Forgotten Password Cheat Sheet for Developers

Systems that implement a proper user management system include a Forgot Password service that allows the user to request a password reset.

Although this functionality appears simple to implement, it is a common source of vulnerabilities, such as the well-known user enumeration attack.

To protect the forgot password service, the following short guidelines can be used as a quick reference:

  • Return a consistent message for both active and inactive accounts.
  • Ensure that the response is returned in a consistent amount of time, whether or not the account exists.
  • Use a side channel to communicate the method for a password reset.
  • For the simplest and fastest implementation, use URL tokens.
  • Check that the generated tokens or codes are:
    • Generated using a cryptographically secure random number generator.
    • Long enough to resist brute-force attacks.
    • Stored securely.
    • Single-use and set to expire after a defined period of time.
  • Make no changes to the account, such as locking it out, until a valid token is presented.

The password reset process can be broken into two main steps, detailed in the following sections.

Forgot Password Request

When a user uses the forgot password service and enters their username or email address, the following steps should be taken to ensure a secure process:

  • Return a consistent message for both active and inactive accounts.
  • To prevent an attacker from determining which accounts exist, ensure that responses are returned in a consistent amount of time. Rather than exiting early when no account is found, follow the same logic for every request, or hand the slow work (such as sending the email) to an asynchronous call.
  • Use CAPTCHA, rate-limiting, or other controls to protect against automated submissions.
  • Use standard security measures such as SQL Injection Prevention and Input Validation.
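As an added illustration of the request step (example code, not from the original page), the following Python handler generates and hashes a token on every request whether or not the identifier matches an active account, returns one generic message in all cases, stores only a digest of the token together with an expiry, queues the email for an asynchronous sender, and rate-limits repeated requests per identifier. The user table, the outbox queue, the limits and the https://app.example reset URL are constructed placeholders.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory state; a real service keeps this in its database.
USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False},
}
RESET_TOKENS = {}   # sha256(token) -> {"user", "expires", "used"}
REQUEST_LOG = {}    # identifier -> timestamps of recent requests
OUTBOX = []         # messages queued for a background email sender (assumed)

TOKEN_TTL_SECONDS = 15 * 60        # placeholder lifetime
MAX_REQUESTS_PER_HOUR = 3          # placeholder rate limit
RESET_URL = "https://app.example/reset?token="   # placeholder URL
GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def hash_token(token: str) -> str:
    # Only the digest is stored, so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def rate_limited(identifier: str, now: float) -> bool:
    # Sliding one-hour window per identifier; counts requests before adding this one.
    recent = [t for t in REQUEST_LOG.get(identifier, []) if now - t < 3600]
    REQUEST_LOG[identifier] = recent + [now]
    return len(recent) >= MAX_REQUESTS_PER_HOUR


def forgot_password(identifier: str, now: Optional[float] = None) -> str:
    """Handle a forgot-password request and return the message shown to the user."""
    now = time.time() if now is None else now
    if rate_limited(identifier, now):
        # Excess requests are dropped silently; the message does not change.
        return GENERIC_MESSAGE

    user = USERS.get(identifier)
    # Same work on every path: a 32-byte CSPRNG token is generated and hashed even
    # when no active account exists, so the response time does not depend on it.
    token = secrets.token_urlsafe(32)
    digest = hash_token(token)
    if user is not None and user["active"]:
        RESET_TOKENS[digest] = {"user": identifier, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        # The email itself is sent asynchronously; only the queue write happens here.
        OUTBOX.append({"to": identifier, "link": RESET_URL + token})
    return GENERIC_MESSAGE
```

The plaintext token leaves the service only inside the queued email; the table keeps its SHA-256 digest, and the reset step looks the presented token up by recomputing that digest.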

User Resets Password

After proving their identity with the token (sent via email) or code (sent via SMS or other mechanisms), the user should change their password to a more secure one. The following steps should be taken to secure this stage:

  • The user should be asked to confirm the new password they entered.
  • Ascertain that a secure password policy is in place and that it is consistent with the rest of the application.
  • Update and save the password using secure methods.
  • Send an email to the user notifying them that their password has been reset (do not include the password in the email!).
  • After creating a new password, the user should log in using the usual method. Don’t log the user in automatically, as this adds complexity to the authentication and session handling code and increases the likelihood of introducing vulnerabilities.
  • Ask the user whether they want all of their existing sessions invalidated, or invalidate them automatically.
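As an added example of the reset step (not the page's own code), the Python below validates the presented token by recomputing its digest, rejects tokens that are expired or already used, requires the password to be confirmed and to meet the application's policy, stores the new password with a salted scrypt hash, invalidates the user's sessions when asked to, queues a notification that does not contain the password, and creates no session of its own. The issue_token function stands in for the request step; the user table, session table, 12-character policy and 15-minute lifetime are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory state; a real service keeps this in its database.
USERS = {"alice@example.com": {"password_hash": None, "salt": None}}
RESET_TOKENS = {}   # sha256(token) -> {"user", "expires", "used"}
SESSIONS = {"sess-1": "alice@example.com", "sess-2": "alice@example.com", "sess-3": "carol@example.com"}
NOTIFICATIONS = []  # queued for an assumed background email sender
TOKEN_TTL_SECONDS = 15 * 60   # placeholder lifetime


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user: str, now: float) -> str:
    # Stand-in for the request step: CSPRNG token, stored only as a digest with an expiry.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hash_token(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def password_meets_policy(pw: str) -> bool:
    # Placeholder rule; use the same policy the rest of the application enforces.
    return len(pw) >= 12


def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted, memory-hard hash; parameters are placeholders for this example.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def reset_password(token: str, new_pw: str, confirm_pw: str,
                   invalidate_sessions: bool = True, now: Optional[float] = None) -> dict:
    """Validate the token and set the new password; returns a result dict, never a session."""
    now = time.time() if now is None else now
    # Lookup is by digest, so the plaintext token is never stored or compared directly.
    rec = RESET_TOKENS.get(hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return {"ok": False, "error": "invalid or expired token"}
    if new_pw != confirm_pw:
        return {"ok": False, "error": "passwords do not match"}
    if not password_meets_policy(new_pw):
        return {"ok": False, "error": "password does not meet policy"}

    rec["used"] = True   # single use: marked before the update so a replay cannot race it
    user = USERS[rec["user"]]
    user["salt"] = os.urandom(16)
    user["password_hash"] = hash_password(new_pw, user["salt"])

    invalidated = []
    if invalidate_sessions:
        invalidated = [s for s, owner in SESSIONS.items() if owner == rec["user"]]
        for s in invalidated:
            del SESSIONS[s]

    # Notification carries no password; the user signs in through the normal login.
    NOTIFICATIONS.append({"to": rec["user"], "text": "Your password was reset."})
    return {"ok": True, "sessions_invalidated": len(invalidated)}


def verify_password(identifier: str, pw: str) -> bool:
    # Used by the normal login path after the reset; constant-time digest comparison.
    user = USERS.get(identifier)
    if user is None or user["password_hash"] is None:
        return False
    return hmac.compare_digest(hash_password(pw, user["salt"]), user["password_hash"])
```

Marking the token as used before the password is written means a second request with the same token fails even if the two arrive together; a failed confirmation or policy check leaves the token valid so the user can retry within its lifetime.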

Password Recovery Methods

To allow a user to request a password reset, you must first identify the user or find a way to contact them through a side channel.

This can be accomplished using any of the following methods:

  • URL tokens
  • PINs
  • Offline methods
  • Security questions

These methods can be used in conjunction to provide greater assurance that the user is who they claim to be. You must always ensure that a user can recover their account, even if that means contacting the support team and proving their identity to staff.

Account Lockout

Accounts should not be locked out as a result of a forgotten password attack because this can be used to deny access to users with known usernames.
