Brown Hat Security - Password Recovery Procedures

Password recovery procedures - for when users forget their passwords - are often an excellent way for an attacker to compromise security at an organization. The ability to bypass the normal authentication procedures enables the attacker by allowing them to ignore the usual security measures - sometimes in a way that allows access to many accounts instead of just one. A password recovery procedure is a replacement for an authorized credential - it grants access to a protected asset - and should be treated as one.

First of all, the way in which credentials are stored matters. Encryption is useful for many things, but password storage is not one of them. An encrypted password database is inappropriate because a compromise of the database can easily reveal the whole organization's credential list. Hashing functions, on the other hand, are "one-way" functions - even if the database is leaked, it will be very difficult to "unhash" the data; most of the time, the techniques for doing so amount to a slightly targeted brute forcing. Additionally, hashes have the property of all being the same size - the SHA512 hash for "weasel" is "4e4bd5e4b453eeb33c20f7d212640aa3ead512b90450bbc425a31247e82cb32394d8a947505334e723f0f6595cb440d1226d367cd7e50d48262bfe64a8026443" while the one for the text of "War and Peace" is "8d0eeb696f0be27ea7c0951be3962b92425afd3b9031f1c2ce95a55a72c7de81a7146f9864392c5ecae47487763cf2128280a4e25cbec6a192736021c5bdcf01". Yes, they're both long strings of apparently random hex digits - but they're both equally long, and give no indication as to the length or the content of what has been hashed.

This leads to several other implications - first and foremost, if a system demands a maximum length to the password (and thus implicitly forbids passphrases, which are becoming more and more common as a credential), it is highly likely that the credentials are being stored inappropriately - either in plaintext or "encrypted" in some kind of size-sensitive bucket.

Likewise, if there is any access by a customer service representative to a credential, it is being stored inappropriately - if a customer service representative can view a credential at all, this means it's been stored in a reversably encrypted fashion and is thus potentially available to everyone.

Further, if there is any way to bypass using the whole of the credential to authorize access ( as this thread here mentions, with the CSR's ability to auth with the last four characters ) this reduces the effective length of the password to the subset of the credential - someone will find a way to use the alternative access channel, and then use the vastly reduced credentialing space to bruteforce the passwords.

The use of "security questions" is another case where security is vastly reduced by a bypass mechanism. Most organizations use security questions that can be researched easily in places like Facebook - where people regularly advertise things like their favorite color, or their first car, or their favorite high school teacher. For targeted attacks, finding someone's mother's maiden name is as easy as a public records check.

Frankly, allowing CSRs any kind of access to customer account details opens up an organization to a vast landscape of social engineering attacks - something that places like GoDaddy have shown time and time again.

Much safer is to only allow access to an account via credentialing paths that are known to be under the client's exclusive control. The password - or passphrase - counts as one of these credentialing methods; a second factor - like the email account associated with the account, to which a password recovery link can be mailed - is another acceptable one. Other acceptable options include one-time passwords - a list of backup passwords can be designated ahead of time for one-time access for account recovery; the one-time passwords can then be stored offline in a safe space in the event that recovery is needed.

Given modern best practices surrounding the use of password managers by users, the likelihood of alternate recovery methods being needed at all is greatly lessened. The notion that a CSR would have to access a user's account at all is dangerously outmoded thinking that enables attackers - it puts in place attack surfaces that are frankly entirely unnecessary.

Carefully examine the practices surrounding password recovery for any organizations that you are a part of or do business with. Recovery procedures are a backdoor and should be treated as such - because attackers will treat them that way.