websecurity June 2008 archive

Re: [WEB SECURITY] quick question on password reset 'best practices'

From: Marcin Wielgoszewski <marcinw86_at_nospam>
Date: Wed Jun 04 2008 - 17:30:58 GMT
To: "WASC Forum" <websecurity@webappsec.org>


I agree with Martin on this one. The timing attack issue, and frankly the password reset issue argument, is all moot. To the original poster, perhaps implement some challenge-response questions and make the password reset require the user to complete multiple steps.

If your data is so sensitive that you are worried about timing attacks for enumerating USERNAMES, then you really should be using 2-factor authentication and out-of-band channels for password resets.

On Wed, Jun 4, 2008 at 12:52 PM, Martin O'Neal <martin.oneal@corsaire.com> wrote:
>
>> This is clever and would be fun to test out. Would anyone on the
>> list...
>
> I don't want to always be the curmudgeonly old-fart, but the level of
> gain in some of this engineering may be way less than the work required
> to implement it, then tune it to a point where it works satisfactorily
> in all circumstances. An example of a situation where a minimal delay
> added to a response could quickly lose value is resource exhaustion; all
> the attacker has to do is to make the response time disproportionate to
> the arbitrary delay. The process may work as expected when you have
> single requests, but as soon as you fire 100 in parallel the backend
> process gets delayed and is back leaking timing information again.
>
> A better approach would be to solve the root issue; make the
> pre-authentication information as benign as possible, and get away from
> the use of public information as user identifiers (like email
> addresses).
>
> Martin...
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
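As an added example (not code from the thread or from either poster), here is a small Python model of the root-cause fix Martin describes: a naive reset handler whose reply text and latency both differ depending on whether the account exists, next to one that gives every requester the same reply and defers the account lookup and mail send to a worker, so there is no per-request delay to tune under load. The USERS set, the addresses, and the sleep standing in for mail delivery are constructed.

```python
"""Two password-reset handlers: one leaks account existence through its
message and response time, the other decouples the reply from the lookup so
text and timing are identical either way. Sample data is constructed."""
import queue
import time
from statistics import median

# Constructed user store (what the enumerating attacker wants to learn).
USERS = {"alice@example.test"}
SEND_DELAY_S = 0.02  # stands in for rendering and sending a reset email


def send_reset_email(email):
    """Pretend to send mail; this slow step leaks timing when done inline."""
    time.sleep(SEND_DELAY_S)
    return email


def reset_leaky(email):
    """Naive handler: different message AND different latency per branch."""
    if email in USERS:
        send_reset_email(email)
        return "A password reset email has been sent."
    return "No account exists for that address."


def new_outbox():
    """Work queue that stands in for a background job system."""
    return queue.Queue()


def reset_hardened(email, outbox):
    """Always enqueue, always answer the same way; the lookup and the mail
    send happen later in a worker, off the request path."""
    outbox.put(email)
    return "If an account exists for that address, a reset link has been sent."


def run_worker(outbox):
    """Drain the queue; only real accounts get mail, and the requester
    cannot observe this step. Returns the addresses mailed."""
    sent = []
    while not outbox.empty():
        email = outbox.get()
        if email in USERS:
            sent.append(send_reset_email(email))
    return sent


def median_latency(handler, email, samples=5, **kw):
    """Median wall-clock time of handler(email, **kw) over several calls."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        handler(email, **kw)
        times.append(time.perf_counter() - start)
    return median(times)
```

The leaky handler's existing-account path cannot finish faster than the mail send, while the hardened handler's two paths do identical work before replying.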