[thelist] changing password design

Simon Willison cs1spw at bath.ac.uk
Fri Sep 12 05:19:20 CDT 2003


Tony Crockford wrote:

> On Fri, 12 Sep 2003 10:20:06 +0100, Simon Willison <cs1spw at bath.ac.uk> 
> wrote:
> 
>> Chris W. Parker wrote:
>>
>>> What's a good secure design for allowing a customer to change their
>>> password?
>>>
>>> I've come up with two options so far:
>>>
>>> 1. Take the user to a page that has a small form (three input fields).
>>> First they enter their old password, then enter the new password twice,
>>> submit the form and they are done.
>>>
>>> 2. They click a link says something like "Send instructions on changing
>>> password". The "instructions" in the email are basically a link for the
>>> user to click with a unique one time use id that is meant to verify that
>>> the person changing the password is actually the owner of the account.
>>> Assuming the malicious person does not have access to the victims email
>>> box they would not be able to change the victim's password and thus lock
>>> them out.
>>
>>
>> I see no advantage of #2 over #1. #1 relies on a "secret" that you can 
>> already assume is secure - their current password. If someone else 
>> has this already then the user's security is already compromised. #2 
>> relies on something that may be insecure - their inbox. As a simple 
>> example, they could leave their PC on when they go to lunch thus 
>> giving an opportunity for a co-worker to request the instructions to 
>> the victim's inbox, change their password and delete the email before 
>> they get back.
>>
>> I would definitely go with #1.
> 
> 
> unless the reason they need a new password is they have forgotten their 
> old one.

Lost passwords are a different problem. In that case, since the more 
secure option (relying on their existing password) is unusable it is 
fair to move to plan 2, relying on the security of their inbox. Even 
then, their existing password should not be mailed to them in plain text 
as that could compromise their password (the malicious co-worker 
example), and since many people use the same password for multiple 
applications could lead to serious problems. Better is to send them a 
link to a one-time page for setting a new password. For changing their 
password though this step is unnecessary and potentially infuriating.

> usual approach to this is to store another secret (or two) such as pet's 
> name, mother's maiden name etc which they are required to enter to get a 
> new password; even a user generated question and answer pair if needed - 
> what's my favorite food - Brussels sprouts

I've always thought systems that rely on another secret, in particular a 
mother's maiden name, are completely braindead from a security point of 
view. I don't have any statistics, but my understanding is that social 
engineering is the most common way for crackers to obtain a targeted 
user's password. Information such as a mother's maiden name or the name 
of a pet isn't secret, and could thus lead to a major security hole. 
They could be used to back up the security of the inbox (lose your 
password, you get an email containing a link to a one-time change 
password form which also asks for your secondary security information) 
but I would still question their usefulness - especially since I have 
had frequent occasions on which a system has asked me for my "special 
place" or "special date" and I've completely forgotten what I put for it 
when I signed up all those months ago.

For changing your password, I really see no reason not to just ask for 
the old one and then set the new one. Lost passwords require a different 
approach.

Cheers,

Simon
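The two paths Simon distinguishes, as an added example that is not code from this thread: a password change authorised by the current password (option #1), and a lost-password flow that mails a one-time link rather than the password itself. It goes slightly beyond the post by storing only a hash of the reset token, giving it an expiry, and consuming it on first use; the in-memory dictionaries, PBKDF2 settings and one-hour lifetime are assumptions for the sketch.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a user table and a reset-token table.
USERS = {}          # username -> salted password hash ("salthex:digesthex")
RESET_TOKENS = {}   # sha256(token) -> (username, expiry as unix time)
TOKEN_TTL = 3600    # assumed one-hour lifetime for an emailed reset link
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def change_password(username, old_password, new_password):
    """Option #1: the current password is the only secret needed to authorise the change."""
    stored = USERS.get(username)
    if stored is None or not verify_password(old_password, stored):
        return False
    USERS[username] = hash_password(new_password)
    return True

def issue_reset_token(username, now=None):
    """Lost-password path: return a token for the emailed link. Only its hash is kept,
    so reading the table does not yield usable links; the password itself is never mailed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return token

def redeem_reset_token(token, new_password, now=None):
    """Set a new password from the one-time link. The token is removed on first use,
    whether or not it is still valid, so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry or username not in USERS:
        return False
    USERS[username] = hash_password(new_password)
    return True
```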


