Have you ever noticed how strict some websites are when it comes to building your login credentials, but then the password reset routine is anything but secure? I have and I’m telling you right now most password reset routines suck to no end.
The Most Often-Used Password Reset Routine
Let’s say you’re trying to log in to a particular website, you forgot to save your registration information, and you can’t remember what you used as a user name or password or both. What usually happens when you go to reset your password is that you’ll be asked for your user name or your e-mail address and then a special link will be sent to you by e-mail. You click on that link, arrive at the website in question, and the website allows you to change your password.
This particular routine is so insecure that I hesitate to be a member of any such website. However, I use the LastPass plugin, which works for every major web browser, to store my user name and password the first time I log in, so I never need the password reset routine.
Why is the routine I mentioned insecure? Well, because e-mail is inherently insecure. You can make it secure when using it person to person by using personal certificates that encrypt the contents, but web servers don’t use personal certificates. E-mail messages can be held on servers in an encrypted state, but when being sent from mail server to mail server, it’s all in plain text.
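The e-mail hop in the routine above is outside the website’s control, so the least a site can do is make the link itself short-lived and single-use and avoid keeping the raw token on the server. The following Python is an added illustration of that pattern, not code from the original post; the in-memory store, the 15-minute lifetime and the user ids are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory store standing in for a database table.
# Keys are sha256(token); values hold the owning user and an expiry time.
_pending_resets = {}

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: a link stays valid for 15 minutes


def _hash_token(token):
    # The token is 32 bytes of CSPRNG output, so a plain SHA-256 is enough to
    # keep a leaked table from yielding usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a reset token for user_id and return the secret that goes into
    the e-mail link. Only its hash and expiry are kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending_resets[_hash_token(token)] = {
        "user": user_id,
        "expires": now + TOKEN_LIFETIME_SECONDS,
    }
    return token


def redeem_reset_token(token, now=None):
    """Consume the token from a clicked link. Returns the user id on success,
    or None if the token is unknown, already used, or expired."""
    now = time.time() if now is None else now
    # pop() removes the entry, so a second click on the same link fails.
    entry = _pending_resets.pop(_hash_token(token), None)
    if entry is None:
        return None
    if now > entry["expires"]:
        return None
    return entry["user"]
```

Because the store holds only the hash, someone who reads the table cannot reconstruct a link, and because the entry is popped on first use, a link that was read in transit is worthless once the legitimate user has clicked it or the lifetime has passed.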
Other Password Reset Routines
Some password reset routines require challenges and responses. They usually store five and you need to be able to answer at least three of them. Some routines only use one. The problem with most of them is that they use stock questions. What happens when the stock questions don’t apply or you don’t have answers for them?
If you’re designing a password reset routine like this, you should make the users aware of the consequences of a weak challenge and response pair and let the users create the challenges and responses themselves. Then, you should convert all the responses to all upper-case or all lower-case letters (while leaving numbers and symbols alone) simply because people tend to forget how they entered them the first time.
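The two recommendations above, the three-of-five rule and folding responses to one case while leaving digits and symbols untouched, are easy to get wrong in the details (storing answers in plain text, comparing with `==`). This Python is an added example of one way to implement them and is not code from the original post; the PBKDF2 iteration count, the whitespace collapsing, and the in-memory record format are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: tune the cost to your hardware


def normalize_response(response):
    """Canonicalize a challenge response before hashing: letters are folded
    to lower case, digits and symbols are left as typed. Surrounding and
    repeated whitespace is collapsed as well (an added step)."""
    collapsed = " ".join(response.split())
    return collapsed.casefold()


def store_response(response, salt=None):
    """Return the record to keep for one challenge: a per-answer salt and a
    PBKDF2 hash of the normalized answer, never the answer itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_response(response).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def check_response(stored, candidate):
    """Compare a typed answer against a stored record in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_response(candidate).encode("utf-8"),
        stored["salt"], stored["iterations"],
    )
    return hmac.compare_digest(digest, stored["hash"])


def verify_reset(stored_set, answers, required=3):
    """Require at least `required` correct answers out of the stored set
    (the three-of-five pattern). Every answer is evaluated rather than
    stopping early, so response time does not reveal which ones failed."""
    correct = 0
    for stored, answer in zip(stored_set, answers):
        if check_response(stored, answer):
            correct += 1
    return correct >= required
```

`normalize_response` is applied on both the enrolment and the verification path, which is what makes "Fluffy the Cat!" and "fluffy the cat!" match while "Fluffy the Cat" (missing the symbol) still fails.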
Some websites use a combination of e-mail and challenge/response sets. This is probably the best method I’ve seen, even when the method is flawed by stock challenges. What’s needed is a better routine, and even that is only a stopgap until a better method of logging in is widely adopted, one that doesn’t require user names and passwords at all.
USB Tokens plus Smart Cards and Biometric Devices
USB tokens and smart cards are two-factor authentication devices that supplement or replace the user name/password two-factor authentication. A biometric device can be one-factor authentication, which can also supplement or replace other authentication methods.
The problem is that most people aren’t going to spend money on these devices. When a person signs up for a secured website, that person is most likely going to expect to use a user name/password pair.
Here’s a quote from Marcus Ranum in an article titled “Why Passwords Aren’t Secure”:
“If you’re part of an organization that’s supporting anything that requires some kind of a password login, honestly, you should be looking at what you can do above and beyond passwords to protect your users against the inevitable time when their passwords are compromised.”
If passwords are a problem, then password resets are even more so.