user registration process. This question can either be selected from a

list of canned questions or supplied by the user. Another mechanism

in use is having the user provide a  hint  during registration that will

help the user remember his password. Other mechanisms require the

user to provide several pieces of personal data such as their social

security number, home address, zip code etc. to validate their

identity. After the user has proven who they are, the recovery system

will display or e mail them a new password.

A web site is considered to have Weak Password Recovery

Validation when an attacker is able to foil the recovery mechanism

being used. This happens when the information required to validate a

user's identity for recovery is either easily guessed or can be

circumvented. Password recovery systems may be compromised

through the use of brute force attacks, inherent system weaknesses,

or easily guessed secret questions.

Example

(Weak methods of password recovery)

Information Verification

Many web sites only require the user to provide their e mail address

in combination with their home address and telephone number. This

information can be easily obtained from any number of online white

pages. As a result, the verification information is not very secret.

Further, the information can be compromised via other methods such

as Cross site Scripting and Phishing Scams.

Password Hints

A web site using hints to help remind the user of their password can

be attacked because the hint aids Brute Force attacks. A user may

have fairly good password of  122277King  with a corresponding

password hint of  bday+fav author . An attacker can glean from this

hint that the user's password is a combination of the users birthday

and the user's favorite author. This helps narrowing the dictionary

Brute Force attack against the password significantly.

13

Copyright 2004, Web Application Security Consortium. All rights reserved.