3

I need to provide the Reset Password Feature for my product. For this I have two competing solutions:

  1. Send the password reset link in mail to the user
  2. Provide the Security Question based solution

Based on the assessment by our security team, the security questions are deemed not secure. The reason is that security questions generally ask for personal information like in which city you met your spouse, name of your elementary school etc. This type of personal information widely available on the net courtesy the social media.

So, is this assessment correct and should the security question based solution for reset password be avoided?

Anders
  • 64,406
  • 24
  • 178
  • 215
Manchanda. P
  • 69
  • 1
  • 4
  • 6
    Why are these solutions competing with each other? – techraf Jun 08 '16 at 07:25
  • 1
    What @techraf said ! You should be authenticating the user (security question) before giving them access (password reset link) ! – Little Code Jun 08 '16 at 07:28
  • @techraf: These solutions provide two different ways of implementing the reset password functionality, I can combine these two but that is not an option at the moment. – Manchanda. P Jun 08 '16 at 08:41
  • @LittleCode, By authentication you mean validating the answers to the security questions before providing the reset link. As I said earlier, that is also a solution but we can't go that route at the moment. Thanks. – Manchanda. P Jun 08 '16 at 08:44
  • 1
    @Manchanda.P , well forgive me, but quite frankly pretty stupid to blindly send out reset links without first taking a few steps to verify the identity of who you're sending it to ! (email accounts can get hacked etc.) – Little Code Jun 08 '16 at 09:49
  • 5
    @LittleCode why would you want them to remember a set of passwords before being able to get their reset email? If they've forgotten one then they've probably forgotten them all. – Robert Mennell Jun 08 '16 at 22:47
  • While Security questions do almost nothing, if you really want to improve security the way to go is adding more factors. This can be done in many ways (like only allow resets from within the corporate network) I believe a good middle ground would be to both use a email and a phone call (or slightly worse a sms) as means to reset an account. its harder to fool someone on the phone when doing phising and you can know the phone someone is using. – LvB Jun 09 '16 at 10:52

3 Answers3

2

I agree with your security team. The "security question" is not secure on its own: cities can be found over ip, names can be googled and nicknames of pets can be guessed.

However, you could combine both methods: first send the mail, and when the user clicks the link, ask the question. This way you would add at least a bit more security to the procedere. Also think about a lock (e.g. 12 hours) after three bad attempts to ensure bruteforcing isn't possible.

Jens Bannmann
  • 143
  • 8
licklake
  • 1,032
  • 1
  • 9
  • 22
  • Combining the two actively harms usability and is still something that can be googled or brute forced. Now they also have to be stored encrypted, and have the same security procedures in two places. – Robert Mennell Jun 08 '16 at 20:25
  • Yes thats right. This practice is just another option, clearly not the best. The only real safe way would be two factor authentication, but that implies the biggest expense too. – licklake Jun 09 '16 at 05:57
1

I agree with your security team, these kind of questions are too easy to lift from social media, online research or just guesswork. It can be made a lot better then 'what is your dogs name', but its still antiquated.

Depending on your needs, in most situations I recommend an third choice. Required mobile phone number registration and SMS to the mobile phone with a verification code on password change.

Sadly, some users have the same/similar password everywhere. And what if this customer of yours have had an attacker start with taking his email account? Then finding he have an account on your product from reading his emails. Then taking over his account with your company, then .. changing the password since you email the password changing link to him/her ..

Simply G.
  • 518
  • 3
  • 12
  • Thanks @Simply G, for your quick response. I understand that email account can also be taken over. My thought process was that the reset link in the email would have an expiry (probably of few hours). If user doesn't uses that link within stipulated time then (s)he would need to regenerate the same. Sending verification code to mobile phone is also a good option but it costs money (security always expensive :-) ). Thanks – Manchanda. P Jun 08 '16 at 07:13
  • Of course, as I said it depends on your needs. – Simply G. Jun 08 '16 at 13:29
  • 1
    Mobile phone messages are only security through obscurity. SMS is sent un-encrypted. – Robert Mennell Jun 08 '16 at 20:24
  • While there is a point to that, I'd say that the main issue is that SMS is the best current way to multi-factor authentication. Because 'everyone' owns a mobile phone. It doesn't make things worse from the reset-link email, most emails are sent in cleartext? – Simply G. Jun 09 '16 at 04:51
  • Yahoo, gmail, microsoft (live, putlook, hotmail, etc) are the three big ones and all use encrypted mail transfer. Most companies do as well because SSH/TLS enforcement on mail servers is just as easy to do on Web servers. – Robert Mennell Jun 09 '16 at 07:36
  • Also if everyone has a phone, everyone also has an email (and by that argument more people have emails than phones) – Robert Mennell Jun 09 '16 at 07:46
-1

Let's us an example of why security questions are a bad system:

You have forgotten your password, and go to a page to reset your password by answering questions. We all know these questions are horrible and easy to guess, or find out. So recomended advice is to choose an answer and change a few letter into numbers and symbols to prevent it from being easily guessed by people or machines. Now you've forgotten what those changes you made were! So worse yet if the answer was short it is easily brute forced with enough computing power. Let's do another comparison:

  • Password: Send a payload to a server to compare against a hash

  • Security questions: Send a payload to a server to compare against a hash.

The similarities don't stop there. To keep the personally identifiable information secure you must hash or encrypt it (ideally hash) it in the database. In other words security questions are nothing more than extra passwords to remember. OWASP even recommends against them because they fail to all of the exact same tests as passwords. They are hard to remember if safe from guessing, and worse yet actively harm usability. However to an attacker at this point it is only just slightly more viable for them to brute force the password on the account directly than trying to figure out or brute force the security questions and also hack the email account. You have gained no extra security because this actively hurts users if they forget these passwords security questions and it means they can't ever reset their password.

Only using a password reset link should be sufficient of the two methods because it also uses the security features of the email account, including rate limiting and hopefully mfa authentication. So really don't use password reset questions. Even better if the email uses TLS it is sent encryoted.

https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet#The_Problem

Robert Mennell
  • 6,968
  • 1
  • 13
  • 38
  • 1
    Reason for the down vote would be nice. – Robert Mennell Jun 08 '16 at 21:28
  • The point of a security question is that it is a fact about your life that you are not going to forget. "What city did you grow up in" is not something you have to keep in your password manager. The last two paragraphs assume that there is a support contact through which the security questions can be circumvented, but there is no basis for that assumption. There is nothing about a support contact in the question. – Sjoerd Jun 09 '16 at 07:10
  • `...and just the same amount of security as only using the reset email.`; your second sentence and it's already not true because an attacker needs to know or brute force security questions as well. How these questions should be chosen is a different topic, apparently not "What's your dog's name?" – Potaito Jun 09 '16 at 07:12
  • `If that happens enough and an attacker gains access to their email and then just emails support to get access to the account again` No, if properly implemented and applied the support would simply be able to provide a link to a reset form, which shows a bunch of security questions. And you could only reset the password if you had all answers. All questions should be on the same page to make things harder for a cracker. – Potaito Jun 09 '16 at 07:13
  • https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet#The_Problem – Robert Mennell Jun 09 '16 at 07:14
  • `If someone's emails address is compromised, a user is considered compromised` That's exactly why a combination of both, email **and** security questions would improve the security. because having access to the email is suddenly no longer sufficient for a cracker. – Potaito Jun 09 '16 at 07:14
  • Owasp seems to agree with me that it's a bad system. Let's change the language a bit and provide another answer. – Robert Mennell Jun 09 '16 at 07:16
  • Your linked source states in the problem description, that "*The result is that developers generally pick a set of dubious questions and implement them insecurely.*" This is true and highlights implementation problems today. However it does not mean that the whole scheme is a bad idea. If you then read their section **Steps**, they suggest exactly what I meant: First ask for an email, then send the link to a password page with a whole lot of easy to remember security questions. – Potaito Jun 09 '16 at 07:22
  • As said before, choosing those questions is very difficult and sometimes even geographically restrictive. Not every person using the internet has a social security number for instance. – Potaito Jun 09 '16 at 07:24
  • @potAito read the link I supplied. I have also modified my answer to prove it is exactly like a password. – Robert Mennell Jun 09 '16 at 07:25