
Forgot Password Best Practices

Good information on how to design a website password recovery feature, by Dave Ferguson at a company called FishNet Security. Mr. Ferguson signs his name as CISSP, which apparently means he’s a “Certified Information Systems Security Professional”.

Best Practices for Your “Forgot Password” Feature (PDF, 260 K)

For a web application, authentication is typically done via username and password inputs from the user. The authentication process often receives plenty of attention during the design and development phases, and much has been written about how to secure the process. Enforce strong user passwords. Display a generic error message for a failed login. Lock or disable the account after a certain number of failed login attempts. Store passwords in the database as one-way, salted hash values. All of these carefully thought-out security measures often go out the window when a user forgets his password.

As a user the expectation is that an application will assist you when you’ve forgotten your password. But there’s something fundamentally insecure about a forgot password feature. Essentially, the application is providing a second, entirely separate procedure to authenticate you. It’s this secondary method of authentication that often gets short shrift by designers and developers. Security weaknesses creep in.
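The excerpt's point is that a reset link is a second credential, so it needs the same care as the first: an unguessable token, a short lifetime, single use, storage as a one-way hash, and a response that does not reveal whether the account exists. The following is an added example, not code from the paper or from this post, that wires those properties together; the token lifetime, PBKDF2 parameters and the in-memory `ResetTokenStore` are assumptions chosen for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Assumed parameters (not taken from the paper): a 15-minute token lifetime and
# PBKDF2-HMAC-SHA256 with a random per-user salt for password storage.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000
GENERIC_RESPONSE = "If that account exists, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way, salted hash as the excerpt recommends; returns (salt, digest)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return secrets.compare_digest(candidate, digest)


class ResetTokenStore:
    """Constructed stand-in for a database table of pending reset requests.
    Only the SHA-256 digest of each token is kept, so a leaked table does not
    contain usable reset links."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float) -> str:
        # 256 bits from the OS CSPRNG: the link must be as hard to guess as the
        # password it stands in for, since it is a second way to authenticate.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token  # goes only into the e-mailed link; never logged or stored

    def redeem(self, token: str, now: float) -> Optional[str]:
        # Lookup by digest: a partially matching guess learns nothing from
        # timing, and the entry is removed on first use, valid or expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        return username if now <= expires_at else None

    def revoke_all(self, username: str) -> None:
        self._pending = {k: v for k, v in self._pending.items() if v[0] != username}


def request_reset(store: ResetTokenStore, users: dict, username: str, now: float):
    """Same response whether or not the account exists, mirroring the generic
    failed-login message above. The token is returned here only so the flow can
    be exercised offline; a real application would e-mail it instead."""
    token = store.issue(username, now) if username in users else None
    return GENERIC_RESPONSE, token


def complete_reset(store: ResetTokenStore, users: dict, token: str,
                   new_password: str, now: float) -> bool:
    """Redeems the token once, stores the new salted hash, and kills any other
    outstanding links for the same account."""
    username = store.redeem(token, now)
    if username is None:
        return False
    users[username] = hash_password(new_password)
    store.revoke_all(username)
    return True


if __name__ == "__main__":
    store = ResetTokenStore()
    users = {"alice": hash_password("old-secret")}  # constructed sample account
    _, tok = request_reset(store, users, "alice", now=1000.0)
    print("reset ok:", complete_reset(store, users, tok, "new-secret", now=1001.0))
    print("reused link accepted:", complete_reset(store, users, tok, "again", now=1002.0))
```

The `now` parameter is passed explicitly rather than read from the clock so the expiry path can be checked deterministically; in production it would simply be `time.time()`.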

January 28, 2010 at 11:01 am