Why is password reset a security loophole?
(Last updated on August 2, 2018)
Authentication is the process of validating the identity of a user who is trying to gain access to an application or system. While many companies have taken steps to implement strong authentication, they don't always require users to follow the same process to authenticate themselves when resetting passwords. We often find that the application provides a separate procedure for authenticating users that is considerably less secure.
Here are a few examples that demonstrate bad password reset practices:
- Emailing old password in plain text
Several websites offer an "I forgot my password" feature where users click a password reset link and get their old password delivered to their inbox. The problem with this is twofold: 1) the passwords are retrievable, which means they are being stored in the site's database either as plaintext or encrypted with a reversible algorithm; 2) those passwords are sent without encryption, so attackers sniffing network traffic could steal them. What makes matters worse is that users are likely to reuse the same passwords and usernames on other websites or systems, which opens the door to many other attacks. These bad password practices pose a security threat because they leave customers' personal details vulnerable to leaks.
- Emailing password reset link
It is a fairly common practice to send a password reset link via email. Anyone who gains access to that mailbox can easily reset the password of its owner. Once a mailbox is compromised from one source, attackers can reuse it to request password resets on other accounts that hold highly sensitive personal information, such as financial details.
- Authenticate using secret questions that are not secrets
Secret questions, or challenge questions, are one of the most common authentication methods. Users can unlock their accounts by answering simple questions such as "What was the first car you owned?", "What is your mother's maiden name?" and "What is the name of your first pet?" The problem with secret questions is that they really aren't secrets. They usually relate to life experiences that are easy to remember, but this also makes them susceptible to social engineering. It is not hard to have a conversation with a person about aspects of their life that answer the secret questions without raising any suspicion.
Password resets create a security loophole. The best way to close it is to implement stronger authentication for the self-service password reset tool, such as multi-factor authentication (MFA). Specops uReset® offers flexible multi-factor authentication with over 20 identity services, ranging from social to popular SaaS identities to higher-trust phone-as-a-token options. You can decide how many and which identity services are needed for authentication before a password reset is performed.
Will the added security compromise usability? Absolutely not. Through the introduction of Weighted Identity, Specops uReset allows you to assign a different weight to each identity service to reflect its security. From an end user's perspective this is a simple way to build understanding of security, with the added benefit of completing the reset faster by authenticating with higher-weighted identity services.
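As an added illustration of the two ideas above, and not Specops' code or the actual uReset implementation: a reset flow where the emailed link is a random, single-use, expiring token of which only a hash is stored, and where the reset completes only once the verified identity services reach a weight threshold. The service names, weights, threshold and 15-minute lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy: each identity service carries a weight and a reset
# is allowed only when the verified services sum to at least THRESHOLD.
# Names and weights are illustrative, not a vendor's actual settings.
SERVICE_WEIGHTS = {"phone_token": 3, "saas_sso": 2, "social": 1}
THRESHOLD = 3
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed)


def factors_sufficient(verified_services):
    """True when the distinct verified services reach the required weight."""
    total = sum(SERVICE_WEIGHTS.get(s, 0) for s in set(verified_services))
    return total >= THRESHOLD


class ResetService:
    """Password reset requiring both a fresh single-use link and enough
    identity weight. Only a hash of the link token is ever stored, so a
    leaked database does not yield usable reset links."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # user -> (sha256(token), expiry timestamp)

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user] = (digest, self.clock() + TOKEN_TTL)
        return token  # delivered out of band; never stored in clear

    def complete_reset(self, user, token, verified_services):
        entry = self.pending.get(user)
        if entry is None:
            return "no_pending_request"
        digest, expiry = entry
        if self.clock() > expiry:
            del self.pending[user]
            return "expired"
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):  # constant-time
            return "bad_token"
        if not factors_sufficient(verified_services):
            return "insufficient_factors"
        del self.pending[user]  # single use: the link cannot be replayed
        return "ok"
```

A mailbox compromise alone yields the token but not the weighted factors, so the reset still fails until the threshold is met.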
Specops uReset received a Gold award and a 5 out of 5 rating in a product review by Richard Hicks, a six-time Microsoft MVP.