1. Talk about password resets, users, best practices, and
better future. Free speaker notes! Michal paek @spazef0rze
2. Users forget their passwords because they are told to
remember them and that's hard. Did you ever forget your password?
See, apps need to have resets.
3. Password reset mechanisms can also be good for the security
of the user accounts. Jabbim is a Jabber/XMPP server run by a Czech
company. Unfortunately they did not have automated password resets
when they needed it the most.
4. December 2014 125k plaintext passwords In December 2014 they
suffered a breach and the attacker accessed 125k passwords stored
in plaintext, though Jabbim had their reasons for plaintext, like
performance and legacy client support. Data segmentation was also
missing, but let's move on. The leak wasn't made public, but the
bad guy tried to sell it for a bitcoin or two.
5. No automated password resets The issue is that Jabbim
doesn't have automated password resets because they don't require
users to enter email address during sign-up, so Jabbim can't send a
reset link. Their password reset mechanism is manual and that
doesn't scale well.
6. In case of emergency Issue a blog post Jabbim could reset
passwords immediately for all their users and send them reset links
via email, but this is what they did instead. Some of my friends
lost access to their Jabber accounts because somebody has changed
their password before they were able to read the blog post
suggesting them to change their passwords. They've eventually left
the service because of poor security practices.
7. Your email maybe? Because _( )_/ If an email address is not
mandatory during sing-up it should be at least optional and the
benefits of adding one should be clearly stated. Breaches happen.
Loosing an account just because of one is another thing.
8. What are the benefits of adding an email? When something bad
happens with one's account or if the user forgets their password
the service provider can send a link with a random token to the
email address provided and the user can set new password once they
click the link.
9. 1. Random 16+ bytes 2.Expiring in 1 or 2 hours 3.Usable once
The link should be random random, not just random, not time based,
not a hash of something, should expire in few hours max so that the
chance of an attacker using a leaked token is limited. The link
should be usable only once for the same reason.
10. SHA-512 Hash the token with SHA-512 before storing it in a
database. It doesn't need to be a slow hash like bcrypt, because
the token has a high entropy already and is limited in time
anyway.
11. Option to invalidate & IP address and city The email
with the reset link should also contain option to invalidate the
token to minimize the chance of an attacker gaining access to a
valid link and reset user's password. It should be also nice to
include the IP address and the city from where the request
originated so that the user can tell if it was them or somebody
else.
12. Sometimes, the bad guys use this password reset feature to
see whether their neighbor has been using the service as well so it
might not be a good idea to provide more information than needed,
especially if you're running a dating site for example. Most of the
times it does not really matter because it's possible to use
sign-up flow to see whether the address is already registered with
the site or not. It's also important to limit the number of
attempts to access password resets.
13. Don't generate and email new password. I've seen a site
which always generated new 5 characters long password, upper and
lowercase letters only. In that case, someone's strong password
could be easily downgraded to a short one by just using the
password reset feature. Last but not least, don't send the original
password. You can't, you don't even know it because it's properly
hashed, right?
14. token=encrypt(email) This should be old news for every
developer but obviously it's not. One of the more interesting ways
of doing a password reset was this. The token was an encrypted user
email address which got decrypted when sent back and then used to
find the user. That would be fine but the site was leaking source
code and encryption keys too, so it was possible to reset password
for anybody. Just use a random token, seriously.
15. https://www.google.com/transparencyreport/saferemail/ The
bad thing about email is shown above. Roughly half of the email
traffic is not encrypted as of August 2015. So even if the web app
runs on HTTPS and the reset link is also HTTPS there's still quite
a high chance that anybody with some leet skills can read the link
while in transit. That's not what I'd call a secure password
reset.
16. https://starttls.info You can use starttls.info to see
whether your email traffic is encrypted and how good the encryption
is. It's sort of like SSL Labs Server Check for email. And even if
you score grade A, it's still not end-to-end encryption, just
between servers, so your provider can still read your emails. Your
account is essentially protected by DNS. Someone can just hack your
DNS servers and change the MX records and reset links will go
elsewhere. It's similar to SMS, that's not secure much either.
17. https://www.facebook.com/me/about?section=contact-info
Facebook did this to work around insecure email. They allow you to
upload your PGP public key and then they will encrypt all the
notifications they send to you, including password reset links.
Even if you probably won't use the password reset feature because
you use a password manager (right?) then this makes it impossible
for the attacker to reset your password even if they have access to
the message with the reset link because that is encrypted with your
public key and only you can decrypt it.
18. Off-the-Record Messaging https://otr.cypherpunks.ca/ Other
option of doing end-to-end encryption to deliver the links securely
could be the OTR library. It's supported out-of-the-box on numerous
instant messengers and has plugins for few others. It can be used
from eg. Node.js, Python, Go, and Java. Your users would need to be
friends with your app and once they are the app can send the reset
links securely to their instant messenger.
19. Disable password reset Or you can just let users disable
password resets completely. Just make sure you get the messaging
around that right, suggest using a password manager for
example.
20. Disable Insecure email PGP email OTR message Save Ideally,
the app would let the users select preferred method of delivering
the HTTPS password reset link. More transports could be added, but
some common ones do not support automated sending very well or at
all, like Skype for example.
21. Notify users of password change One thing the apps should
definitely do is to notify the users when they or someone else have
changed their password. Again, clear copy is crucial. Might also be
interesting to require password change verification similar to
two-step verification or two-factor authentication, but I'm not
sure yet how to handle cases like when the device is lost etc.
22. oassword1 passwrod1 assword1 Michal paek @spazef0rze
www.michalspacek.cz One last thing, when users forget their
password just don't store the failed attempts. Once the database
leaks the correct password can be recovered easily, here the
password was Password1. Remember, think beyond just emailing links
to people.