Resetting ASP.NET password – security issues

asp.netasp.net-membershipforgot-passwordpassword-recoverySecurity

I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset.

A common method that's been mentioned is to simply:

1) Create a random Guid/Cryptographically strong random number

2) Send a unique URL containing the random number to the user's email
address

3) When confirmed, the user is asked to change password

However, isn't this open to a MITM attack? If sending a temporary passwords over the internet to an email is insecure, what's the difference between doing that and simply sending a unique URL which the attacker can navigate to?
Have I missed a key step somewhere that will make this system more secure (Or is there a better way of resetting the password)?

Thanks

Best Answer

If you construct your hash correctly, the url click will have to come from the IP address that requested the reset. This would require the MITM to spoof the IP and/or falsify headers. While this is possible, the more unique you can identify the hash to the system in question, the more difficult it becomes to "end-around" the hash.

It is also recommended that the guid be a one-way hash of certain criteria. It is also possible to encrypt system data in the request using a public key that a private key unlocks so that when the url is clicked, this same public encrypted system data must accompany the hash, and the only system that could unencrypt these values would be the private key held at the server. Basically a psuedo-PKI attachment to the hash.

Related Solutions

Effective Techniques for Password Retrieval in Modern Web Applications

It depends on the the level of security you are aiming for, support costs and usability concerns.

Emailing a password reset link is the preferred approach for a number of reasons:

Support Costs - This is the biggest factor from a business perspective. Users often forget even their password hints or use a fake mailing address or forget their user name. All of these are legitimate concerns for which you might get support requests. This in turn creates another issue, you have to establish the legitimacy of the user by asking them about recent account activity and what not. If you don't provide that level of support a lot of novice users will be disappointed. Emailing a password reset link mitigates these concerns because the users typically have one or two email addresses and they can easily recover their username/password by providing their email address.
Security Concerns - This is the biggest factor from a technical perspective. There are various concerns here which you have to weigh. A compromised email account means the hacker can go to access all of the users' services which allow a password reset link to be emailed. You can settle for middle ground which is to email a password reset link to the user which in turn asks the user a password hint question after which it allows them to reset their password. Again, you should never expose the user's password in any medium. In fact, if you have the capability to show them their password your system is already insecure because it implies you are not storing them using a secure hash like SHA-1 and a developer in your company can get at everyone's password.
Usability - This is the biggest factor from the user perspective. Emailing a password reset link requires the user go and check their email address which can means the time to achieve the task can go up to 2 or even 3 minutes. However, I would think that this is not a big deal. Most users don't seem to mind this because they feel they are at fault and this is a security measure in their best interest. I am only hypothesizing from personal experience and users in general might feel differently. I would put security as a higher priority than the user experience because users will rarely if ever need to retrieve their passwords (user has not logged in for a long time and forgot his password; user had saved his password in the browser which was reinstalled and some other edge cases).

How to not use ASP.Net Membership Security Question and Answer for custom password recovery

What I ended up doing was the following

public string ResetPassword(string email)
        {
            var m_userName = Membership.GetUserNameByEmail(email);
            var m_user = Membership.GetUser(m_userName);
            return m_user.ResetPassword();
        }

then I added a new method to use this value to change the password

public bool ChangeLostPassword(string email, string newPassword)
    {
        var resetPassword = ResetPassword(email);
        var currentUser = Membership.GetUser(Membership.GetUserNameByEmail(email), true);
        return currentUser.ChangePassword(resetPassword, newPassword);

    }

Best Answer

Related Solutions

Effective Techniques for Password Retrieval in Modern Web Applications

How to not use ASP.Net Membership Security Question and Answer for custom password recovery

Related Topic