A post on Stack Overflow1 seeks advice on the relative security between implementing a password reset mechanism that e-mails a temporary link vs. one that e-mails a temporary password. The question brings to mind some issues addressed in Chapter 5: Breaking Authentication Schemes of The Book. Stack Overflow questions typically attract high quality answers, which is a testament to the site’s knowledgeable readership and reputation system. Responses to this particular post didn’t fail.
Rather than retread the answers, let’s consider the underlying implication behind the question: it can be acceptable to send passwords via e-mail.
Don’t do it. Don’t give users the expectation that passwords might be sent via e-mail. Doing so is unnecessary and establishes a dangerous practice as possibly acceptable. If the site ever sends a password to a user, then the user might be conditioned to communicate in the other direction. An e-mail purportedly from the site’s administrators might ask for the user’s password to “verify the account is active”, “prevent the account from being terminated”, or “restore information”. The e-mail need not ask for a direct response. It may be an indirect prompt for the password using cautionary, concerned language that never the less sends the victim to a spoofed login page.
Site administrators will not elicit passwords via e-mail or any other means. Sites won’t ask for passwords except at authentication barriers. Sites shouldn’t send passwords — however temporary they may be.
“Newt. My name’s Newt.”2
Passwords — shared secrets ostensibly known only to the user and the web site — are a necessary evil of authentication. The password proves a user’s identity to a web site under the assumption that only the person who logs in as Newt, for example, knows the corresponding password to the account is rebecca.
A password’s importance to web security has a frustratingly indirect relationship to the amount of control a site is able to exert over its protection. Users must be trusted not only to use hard-to-guess words or phrases, but must be trusted not to share the password or otherwise actively divulge it through accident or ignorance. Only the luckiest of potential victims will click an e-mailed link and be brought to a friendly page:
“That’s it man, game over man, game over!”
Password reuse among sites poses another serious risk. The theft of a user’s credentials (e-mail address and password) for a site like http://www.downloadwarez.free might seen relatively innocuous, but what if they’re the same credentials used for allofmy.friends or http://www.mostlysecure.bank? Even worse, what if the password matches the one for the Gmail, Hotmail, Yahoo! account? In that case: “Nuke the entire site from orbit. It’s the only way to be sure.”
“Seventeen days? Hey man, I don’t wanna rain on your parade, but we’re not gonna last seventeen hours!”
Use random, temporary links for password reset mechanisms via e-mail. By this point you should be sufficiently warned off of the alternative of e-mailing temporary passwords. An obstinate few might choose to stick with passwords, arguing that there’s no difference between the two once they hit the unencrypted realm of e-mail.
Instead, use a forward-thinking solution that tries to secure the entire reset process:
- Maintain the original password until the user changes it. Perhaps they’ll remember it anyway. This also prevent a mini-denial of service where attackers force users to change their passwords.
- Use a strong pseudo-random number generator to minimize the chance of success of brute force attacks guessing the link.
- Expire the link after a short period of time, perhaps in minutes or hours. This narrows the window of opportunity for brute force attacks that attempt to guess links. It’s no good to let an attacker initiate a password reset on a Friday evening and have a complete weekend to brute force links until the victim notices the e-mail on a Monday morning.
“Maybe we got ’em demoralized.”
For those of you out there who visit web sites rather than create them there’s one rule you should never ignore. If the site’s password recovery mechanism e-mails you the original password for your account, then stop using the site. Period. Full stop. Should you be forced to use the site under threat of violence or peer pressure, whichever is worse, at the very least choose a password that isn’t shared with any other account. Storing unencrypted passwords is lazy, bad security design, and a liability.
1 Huzzah! A site name that doesn’t succumb to stripping spaces, prefixing an ‘e’ or ‘i’, or using some vapid, made-up word only because it consists of four or five letters!
2 Quotes from the movie Aliens. If you didn’t already know that stop reading and go watch it now. We’ll wait. See you in about two hours.