prompts for Students to Boost Learning
  • How to Build an AI Agent Without Coding: A Step-by-Step Guide
  • 10 Best AI Resume Builder Tools for Indian Job Seekers
  • Top 10 AI Tools for Digital Marketing in India
  • Top 20 Free AI Image Generators to Try in 2026
  • 10 Effective ChatGPT Prompts for Indian Classroom Teachers
  • PM Scholarship Scheme: Eligibility and Application Guide
  • Jio vs Airtel vs Vi: Best Mobile Plans Compared
  • UPI Apps Compared: PhonePe vs Google Pay vs Paytm
  • Top 10 Budget Smartphones in India for 2026
  • Top 10 Web Hosting Services in India for Beginners
  • Top 10 Laptops for Students in India Under ₹50,000
  • AI Impact on Jobs in India: Skills to Embrace for Future Growth
  • Top Skills Employers Want in India 2026
  • Top 10 Government Jobs After Graduation in India
  • How to Prepare for UPSC Prelims: A Beginner’s Guide
  • Top 10 Courses After 12th Commerce for Bright Careers
  • Top 10 Courses After 12th Science in India: Complete Guide
  • Top Scholarships for Indian College Students in 2026
  • How to Check CBSE Class 12 Results and What to Do Next
  • Top Tips for CBSE Class 12 Board Exam Preparation
  • Top 10 AI Tools for Students in India in 2026
  • Top 10 Highest Paying Jobs in India for 2026
  • Ultimate JEE Main Study Plan for Class 12 Students
  • NEET Preparation Strategy for First Attempt: A Complete Guide
  • Ultimate CUET Preparation Guide 2026 for Indian Students
  • ChatGPT vs Gemini vs Claude: Which AI is Best for Indians?
  • The Fascinating Story of Mango: King of Indian Fruits
  • Why Mango is the King of Fruits: Benefits and Fun Facts
  • Discovering the Lichi Capital of the World: A Sweet Journey
  • Top AI Courses for 10th Class Students in India
  • Celebrating World Telecommunication Day: Connecting the World
  • Top Career Paths Post-AI: Future Employment Options Explored
  • Exciting Summer Projects for Students to Explore
  • Understanding the B.Tech Admission Process in IITs
  • Understanding CBSE Class 12th Results: Access and Next Steps
  • Understanding NAAC Grade Colleges and Their Admission Benefits
  • Understanding UUID: Creation and Applications in Technology
  • Top AI Tools to Simplify Your Website Creation Process
  • The Transformative Impact of AI on IT for Developers
  • Transforming Health Care: Benefits of AI Technology
  • Harnessing AI: Transforming the Fintech Industry in India
  • Transforming IT BPOs: The Impact of AI Technology

Recent Post

  • Online Degree vs Regular Degree in India: An In-Depth Comparison
  • Complete Guide to B.Tech Admission Process for IITs
  • How to Choose the Right Engineering Branch in India: A Complete Guide
  • Top 10 Diploma and Certificate Courses After 10th Grade
  • IGNOU Admission Process Explained Step by Step
© 2026 Eduguru • Built with GeneratePress