Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Resetting ASP.NET password - security issues?

I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset.

A common method that's been mentioned is to simply:

1) Create a random Guid/Cryptographically strong random number

2) Send a unique URL containing the random number to the user's email address

3) When confirmed, the user is asked to change password

However, isn't this open to a MITM attack? If sending a temporary passwords over the internet to an email is insecure, what's the difference between doing that and simply sending a unique URL which the attacker can navigate to? Have I missed a key step somewhere that will make this system more secure (Or is there a better way of resetting the password)?

Thanks

like image 633
keyboardP Avatar asked Jan 27 '10 22:01

keyboardP


1 Answers

If you construct your hash correctly, the url click will have to come from the IP address that requested the reset. This would require the MITM to spoof the IP and/or falsify headers. While this is possible, the more unique you can identify the hash to the system in question, the more difficult it becomes to "end-around" the hash.

It is also recommended that the guid be a one-way hash of certain criteria. It is also possible to encrypt system data in the request using a public key that a private key unlocks so that when the url is clicked, this same public encrypted system data must accompany the hash, and the only system that could unencrypt these values would be the private key held at the server. Basically a psuedo-PKI attachment to the hash.

like image 156
Joel Etherton Avatar answered Oct 16 '22 20:10

Joel Etherton