Password Recovery Attacks
Overview
Password recovery attacks target the mechanism a website uses to reissue or reset passwords for users who have forgotten them. A successful attack can give the attacker full control over the victim's account.

What makes a site vulnerable?
Any site that offers a mechanism for reissuing or resetting passwords for users who have forgotten them is a potential target. Such a mechanism must either establish that the person making the request is the genuine owner of the account, or deliver the new password (or reset link) only to the account's known owner. A site whose mechanism does neither reliably is vulnerable.

To establish ownership, the site typically asks the user to confirm stored information about themselves (date of birth, a "security question", other personal details). The strength of this check depends on how hard that information is to guess and how well the user keeps it private. Sites that rely on facts which are publicly available or easily guessable (a birthday on a social-media profile, a mother's maiden name, a pet's name) are vulnerable, since an attacker can supply the same answers the legitimate user would.

To deliver the password securely, the site relies on stored contact details for the user. This part of the process is vulnerable if the delivery channel is insecure (for example, a password sent in plaintext email), or if the stored contact details themselves can be altered by someone who has not proven ownership of the account.

Impact of the attack
The attack potentially gives the attacker complete access to the user's account. If the recovery process changes the password, or the password can be changed from within the account, the attacker can also lock the legitimate user out. With access to the account the attacker can do anything the user could: read personal information, use stored credit card details, and so on. The attacker can also act in the user's name, which lends the attacker a degree of anonymity and may frame the legitimate user for those actions.

The impact is compounded by how hard the attack is to detect. If the attacker has obtained the information the recovery process asks for (birthday, phone number, email address, etc.), the attack looks identical to a legitimate recovery by the user.
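As an added example (not code from the original page), the following Python models the two recovery designs contrasted under "What makes a site vulnerable?": a weak flow that accepts a birthday as proof of ownership and lets the caller set a new password directly, and a hardened flow that proves nothing in-band and instead delivers a random, single-use, time-limited token to the address already on file. The user store, the addresses, the reset URL and the `OUTBOX` list standing in for the mail system are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory user store for this example; names and addresses are made up.
# Passwords are hashed with PBKDF2-HMAC-SHA256 and a per-user salt (a dedicated
# password hash such as Argon2 or bcrypt is preferable in production).
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def set_password(user, password):
    user["salt"] = secrets.token_bytes(16)          # fresh salt on every change
    user["password_hash"] = hash_password(password, user["salt"])

def make_user(password, email, birthday):
    user = {"email": email, "birthday": birthday}
    set_password(user, password)
    return user

USERS = {
    # The birthday is the kind of "secret" that is routinely public (profiles, breach data).
    "alice": make_user("correct horse battery", "alice@example.com", "1985-04-12"),
}

def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password_hash"],
                               hash_password(password, user["salt"]))

# --- Weak design: ownership "proven" by a guessable fact, new password set in-band ---

def weak_recover(username, birthday_guess, new_password):
    """Anyone who knows or can guess the birthday takes over the account outright.
    The distinct error strings also let an attacker enumerate valid usernames."""
    user = USERS.get(username)
    if user is None:
        return "no such user"
    if user["birthday"] != birthday_guess:
        return "wrong answer"
    set_password(user, new_password)
    return "password changed"

# --- Hardened design: random, single-use, time-limited token sent to the address on file ---

TOKEN_TTL_SECONDS = 15 * 60
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); the raw token is never stored
OUTBOX = []         # stands in for the mail system: (recipient, message)

def request_reset(username, now=None):
    """Returns the same message whether or not the account exists, so the response
    reveals nothing. If it exists, a reset link (never a password) goes to the
    registered address; only a hash of the token is kept server-side."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        raw_token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
        RESET_TOKENS[token_hash] = (username, now + TOKEN_TTL_SECONDS)
        OUTBOX.append((user["email"], f"https://example.com/reset?token={raw_token}"))
    return "If that account exists, a reset link has been sent to its registered address."

def complete_reset(raw_token, new_password, now=None):
    """Redeems a token at most once and only within its lifetime."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)   # consumed on first presentation, valid or not
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    set_password(USERS[username], new_password)
    # A successful reset also voids any other outstanding tokens for this user.
    for h, (u, _) in list(RESET_TOKENS.items()):
        if u == username:
            del RESET_TOKENS[h]
    return True
```

Calling `weak_recover("alice", "1985-04-12", "pwned")` with a birthday read off a public profile is a complete takeover and is indistinguishable from the real user's recovery, which is the detection problem described above. The hardened flow moves the trust onto the delivery channel instead: the token is unguessable, expires, cannot be replayed, and is stored only as a hash so a database leak does not expose live tokens. It remains only as safe as that channel, so the page's caveat about plaintext email still applies, and the identical response for known and unknown usernames keeps the endpoint from doubling as an account-enumeration oracle.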