8

The famous Mat Honan hack got me thinking about e-mail password recovery, and how any link in the chain can break all the links preceding it. In Mat's example, that link happened to be the last link, and the entire chain broke down.

Specifically, Mat used his GMail address as the recovery email for all his services, and used his Apple e-mail as the recovery address for GMail. Therefore, once his Apple e-mail account was compromised, GMail was compromised, and all of his services soon followed.

I understand the need for email recovery for web services in general. However, using an e-mail recovery address for an e-mail service sounds like adding a redundant link to the chain, doubling your points of vulnerability (now your attacker can hack into either your primary or your recovery email account). Also, what is the recovery email you use for your recovery email? Having a recovery recovery e-mail adds yet another point of failure, and when you finally stop the chain and don't use one, you could find out you're locked out of it just when you need it the most!

True, the attacker may not know the address of the recovery mail, but as Mat's case demonstrated, he can deduce it (in his case figuring out Google's obfuscated pattern, where they hide some of the characters). And if you make it hard for them to deduce, you're making it hard for YOU to deduce - most of us use a single E-mail address, and if you set up a special address only for verification purposes you are likely to forget it a few years after.

I had a couple of ideas:

  1. Don't use a recovery e-mail for your primary e-mail at all. Simply activate 2-factor authentication and make it your strongest link (which you should do with all your important services anyway).
  2. Use a friend's e-mail address. If you have a friend/family member that you know cares about security as much as you do (and thus has 2-fact auth set up as well), you could use his address. Now an attacker has to hack two people, and it's highly unlikely he'd even guess which mail he needs to hack - you however will probably recognize it immediately (I suppose you could fall out of touch with that friend after many years, so perhaps a family member is preferable here). You could even set each other up as mutual recovery enablers.

I'd love to hear your thoughts on my analysis.

t0x1n
  • If you have a decent ISP that will give you a static IP, you could host it yourself on a dedicated machine at home. Secure the machine properly and don't even install an IMAP server on it, so the only way to read the mails would be physical access to the server. – Apr 30 '15 at 02:50
  • @AndréDaniel interesting idea but too much overhead. You'll need to maintain that server, back it up, etc. And even if it weren't, I believe it is more likely for someone to hack into my personal server than a GMail account (assuming a secure password). – t0x1n Apr 30 '15 at 13:40
  • Actually you don't need to even have it running all the time, you just need to turn it on when you need the recovery email (which is supposed to be hopefully never). And if the only thing on the server is a hardened SSHD and a correctly configured MTA, it would be pretty secure. There won't even be a password to bruteforce or security question breakable by social engineering. – Apr 30 '15 at 17:52
  • I agree it would be pretty secure, but it won't be protected by guards with guns in a super-secure datacenter with all kinds of firewalls and NATs and whatnot. Still I concede that it is probably secure *enough*. But what happens when I want to switch ISPs? Or some mixup takes place and they give my IP to someone else (I'm guessing static IPs are not meant for security applications). There's also the issue of backup, and seeing as the only true backup is on the cloud I now have a cyclic problem with the backup service's password! – t0x1n May 01 '15 at 07:47
  • If you're worried about physical access then you should first think about your computer itself. What's the point in compromising your recovery email server when you can install a keylogger on the main laptop and grab the passwords that way? If you switch ISPs you update your domain's A or AAAA record to point to the new IP (yes, you do need a domain at a registrar with tight security policies). Backup isn't needed, again, it's only a recovery address you'll hopefully never use, and when you do need it you just care about the message that just arrived right now. – May 01 '15 at 07:53
  • @AndréDaniel so now the bottleneck is the domain registrar... what makes it safer than GMail? – t0x1n May 01 '15 at 12:56
  • If you keep the address (and thus the domain) secret it can help, or if you manage to find a local ISP/registrar that agrees to register the domain via physical presence as opposed to via phone or via the internet. Also some ISPs assign you a domain right away (in the form of `ip-1-2-3-4.something.reverse.isp.net`) that you can use directly without having to register a new domain. –  May 02 '15 at 00:02
  • In theory it's possible to send mail directly to an IP address like so: `someone@[1.2.3.4]`, but in reality you'll most likely have a hard time using that address because most sites use horrible home-brewed validation for their email and will reject many valid addresses, including this one. – May 02 '15 at 00:05
  • Even if physical presence is required for the registration, surely you'd switch DNS records online... and keeping it a secret is good assuming the site doing the recovery doesn't blow it (I believe many do). More importantly, I can just open a dedicated recovery email address (e.g. on GMail) and keep that one secret - of course I'll have to remember the secret myself :) – t0x1n May 02 '15 at 08:56
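The question's argument is really a graph argument: each account points at the account that can reset it, and a compromise anywhere on that path cascades back down to everything that depends on it. The following is an added example (not code from the question or from any of the answers) that models a constructed set of accounts with their recovery links and computes the blast radius of a single compromised account. It assumes, as the question does, that an account can be reset through a compromised recovery address unless a second factor protects it; the account names and link structure are constructed to mirror the Mat Honan case described above, and the "mutual recovery" scenario mirrors idea 2.

```python
"""Added example: model recovery-address dependencies between accounts and
compute how far a single compromise cascades.

Assumption (mine, not the question's): an account whose recovery address is
a compromised account can be taken over through it, unless that account is
protected by a second factor, in which case the recovery address alone is
not enough.
"""
from collections import deque

# Constructed sample mirroring the chain described in the question:
# each account names its recovery address (or None) and whether a second
# factor protects it.
ACCOUNTS = {
    "apple":   {"recovery": None,    "two_factor": False},
    "gmail":   {"recovery": "apple", "two_factor": False},
    "twitter": {"recovery": "gmail", "two_factor": False},
    "amazon":  {"recovery": "gmail", "two_factor": False},
}


def blast_radius(accounts, compromised):
    """Return every account reachable from `compromised` by following
    recovery links backwards: if B's recovery address is A and A is
    compromised, B falls too (unless B has a second factor)."""
    taken = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for name, info in accounts.items():
            if name in taken:
                continue
            if info["recovery"] == current and not info["two_factor"]:
                taken.add(name)
                queue.append(name)
    return taken


def recovery_chain(accounts, name):
    """Follow recovery links upward from `name` until an account with no
    recovery address, or a cycle, is reached. Every account on the list is
    a place where a compromise would cascade back down to `name`."""
    chain, seen = [], set()
    while name is not None and name not in seen:
        seen.add(name)
        chain.append(name)
        name = accounts[name]["recovery"]
    return chain


def honan_scenario():
    """Apple mail compromised, GMail recovers via Apple, everything else
    recovers via GMail: the whole chain falls."""
    return blast_radius(ACCOUNTS, "apple")


def hardened_scenario():
    """Idea 1 from the question: no recovery address on the primary mail,
    second factor enabled. The Apple compromise stops at Apple."""
    hardened = {k: dict(v) for k, v in ACCOUNTS.items()}
    hardened["gmail"] = {"recovery": None, "two_factor": True}
    return blast_radius(hardened, "apple")


def mutual_scenario(two_factor):
    """Idea 2 from the question: two people name each other as recovery
    address. Without a second factor the pair falls together; with one,
    owning the friend's mailbox alone does not open yours."""
    pair = {
        "me":     {"recovery": "friend", "two_factor": two_factor},
        "friend": {"recovery": "me",     "two_factor": two_factor},
    }
    return blast_radius(pair, "friend")


if __name__ == "__main__":
    print("chain behind twitter:", recovery_chain(ACCOUNTS, "twitter"))
    print("Honan scenario:", sorted(honan_scenario()))
    print("hardened GMail:", sorted(hardened_scenario()))
    print("mutual recovery, no 2FA:", sorted(mutual_scenario(False)))
    print("mutual recovery, 2FA:", sorted(mutual_scenario(True)))
```

Running it shows the point of the question directly: in the constructed Honan-style layout a single compromise of the account at the top of the chain reaches all four accounts, while cutting the recovery link on the primary mailbox and adding a second factor confines the same compromise to one account. The same model covers Jeff Clayton's suggestion below of separate recovery addresses per important account: fewer accounts share an upstream node, so each blast radius shrinks.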

3 Answers

4

I would not consider using a family member or friend's email to be a good idea, for reasons you mention yourself or simply if they ever change a password. I would create a new email address and use that, but for no other purpose. That way you would also not be putting others at risk.

2-Factor is not a bad idea. The harder you make it for an attacker to compromise you - often by adding a personal touch - the better off you are. Nothing is ever completely secure given the determination and skill level of a person or team of people determined to break in, but requiring steps and delaying their efforts allows more time for intrusion detection and countermeasures.

If you have more than one account online, like a bank account, a paypal account, and a main email account for example (among others) it might be smart to have different email addresses for recovery for each one. That way if one is compromised, then the others are not also compromised.

Jeff Clayton
  • Full marks, as far as I'm concerned. If you never log in, the company's servers have to be compromised in order for your password to be revealed, which is a risk you run with all online services. – KnightOfNi Aug 27 '14 at 00:16
  • +1 Thanks Jeff. 1. Would you enable 2-fact auth for that account as well (the other factor being the same mobile phone you used for the primary two fact auth)? 2. I'm guessing you won't have a recovery e-mail for the recovery e-mail? 3. Will you use the same e-mail company for the recovery email (e.g. use Google for both primary and recovery)? 4. I'm still not sure what scenario the recovery e-mail is good for. If my primary mail is hacked, they can change it. If it's not hacked, it's unlikely I ever lose my phone number or forget my password (which is stored in a password manager anyway). – t0x1n Aug 27 '14 at 07:28
  • The recovery email is good if used early enough, when you realize you cannot log in and before the hacker changes it. You are right, it doesn't matter where it is if they know to change it. 2-Factor has the same problem, they can change the phone number in the account if they manage to get in the door in a different manner. The timing is what you are betting on. Both of these options can help... it would be better than having NO options. – Jeff Clayton Aug 27 '14 at 12:22
  • I actually believe that the recovery mail is only good if you actually lost your password (or phone). One should be working under the assumption that an attacker will immediately change it once your account is hacked. Also, could you address (1)-(3)? Thanks :) – t0x1n Aug 28 '14 at 07:34
  • Regarding 3, I did mention that however indirectly. The Mat Honan Hack you used as an example for concern showed that given the mind of a dedicated attacker, the chain of accounts mattered not where. A recovery email for the recovery email... If an attacker is aiming for specific targets you may have time to use this to effect repairs before they get far enough to close remaining entry points like this. – Jeff Clayton Aug 28 '14 at 10:56
  • I would do 2-factor if concerned about protecting the account. – Jeff Clayton Aug 28 '14 at 11:07
  • For you maybe consider having a few recovery locations for different accounts, not just one for everything. That would limit damages if one main account were breached. – Jeff Clayton Aug 28 '14 at 11:14
4

As I said, full marks to @JeffClayton for using an e-mail account EXCLUSIVELY for password recovery. However, for added security:

Every month, install a new version of TAILS to a USB drive. Use TAILS to make the account, and TAILS to access it. As soon as you have the fresh TAILS install on the drive, boot it up and change your password (that's every month). When you change your password, keep in mind that most passwords conform to a certain, limited set of rules: they're usually based off of 1-3 words, usually words that are personal to you, and they usually end in a number or special character. Therefore, I suggest picking 4-5 random words out of the dictionary, and putting your numbers and special characters somewhere in the middle of the string (perhaps a random 3-digit number between each word). Then, even if the server is compromised, as long as they implemented good hashing/encryption you should feel pretty safe.

Obviously, you should only use disposable e-mail addresses (not associated with any other accounts) for sites where anyone might be able to SEE your e-mail address.

KnightOfNi
  • Your kind words are appreciated, thank you. Maybe it possibly also might be a good plan to use a random password generator and then save them in a safe or safety deposit box. – Jeff Clayton Aug 27 '14 at 02:04
  • @JeffClayton Different people think differently about that - I would tend to think that the safe offers a new attack vector without any REAL plausible deniability. However, since neither of these factors come into play in the scenario we're describing, I would agree that a random password is slightly more secure against things like rainbow tables. – KnightOfNi Aug 27 '14 at 02:18
  • Interesting points. It certainly would pose an issue if the purpose were to be avoiding being caught for doing something needing a 'plausible deniability' recourse. – Jeff Clayton Aug 27 '14 at 02:25
  • @JeffClayton Sorry, "plausible deniability" was probably the wrong phrase. I meant that if someone tries to force you to reveal your password, you don't know it, and so can't tell them. A bit extreme, but every once in a while you'll see an encryption company take it into account (as either TrueCrypt or AxCrypt did - not sure which...) – KnightOfNi Aug 27 '14 at 02:29
  • Great point. The key then would be that if one did get a safe or safety deposit box, one would have to not let anyone know that one existed. – Jeff Clayton Aug 27 '14 at 02:31
  • +1 thanks KnightOfNi. A bit too extreme for me, and I'd posit that inability to expose the password is *bad* in most cases, e.g. if the attacker threatens to harm you or your family. If you are the Pentagon, maybe, but even my e-mail address is not THAT important! – t0x1n Aug 27 '14 at 07:31
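KnightOfNi's answer suggests a concrete password scheme for the recovery account: four or five words picked at random from a dictionary, with a random three-digit number between each pair of words. The block below is an added example, not code from the answer or from any project named on the page; it generates a passphrase of exactly that shape from the operating system's CSPRNG and estimates its entropy so the reader can see what the scheme buys over a one-to-three-word personal password. The word list is a small constructed sample; the entropy function takes the list size as a parameter, so the same code describes a full dictionary (the 7776-word Diceware size is used as the reference point in the usage run).

```python
"""Added example: generate a passphrase in the form the answer suggests
(random dictionary words with a random 3-digit number between each word)
and estimate its entropy.

The word list is a constructed sample; a real run would use a full
dictionary, and entropy_bits() scales with whatever list size is used.
"""
import math
import secrets

# Constructed sample word list (stands in for a real dictionary).
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid",
    "pebble", "quartz", "raven", "saffron", "tundra", "umber", "velvet",
    "willow", "yarrow", "zephyr",
]

SEPARATOR = "-"


def generate_passphrase(words, n_words=5, rng=None):
    """Pick n_words uniformly at random (with replacement, which keeps the
    entropy estimate exact) and place a random 000-999 number between
    consecutive words. Draws from the OS CSPRNG via secrets by default."""
    if n_words < 1:
        raise ValueError("need at least one word")
    rng = rng or secrets.SystemRandom()
    parts = []
    for i in range(n_words):
        if i > 0:
            parts.append(f"{rng.randrange(1000):03d}")
        parts.append(rng.choice(words))
    return SEPARATOR.join(parts)


def entropy_bits(list_size, n_words=5, digits_between=3):
    """Entropy in bits of the scheme above under uniform choice: each word
    contributes log2(list_size) bits, each inserted number contributes
    digits_between * log2(10) bits. This is the entropy of the generator,
    which is what matters against an attacker who knows the scheme."""
    return (n_words * math.log2(list_size)
            + (n_words - 1) * digits_between * math.log2(10))


def matches_scheme(passphrase, words):
    """Check that a string has the word/number/word/... structure produced
    by generate_passphrase, drawing its words only from `words`."""
    parts = passphrase.split(SEPARATOR)
    if len(parts) % 2 == 0:
        return False
    for i, part in enumerate(parts):
        if i % 2 == 0:
            if part not in words:
                return False
        elif not (len(part) == 3 and part.isdigit()):
            return False
    return True


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 5))
    print(f"sample list ({len(SAMPLE_WORDS)} words), 5 words: "
          f"{entropy_bits(len(SAMPLE_WORDS)):.1f} bits")
    print(f"7776-word list (Diceware size), 5 words: "
          f"{entropy_bits(7776):.1f} bits")
    print(f"single word from a 2000-word personal vocabulary: "
          f"{entropy_bits(2000, 1):.1f} bits")
```

The interesting number is the comparison in the usage run: one personally meaningful word from a vocabulary of a couple of thousand gives about 11 bits, while five uniformly chosen words from a 7776-word list with the inserted numbers give roughly 104 bits. The numbers between the words add a little under 10 bits each; most of the strength comes from choosing the words uniformly at random rather than from memory, which is the part of the answer's advice that actually does the work.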
-1

The general idea for the email password recovery is the spreading of risk, or rather the dilution of risk through diversification. To wit, the probability of someone cracking into 2 separate accounts is less than breaking into one. It's another way for the providers to push responsibility to the end user and other providers.

munchkin