Forgot Your Password?

I’ve seen three basic patterns for handling forgotten web site passwords:

  1. Send a change password link to the email address on file
  2. Ask one or more challenge questions (or personal information) to unlock the change password screen
  3. Send the password, in plain text, to the email address on file

There are different variations of these and other patterns do exist but these are the predominate ones I’ve encountered. I don’t have any stats on how prevalent each is or the secureness of each, however, I have my opinion.

Keep in mind that no password reset system is 100% foolproof. If someone really wants to get in to your account they probably can hack it, although the effort to hack a single account is very likely not worth the effort. For example, an email address can be hacked and the email generated from 1 and 3 could be intercepted. Through a bit of social engineering and research the answers for the second pattern could be had. Again this is probably not worth the effort for a single account.

Of the three though if I had to pick one I like the least it’s the third one. Having my password sent to me in clear text is disturbing from two aspects. First, anyone sniffing the network could intercept the password. Again this probably isn’t worth the time for a single account. The more disturbing aspect is how the password is stored in the site’s repository. Specifically I have no idea if the password is being stored in plain text or if the site is using a two-way encryption method.

Both methods of managing passwords are simply bad practice. Why do I say that? It’s simple, if the password can be accessed in either clear text or is stored unencrypted the site is subject to an attack on all its accounts. If I were a hacker (regardless of the color of my hat) these are the sites I would target. Rather than going after a single account at a time this method allows me to go after all of the accounts.

As a website user there isn’t a whole lot you can do to protect your account. Probably the best thing you can do, which I do, is utilize different passwords for different sites. This adds to your password management burden but this way if one account is compromised your other accounts have better odds of remaining safe and sound.

Comments

  • Anonymous
    June 06, 2011
    Look at the options frameworks such as the ASP.NET membership provider offer to somebody not wanting to spend too much time on implementing authentication. It'll come down to salted hashed passwords and randomly generated (initial) passwords sent by email. AFAIK with ASP.NET, change password links are more effort. Anyway, we'll all go OAuth or Facebook, sooner or later.