Weak Password Recovery Validation is when a web site permits an
attacker to illegally obtain, change or recover another user's
password. Conventional web site authentication methods require
users to select and remember a password or passphrase. The user
should be the only person that knows the password and it must be
remembered precisely. As time passes, a user's ability to remember
a password fades. The matter is further complicated when the
average user visits 20 sites requiring them to supply a password.
(RSA Survey: http://news.bbc.co.uk/1/hi/technology/3639679.stm)
Thus, Password Recovery is an important part in servicing online
Examples of automated password recovery processes include
requiring the user to answer a "secret question" defined as part of the
user registration process. This question can either be selected from a
list of canned questions or supplied by the user. Another mechanism
in use is having the user provide a "hint" during registration that will
help the user remember his password. Other mechanisms require the
user to provide several pieces of personal data such as their social
security number, home address, zip code etc. to validate their
identity. After the user has proven who they are, the recovery system
will display or e-mail them a new password.
A web site is considered to have Weak Password Recovery
Validation when an attacker is able to foil the recovery mechanism
being used. This happens when the information required to validate a
user's identity for recovery is either easily guessed or can be
circumvented. Password recovery systems may be compromised
through the use of brute force attacks, inherent system weaknesses,
or easily guessed secret questions.
(Weak methods of password recovery)
Many web sites only require the user to provide their e-mail address
in combination with their home address and telephone number. This
information can be easily obtained from any number of online white
pages. As a result, the verification information is not very secret.
Further, the information can be compromised via other methods such
as Cross-site Scripting and Phishing Scams.
A web site using hints to help remind the user of their password can
be attacked because the hint aids Brute Force attacks. A user may
have fairly good password of "122277King" with a corresponding
password hint of "bday+fav author". An attacker can glean from this
hint that the user's password is a combination of the users birthday
and the user's favorite author. This helps narrowing the dictionary
Brute Force attack against the password significantly.
Secret Question and Answer
A user's password could be "Richmond" with a secret question of
"Where were you born". An attacker could then limit a secret answer
Brute Force attack to city names. Furthermore, if the attacker knows
a little about the target user, learning their birthplace is also an easy
"Protecting Secret Keys with Personal Entropy", By Carl Ellison, C. Hall, R. Milbert, and B. Schneier
"Emergency Key Recovery without Third Parties", Carl Ellison
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $99.00 for a second Weak Password Recovery Validation attack vulnerability test.