
I noticed that Facebook sends out a "Forgot password" code of six digits, which is very short for a validation code, so I assume they are doing the following:

  • Set a session variable which is linked to the code so no other clients can use the same code
  • Possibly also, set maximum number of attempts of entering the correct code

I have two questions:

  1. Is the above the best way to do "Forgot password" links?
  2. Is an alternative not to set a session variable nor restrict attempts, but simply increase the length of the code so that brute force becomes impossible? How long would this code have to be, then? Or is this considered vastly insecure?

EDIT: The Facebook code is optionally sent to your mobile phone to be punched in manually on your computer, which must be the reason why they chose to keep it short.

forthrin

2 Answers


They usually restrict the length of time that the code is valid. This is possibly the key security feature.

It is actually relatively safe. An attacker is not going to be able to brute force, as it will time out or overdo attempts, so they would need to compromise the email account.

Rory Alsop
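The controls the question and this answer describe (a code bound to the session that requested it, a cap on attempts, and an expiry) can be put together in a few dozen lines. The following is an added illustration for this thread, not Facebook's code; the `ResetService` class, the attempt and time limits, and the in-memory store are all assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, not Facebook's implementation: a one-time reset code bound to
# the session that requested it, with an attempt cap and an expiry window.
# Limits below are illustrative assumptions, not values taken from the thread.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5
TTL_SECONDS = 600


@dataclass
class PendingReset:
    code: str
    account: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class ResetService:
    """Issues and verifies short reset codes, one per requesting session."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._pending: dict[str, PendingReset] = {}   # keyed by session id

    def issue(self, account: str) -> tuple[str, str]:
        """Create a reset code for `account`; returns (session_id, code).

        The session id goes to the browser that asked for the reset; the code
        goes out of band (email / SMS). Only that pairing can redeem it.
        """
        session_id = secrets.token_urlsafe(32)
        # secrets.randbelow gives a CSPRNG-backed value; zero-pad to fixed width
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = PendingReset(
            code, account, self._clock() + TTL_SECONDS
        )
        return session_id, code

    def verify(self, session_id: str, submitted: str) -> bool:
        """Return True once, for the right code from the right session, in time."""
        entry = self._pending.get(session_id)
        if entry is None:                      # unknown / foreign session
            return False
        if self._clock() > entry.expires_at:   # window closed: discard
            del self._pending[session_id]
            return False
        entry.attempts_left -= 1               # every try costs an attempt
        ok = hmac.compare_digest(entry.code, submitted)  # constant-time compare
        if ok or entry.attempts_left <= 0:     # consumed, or budget exhausted
            del self._pending[session_id]
        return ok


if __name__ == "__main__":
    svc = ResetService()
    sid, code = svc.issue("alice")
    print("issued", code, "->", svc.verify(sid, code), svc.verify(sid, code))
```

With these three limits in place the attacker's budget is `MAX_ATTEMPTS` guesses per request, not the 10^6 size of the code space, which is what makes a six-digit code defensible at all.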

"so I assume they are doing the following" -- Why would you make those assumptions? Security flaws come from people making assumptions that turn out to be mistaken:

  • There should be plenty of room in this buffer
  • 10^6 is too many for someone to guess
  • The OS will provide me with a good source of randomness
  • etc, etc, etc

Not sure I agree with Rory's assessment of "relatively safe". No one cares enough about my FB account to set up distributed pin-testing, but you could easily make a list of 100 Facebook accounts that are extremely valuable: Whitehouse, McDonalds, Jay-Z.

The question I would ask is why six digits? Was it cost prohibitive to use 8 or 10 or 20? Users don't have to type these in, they click on a link, right? Is it just that 6 digits was more aesthetically pleasing than 20 digits of A-Za-z0-9? Personally I like the look of 62^20 a lot more than 10^6.

Regardless of length, the pins should expire too. If I need to get into my account today, I'm not going to let that link sit in my email for a week. 60 minutes should be long enough. Can't use it by then, click the "forgot password" link again.

u2702
  • The Facebook code is optionally sent to your mobile phone to be punched in manually on your computer, which must be the reason why they chose to keep it short. – forthrin Aug 13 '13 at 19:34
  • +1 Good call out. Asking a user to type in 20 digits would be error prone. 8 characters of A-Z,0-9 still presents 2821109 times more variations than a 6 digit number. I wouldn't think 4RE3H27L is that much harder than 499123, but I wouldn't be surprised if FB did some A/B testing and has a sense of the increase in error rate. – u2702 Aug 13 '13 at 19:49
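The question's "how long would this code have to be" and the 62^20 vs 10^6 and 2821109x figures in this answer and its comment are all one calculation: code space divided by the number of guesses an attacker can actually make. The script below is an added worked example for this thread, not from any of the posters; the helper names, the attacker rate and the 10^-6 target probability are assumptions made up for illustration.

```python
import math

# Added example, not from the thread: the arithmetic behind code length,
# attempt limits and expiry windows. Rates and targets are assumed values.


def code_space(alphabet_size: int, length: int) -> int:
    """Number of distinct codes for a given alphabet and length."""
    return alphabet_size ** length


def guess_success_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, space) / space


def attempts_in_window(rate_per_second: float, ttl_seconds: int) -> int:
    """Guesses an attacker gets if only expiry limits them (no attempt cap)."""
    return int(rate_per_second * ttl_seconds)


def min_length_for(alphabet_size: int, attempts: int, max_probability: float) -> int:
    """Smallest length keeping the attacker's success at or below max_probability."""
    length = 1
    while guess_success_probability(code_space(alphabet_size, length), attempts) > max_probability:
        length += 1
    return length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The comment's figure: 8 chars of A-Z0-9 versus a 6-digit number
    print("36^8 / 10^6 =", code_space(36, 8) // code_space(10, 6))
    # With a 5-attempt cap, how many digits keep success <= 1 in a million?
    print("digits needed, 5 attempts:", min_length_for(10, 5, 1e-6))
    # Without a cap, only a 60-minute expiry and 1000 guesses/s (assumed):
    budget = attempts_in_window(1000, 3600)
    print("digits needed, no cap:", min_length_for(10, budget, 1e-6))
    print("A-Za-z0-9 chars needed, no cap:", min_length_for(62, budget, 1e-6))
    print("bits in 62^20:", round(bits_of_entropy(62, 20), 1))
```

The contrast between the capped and uncapped rows is the point of both answers: with an attempt limit, six digits hold up; without one, only the expiry window bounds the attacker, and a numeric code then needs roughly twice as many digits under the assumed rate.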