websecurity June 2008 archive

Re: [WEB SECURITY] quick question on password reset 'best practices'

From: Jeremiah Grossman <jeremiah_at_nospam>
Date: Tue Jun 03 2008 - 16:40:47 GMT
To: WASC Forum <websecurity@webappsec.org>


Our first reaction is to always limit the amount of information we disclose to the bad guys, including valid usernames/emails. However, we're not seeing the value of the generic error messages in the login/password reset flows as we might in web-based systems. For context I'm talking about timing attacks as described by the guys at Sensepost, a highly recommended read:

It's all about timing...
http://www.sensepost.com/blog/1303.html

I've seen similar attacks executed and vulns identified as they've described both before and after their paper's release on a number of websites. For the most part an attacker can tell which usernames are valid on the website, whether or not you get a generic error message, by the speed of the response.

IMHO, the larger the userbase and the more predictable the usernames, the less valuable generic messages are. Big systems make bigger targets for username/email address harvesting. So on smaller systems, generic messages are advisable. On bigger ones, the value is likely diminished and would cost more in customer support if/when implemented.

Regards,

Jeremiah-
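The leak Jeremiah describes comes from the server doing less work for an unknown username, so the generic message alone does not help. The following is an added illustration, not code from this thread or from Sensepost: a leaky reset handler beside one that performs the same expensive step on both paths. User names, the salt table and the `slow_hash` cost are constructed for the example.

```python
import hashlib
import os
import secrets
import time

# Constructed sample user table (not real accounts): username -> salt.
# A real system would also hold a password hash; only the salt matters here.
USERS = {"alice@example.com": os.urandom(16), "bob@example.com": os.urandom(16)}
DUMMY_SALT = os.urandom(16)          # fixed salt used when no such user exists
GENERIC = ("If the username is valid, you should receive an email "
           "with your password shortly.")
WORK = {"pbkdf2_calls": 0}           # instrumentation so tests can count the slow step

def slow_hash(secret: str, salt: bytes) -> bytes:
    """Deliberately expensive step (hashing a reset token before storing it)."""
    WORK["pbkdf2_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def reset_leaky(username: str, store: dict) -> str:
    """Generic message, but unknown users skip the expensive work: the
    response is measurably faster for invalid usernames (the timing leak)."""
    if username not in USERS:
        return GENERIC
    token = secrets.token_urlsafe(32)
    store[username] = slow_hash(token, USERS[username])   # would also email the token
    return GENERIC

def reset_uniform(username: str, store: dict) -> str:
    """Same message and the same expensive work on both paths; the hashed
    token is only kept (and would only be emailed) when the user really exists."""
    token = secrets.token_urlsafe(32)
    digest = slow_hash(token, USERS.get(username, DUMMY_SALT))
    if username in USERS:
        store[username] = digest
    return GENERIC

def work_done(handler, username: str) -> int:
    """Number of slow_hash calls one request to `handler` triggers."""
    before = WORK["pbkdf2_calls"]
    handler(username, {})
    return WORK["pbkdf2_calls"] - before

def timing_ratio(handler, valid="alice@example.com", invalid="nobody@example.com", rounds=3):
    """Invalid-to-valid median response time; near 1.0 means no usable timing signal."""
    def median(name):
        samples = []
        for _ in range(rounds):
            t = time.perf_counter(); handler(name, {}); samples.append(time.perf_counter() - t)
        return sorted(samples)[rounds // 2]
    return median(invalid) / median(valid)

if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform):
        print(f"{h.__name__}: invalid/valid time ratio = {timing_ratio(h):.3f}")
```

The same rule applies to the login flow: verify against a dummy hash when the username is unknown so both paths cost the same. Uniform work narrows the signal but does not remove every difference (database lookups, mail queueing), so measure as above rather than assume.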

On Jun 2, 2008, at 10:37 AM, Joe White wrote:

> User requests password reset but enters wrong email address as the
> username:
>
> 1) Username = user email address
> 2) user forgets password
> 3) user goes to password reset page in the web app
> 4) user enters email address as username and requests that his/her
> password be reset
> 5) user then gets a message similar to the following:
>
> "If the username is valid, you should receive an email with your
> password shortly."
>
> However, what if the user enters the wrong email address? Is it prudent to
> display something similar to the following message in this case?
>
> "This is not a valid username."
>
> The recon and intelligence gathering implications of the latter
> situation are potentially *huge*, but how do you best handle it when the
> user enters an incorrect username?
>
> any thoughts?
>
> thanks,
> joe
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
