Skip to content

Eduguru

  • Tutorial and Training
    • SQL Server
    • Linux Tutorial
    • PHP Tutorial
    • Asterisk Tutorial
    • MySQL Tutorial
    • JavaScript Tutorial
    • C Tutorial
    • Who Breaks into Computer Systems
    • Planning and Performing Hacking Attacks
    • Maintaining Anonymity
    • Selecting Security Assessment Tools
    • Scanning Systems
  • Contact Us
    • Feedback
  • Business
    • Solutions
      • Job : Dialer Support
    • ViciDial – GoautoDial Support
    • Domain Registration
    • Web Hosting
    • Consultancy
    • Dialer Support
  • About Us
  • News
  • Donate Online
  • Offers
  • Newsletter
  • Jobs
  • Sale
    • Amazon
    • Get Computer Books
    • Amazon Sale Offer
  • Search
  • Python Tutorial
  • Search
  • WPMS HTML Sitemap
  • Log In
  • Log Out
  • Register
  • Lost Password
  • Reset Password
  • Download
  • Result
  • Newsletter
  • search
  • MySQL – Video Tutorial
  • Products Page
    • Checkout
    • Transaction Results
    • Your Account
  • Privacy

Forgotten Password Functionality

April 30, 2020 by Krishna

Like password change functionality, mechanisms for recovering from a forgotten password situation often introduce problems that may have been avoided in the main login function, such as username enumeration.

In addition to this range of defects, design weaknesses in forgotten password functions frequently make this the weakest link at which to attack the application’s overall authentication logic. Several kinds of design weaknesses can often be found:

■The forgotten password functionality often involves presenting the user with a secondary challenge in place of the main login, as shown in Figure -1. This challenge is often much easier for an attacker to respond to than attempting to guess the user’s password. Questions about mothers’ maiden names, memorable dates, favorite colors, and the like will generally have a much smaller set of potential answers than the set of possible passwords. Further, they often concern information that is publicly known or that a determined attacker can discover with a modest degree of effort.

Screenshot from 2020-04-30 22:12:00

Figure -1: A secondary challenge used in an account recovery function

In many cases, the application allows users to set their own password recovery challenge and response during registration, and users are inclined to set extremely insecure challenges, presumably on the false assumption that only they will ever be presented with them, for example: “Do I own a boat?” In this situation, an attacker wishing to gain access can use an automated attack to iterate through a list of enumerated or common usernames, log all of the password recovery challenges, and select those that appear most easily guessable.

■ As with password change functionality, application developers commonly overlook the possibility of brute forcing the response to a password recovery challenge, even when they block this attack on the main login page. If an application allows unrestricted attempts to answer password recovery challenges, then it is highly likely to be compromised by a determined attacker.

■ In some applications, the recovery challenge is replaced with a simple password “hint” that is configurable by users during registration. Users commonly set extremely obvious hints, even one that is identical to the password itself, on the false assumption that only they will ever see them. Again, an attacker with a list of common or enumerated usernames can easily capture a large number of password hints and then start guessing.

■ The mechanism by which an application enables users to regain control of their account after correctly responding to a challenge is often vulnerable. One reasonably secure means of implementing this is to send a unique, unguessable, time-limited recovery URL to the email address that the user provided during registration. Visiting this URL within a few minutes enables the user to set a new password. However, other mechanisms for account recovery are often encountered that are insecure by design:

■ Some applications disclose the existing, forgotten password to the user after successful completion of a challenge, enabling an attacker to use the account indefinitely without any risk of detection by the owner. Even if the account owner subsequently changes the blown password, the attacker can simply repeat the same challenge to obtain the new password.
■ Some applications immediately drop the user into an authenticate session after successful completion of a challenge, again enabling an attacker to use the account indefinitely without detection, and with- out ever needing to know the user’s password.
■ Some applications employ the mechanism of sending a unique recovery URL but send this to an email address specified by the user at the time the challenge is completed. This provides absolutely no enhanced security of the recovery process beyond possibly logging the email address used by an attacker.

■ Some applications allow users to reset their password’s value directly after successful completion of a challenge and do not send any email notification to the user. This means that the compromising of an account by an attacker will not be noticed until the owner happens to attempt to log in again, and may even remain unnoticed if the owner assumes that they must have forgotten their own password and so resets it in the same way. An attacker who simply desires some access to the application can then compromise a different user’s account for a period and so continue using the application indefinitely.

NEXT is..“Remember Me” Functionality………..,.,.,.,.,.,.,.,

Categories Tutorial, Web Hosting, Website Tags account recovery function, Attacking Authentication, forgotten password, Forgotten Password Functionality, HACKING, mechanisms, PASSWORD, URL, web hacking
Password Change Functionality
Remember Me” Functionality

Recent Posts

  • How to resolve -bash: netstat: command not found centos stream 9
  • python script to STT output in a text file
  • New Install Asterisk 18 from source on CentOS Stream 8
  • How to save audio stream from Asterisk to a file via WebSocket
  • create web socket and save data in a text file
  • How to capture and analyze traffic with tcpdump
  • Installing Asterisk 20 From source On Rocky 9
  • html drop down with search from table php mysql
  • How to Install and Use FFmpeg on CentOS 8
  • How to get duration of MP3 or wav any audio File in PHP
  • How to Change location Of MariaDB Data Directory
  • How to check partition details of MySQL table
  • internal server error when download large file php
  • iostat : How to monitor disk activity and CPU load average
  • Webrtc with Asterisk 16 : complete configuration with SIP
  • What is inode and where this is stored
  • How to create Bootstrap Dropdown button/link
  • How to check supported RAM type in Linux System
  • MySQL update table based on value of another table Join
  • How to check the Public IP: Mera Wala IP
  • How to fix WordPress 404 Errors, requested URL was not found on this server: Home Page works
  • How to create Round Buttons and Square Buttons
  • Basic and Simple Examples of Skills with CSS
  • How to SUM Columns value in MYSQL
  • How to create a data table in bootstrap PHP and MySQL ?
  • How to DELETE Data Into MySQL Database Using PHP ?
  • How to Create MySQL user and Grant permission ?
  • What is XML & HTML ? What is Difference Between XML & HTML?
  • What is MySQL Binary logs ,their usages and how to purge binary logs ?
  • How to Select Data Into MySQL Database Using PHP ?
  • How to Remove spaces from string in MySQL ?
  • What is Different Between CHAR & VARCHAR ?
  • How to Insert Data Into MySQL Database Using PHP
  • What is MySQL SELECT Statement And Example of MySQL SELECT Query
  • What is INSERT Statement And Example of INSERT Query ?
  • What is MySQL Cluster vs Replication ?
  • How to Protect your computer from viruses and malware ?
  • What is the Use of Motherboard in a Computer ?
  • Happy Teacher’s Day 2022 – Quotes and Greetings on Teachers’ Day
  • NDA exam date question paper 2022 download and solution
  • What is Need of Information Security?
  • What is Information Security ?
  • How to Secure Web server ?
  • What is JSP ?
  • What is DDoS Attack ? & How Google Stopped the Largest -ever DDoS Attack ?
  • what is Malware ? And How to Stay Protected from Malware Attacks?
  • Best Practices to secure from DDoS Attack
  • How to protect Your Site Against DDoS Attack
  • How to secure from DDoS Attack
  • What is DDoS Attack. Basic introduction of DDoS

Recent Post

  • How to resolve -bash: netstat: command not found centos stream 9
  • python script to STT output in a text file
  • New Install Asterisk 18 from source on CentOS Stream 8
  • How to save audio stream from Asterisk to a file via WebSocket
  • create web socket and save data in a text file
© 2026 Eduguru • Built with GeneratePress