Best Practices for Securing Forgot Password Feature

Recently, I authored an article for the TestingCircus e-magazine, and I would like to publish the same on my blog so that I can reach my readers who are not subscribed to TestingCircus or could not read it for whatever reason. You can find my article at the following link: http://www.testingcircus.com/testing-circus-2014-august-edition/

Most applications with user interaction need to be well secured, and protecting them against attacks that steal user credentials is therefore important. Recent surveys indicate that most applications are vulnerable at the user level; for example, the Forgot Password feature has been observed to be among the most attacked features in recent times.

The forgot password feature needs to be implemented in such a way that it covers every possible attack vector. A recent case study by a leading security firm describes an attack on a social media application that was caused by a flaw in its forgot password feature. Hence I would like to propose guidelines for implementing a forgot password feature that keeps the application secure.

The initial step of forgot password could be establishing the identity of the user by asking questions whose answers prove ownership of the account, such as: what was the last password the user remembers setting? When did the user last access the account? Or any similar question that confirms the identity of the user.

The next step could be the security question!

Security questions should not follow the same old traditional pattern of asking for mother’s maiden name, place of birth, favourite teacher or similar questions whose answers are easily discovered, letting an attacker compromise the account with little effort. Instead, the application should allow the user to set his own questions, which gives an attacker an effectively unbounded set of possible answers to guess.

One more important thing to remember is that the input field accepting the answer to the security question should be of type “password”; this protects against shoulder surfing, yet most applications do not do it, which makes it all the more important. The number of attempts a user can make at answering the security question should also be limited, or a CAPTCHA should be implemented, to prevent brute-force attacks. Once the user provides the correct answer, the password can be reset in two ways:

  • Reset password link with a token associated to it
  • Temporary password

One of the weakest methods of implementing forgot password, still followed by some developers, is directly sending the password that the user set during registration. This is only possible when the password is stored in clear text. The good practice is to hash and salt the password before storing it.

Reset password link with a token associated to it

  1. Once a reset password link has been used, it should expire so that it cannot be used again.
  2. Until the user actually resets the password, the previous password should not be disabled.
  3. Even if the link is unused, it should expire within a defined time, say 48 or 72 hours.
  4. The reset password link should be served over SSL/TLS (HTTPS).
  5. Any old/previous reset link should expire as soon as a new reset link is generated.
  6. The token in the reset link should be mapped to the user’s email ID and must not be usable to reset another user’s password.
  7. The token should not be sequential, short or otherwise guessable; it should be a minimum of 16 characters so that it cannot easily be brute forced.
  8. The password policy should be enforced on the reset password page.
  9. Display a generic custom error message to avoid username enumeration.
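As an added illustration of the token rules above (and of the salted hashing mentioned earlier), here is a small in-memory reset-token store that is not part of the original article; the function and class names, the SHA-256 storage of tokens and the PBKDF2 parameters are my own choices, and a real application would persist the records in a database.

```python
import hashlib
import os
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600  # item 3: an unused link expires after a defined window (48 h here)

def hash_password(password, salt=None):
    """Salted PBKDF2 hash: the stored value can never be mailed back as the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetTokenStore:
    """Keeps only a SHA-256 of each token, mapped to the owning e-mail, expiry and a used flag."""
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so that expiry can be exercised
        self._records = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        # item 5: generating a new link invalidates every earlier link for the same account
        for rec in self._records.values():
            if rec["email"] == email:
                rec["used"] = True
        token = secrets.token_urlsafe(32)  # item 7: CSPRNG output, 43 chars, not sequential
        self._records[self._key(token)] = {
            "email": email, "expires": self._now() + TOKEN_TTL_SECONDS, "used": False}
        return token

    def redeem(self, token, email):
        """True (and the token is burned) only if it is known, unexpired, unused and bound to email."""
        rec = self._records.get(self._key(token))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return False
        if rec["email"] != email:  # item 6: a token must not reset another user's password
            return False
        rec["used"] = True         # item 1: a link works exactly once
        return True

def reset_password(store, users, token, email, new_password):
    """Item 2: the current password hash is replaced only after a successful redeem."""
    if not store.redeem(token, email):
        return False
    users[email] = hash_password(new_password)
    return True
```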

Temporary Password

  1. The application should force the user to change the password on first login.
  2. If the temporary password is not used, the previous password should not be disabled.
  3. The temporary password should be one-time use and must not be accepted again.
  4. Flush the browser’s memory (cached page data) after the password change.
  5. Use a 302 redirect after the password has been successfully reset.
  6. The validity of the temporary password should be no more than 4-5 hours.
  7. The new password should not be the same as the old password.

Sending a reset password link with an associated token is the best and most economical way of implementing the forgot password feature: it avoids the need for a CAPTCHA and improves accessibility.

Published by

solidmonster
