2

We have a web app for which some users want to have a password reset function.

I don't want to enforce a particular level of security for the users. So if a user picks a strong password which she is able to remember and then proceeds to store sensitive data in our system, then we want to keep that data secure.

At the same time there is a constant stream of users who forget their password and who do not want to bother with security at all, in fact they don't even want to be asked questions about security.

How can I create a password reset function for the second group of users without reducing the security for the first group of users?

kasperd
  • 5,402
  • 1
  • 19
  • 38
  • 1
    You could have an option on the sign-up form "allow password reset" – paj28 Aug 10 '14 at 12:54
  • As well as paj28's suggestion, you could [allow reset via email without security questions](http://security.stackexchange.com/a/47748/8340). – SilverlightFox Aug 10 '14 at 13:38
  • @paj28 I suggested something like that already, but was told users must be able to get started using the app without having to answer such questions beforehand. – kasperd Aug 10 '14 at 14:28
  • @SilverlightFox That link does have good advice on how to avoid the form being used to check which usernames and email addresses are in use. I read similar advice on some of the pages I found trying to research the problem. An important question remains though, which is whether email is even an acceptable solution. There are two major problems with relying on email for this: They may be transferred in clear text. They may be rejected by over-eager spam filters. – kasperd Aug 10 '14 at 14:35
  • Maybe a text message reset.. Security questions can be bad for other reasons (eg you can't change the name of your dog as easily as a password) – SilverlightFox Aug 10 '14 at 15:03
  • @SilverlightFox Security questions does have one advantage though. Security aware users will understand, that they don't have to provide an accurate answer to the question. For example somebody who never owned a dog could pick "name of your dog" as the question and a random string of characters as the answer. – kasperd Aug 10 '14 at 15:23
  • Is the application internal over trusted networks (or over internet via VPN) or over the open internet for remote users? This may be an important distinction for the solution. –  Aug 13 '14 at 09:11
  • It is accessed over the internet by customers. All communication with the web app is done using https. – kasperd Aug 13 '14 at 09:31
  • What if you forgot the answer to the security question? – prusswan May 08 '15 at 11:46
  • @prusswan First of all. I never needed to remember the answer to any security question, because I would have the password in a password manager, hence I wouldn't forget the password in the first place. But in case I would need to know the answer to the security question for some obscure reason, I have it in the password manager as well. The password for the password manager, I don't forget because I need to use it daily to unlock my ssh key. And I use an error-correcting code to ensure that I can still get access in case I have forgotten one or two characters in the master password. – kasperd May 08 '15 at 20:15

1 Answers1

1

Have a user-configurable boolean value for "reset allowed".

If you have their e-mail / some out-of-band means of communicating with the end user

When the user clicks the "I forgot my password" link, if "reset allowed" is true, send a password reset link to the e-mail account associated with the user account. Make sure you use an e-mail service that first attempts end-to-end encryption (so that, if their mail server supports that, the link never gets sent in plain. And if their server doesn't support that, they aren't denied the link).

Rate limit the number of times that e-mail can be sent to the same account (e.g. 2 resets per day) so someone can't use that to spam the account. Don't let the user know if an e-mail has been sent or if the account they mentioned even exists.

If they don't click the password reset link, nothing should change. If they click it after a certain timeout period, or if between the e-mail being sent and the time of it being clicked "reset allowed" has been set to false, nothing should happen.

If you don't have an out-of-band means of communication

If "reset allowed" is set, use a challenge-response mechanism such as user-configurable security questions. If they answer the questions correctly, allow them to enter a new password. You might also want to consider hashing the responses.

You could, of course, also use something like TOTP, but chances are if they don't have the password, they also won't have the key needed for this.

Either way

Conduct the entire exchange over an encrypted channel. Unless you're trying to stop the NSA from stealing credentials, SSL should be enough.

Community
  • 1
Parthian Shot
  • 861
  • 2
  • 10
  • 18
  • Inevitability there will be users who answer no to the "reset allowed" question and forget their password anyway. Sooner or later sales will have one of them on the phone, how can I deal with that? – kasperd Aug 10 '14 at 16:35
  • @kasperd How will the sales people know they are actually talking with that user? If the user has a good way to authenticate themselves during that conversation then that may be suitable to remove the reset allowed restriction. – PwdRsch Aug 13 '14 at 15:56
  • @PwdRsch I wish I had a good answer to that question. If I give the sales people access to remove that restriction, I am sure the customer will be able to convince the sales people, that they are the legitimate owner of the account. – kasperd Aug 13 '14 at 16:20
  • @kasperd ""reset allowed" question and forget their password anyway. Sooner or later sales will have one of them on the phone, how can I deal with that?" Well, there's no good way to deal with that; any way you slice it, someone has to be inconvenienced. I suppose the question you have to ask is whether it makes more sense to put the onus on the user or on the service provider. If they have sales on the phone, and they haven't purchased a product, and the "new account creation" option is onerous, there are a few things you can do, but none of them are fun. – Parthian Shot Aug 13 '14 at 17:50
  • @kasperd If, however, they're talking to sales and they _have_ bought a product, then you (assumedly) have some sufficiently personal information about them which they can provide to verify their identity. Their name and credit card information or whatever they used. Although you have to be careful not to give any information away, and simply ask for it. – Parthian Shot Aug 13 '14 at 17:51
  • @kasperd And if they are on the phone with sales, they haven't bought anything, and creating a new account isn't much effort, why not just tell them to create a new account? Of course, that all depends on how much information they can store in the account before getting something. Honestly, I have no idea how you'd deal with that. It depends on your business process. But you could put up a big angry warning if they don't allow password reset along the lines of "Are you really, completely sure? You won't be able to get your account back if you forget it.". – Parthian Shot Aug 13 '14 at 17:54
  • @kasperd And make sure they can't accidentally click through that. Something along the lines of "Check this checkbox and click submit to indicate you have read and understood this warning." – Parthian Shot Aug 13 '14 at 17:55