Why is password reset a security loophole?
(Last updated on February 7, 2020)
Authentication is the process of validating the identity of a user who is trying to gain access to an application or system. While many companies have taken steps to implement strong authentication, they don’t always require users to follow the same process to authenticate themselves when resetting passwords. We often find that the application provides a separate procedure for authenticating users that is a lot less secure.
Here are a few examples that demonstrate bad password reset practices:
- Emailing old password in plain text
Several websites offer an “I forgot my password” feature where users click a password reset link and get their old password delivered to their inbox. The problem with this is twofold – 1) the passwords are retrievable, which means they are either stored in the site’s database as plaintext or encrypted with a reversible algorithm; 2) those passwords are sent without encryption, so hackers sniffing network traffic could steal them. What makes matters worse is that users are likely to reuse the same passwords and usernames on other websites or systems, which opens the door to many other attacks. These bad password practices pose a security threat because they leave customers’ personal details vulnerable to leaks.
- Emailing password reset link
It is a fairly common practice to send a password reset link via email. Anyone who gains access to those emails can easily reset the passwords of the mailbox owners. Once access to a mailbox is obtained from one source, hackers can easily reuse it to request password resets on other accounts that contain highly sensitive personal information, such as financial details.
- Authenticating with secret questions that are not secret
Secret questions, or challenge questions, are one of the most common authentication methods. Users can unlock their accounts by answering simple questions such as “What was the first car you owned?”, “What is your mother’s maiden name?” and “What is the name of your first pet?” The problem with secret questions is that they really aren’t secrets. Secret questions often relate to life experiences that are easy to remember, but this makes them susceptible to social engineering. It is not hard to have a conversation with a person about the aspects of their life that the secret questions cover without raising any suspicion.
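The first two bad practices above both come down to what the server stores and what it puts in the email. The following added example (not code from the original post or from Specops) shows the defensive alternative: passwords are stored only as salted PBKDF2 hashes, so there is nothing to "retrieve" and email back; the email carries a random, time-limited, single-use reset token whose hash alone is kept server-side; and the reset does not complete until a second factor has been verified. The `users` dictionary, the `second_factor_ok` flag (standing in for whatever MFA check the deployment uses), the iteration count and the 15-minute lifetime are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Tunable parameters chosen for this example (assumptions, not vendor settings).
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself.
    A one-way hash means the old password cannot be emailed to anyone,
    and a database leak does not expose reusable credentials."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class ResetService:
    """Self-service reset: hashed, expiring, single-use token plus a second factor."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users   # username -> {"email": ..., "pw": stored hash}; constructed input
        self.tokens = {}     # sha256(token) -> {"user", "expires", "used"}
        self.clock = clock   # injectable clock so expiry can be tested deterministically

    def request_reset(self, username: str) -> str | None:
        """Issue a reset token to be emailed. Only the token goes out, never the
        current password, and only the token's hash is stored, so a leaked
        token table cannot be turned into working reset links."""
        if username not in self.users:
            # A production handler would respond identically for unknown users
            # so the reset form does not reveal which usernames exist.
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": username,
            "expires": self.clock() + RESET_TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def complete_reset(self, token: str, new_password: str, second_factor_ok: bool) -> bool:
        """Change the password only if the token is known, unexpired, unused,
        and the caller has passed the second factor. Mailbox access alone is
        therefore not enough to take over the account."""
        rec = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            return False
        if not second_factor_ok:
            return False
        rec["used"] = True   # burn the token before touching the credential
        self.users[rec["user"]]["pw"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    users = {"alice": {"email": "alice@example.com", "pw": hash_password("old-pass")}}
    svc = ResetService(users)
    token = svc.request_reset("alice")
    print("token emailed (not the password):", token[:8] + "...")
    print("reset without second factor:", svc.complete_reset(token, "new-pass", False))
    print("reset with second factor:", svc.complete_reset(token, "new-pass", True))
    print("token reused:", svc.complete_reset(token, "again", True))
    print("new password verifies:", verify_password("new-pass", users["alice"]["pw"]))
```

The service deliberately checks the token and the second factor separately and returns the same `False` for a missing, expired, used or factor-less attempt; the caller learns only that the reset did not happen. The injectable `clock` exists purely so the expiry rule can be exercised without waiting fifteen minutes.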
Password resets create a security loophole. The best way to close it is to implement stronger authentication for a self-service password reset tool such as multi-factor authentication (MFA). Specops uReset offers flexible multi-factor authentication with over 20 identity services, ranging from social to popular SaaS identities to higher trust phone-as-a-token options. You can decide how many and which identity services are needed for authentication before performing a password reset.
Will the added security compromise usability? Absolutely not. Through the introduction of Weighted Identity, Specops uReset allows you to assign different weights to each identity service to reflect its security. From an end-user’s perspective this provides a simple way to increase understanding of security, while also offering the added benefit of completing the reset task faster by authenticating with higher-weighted identity services.
Specops uReset received a Gold award and 5 out of 5 rating in a product review by Richard Hicks, a six-time Microsoft MVP. Read the product review here.