Password Reminders Considered Harmful
Posted at 00:55 on 15 November 2007
How does your website handle users who have forgotten their password?
Chances are, you ask for their e-mail address, look them up, extract their password from the database, and e-mail it to them. Nice and simple, and convenient for the end user, and easy to program.
Unfortunately, it is seriously and dangerously flawed.
Almost everyone re-uses login details across multiple web sites. It simply is not realistic to expect them to do otherwise. As a result, if an attacker manages to compromise your user database, they will be able to impersonate your users on potentially thousands of websites, including some that store their credit card details.
Never think you are immune to this. It happened to Reddit, a popular user-generated news site similar to Digg, and it can happen to you. It is very difficult to be 100% sure that your database will never fall into the wrong hands: unless you have enterprise-level security staff, infrastructure, procedures and budget, every single person involved with your data will be a weak link in the chain, from the developers to the DBAs to the dodgy geezer who comes in as a contractor to do the building's networking. Do you know where all the copies of your data are -- even the partial, out of date ones that your developers use for testing? Are you sure there aren't any hanging around on backup CDs, USB key disks, laptops, or old PCs that you are throwing out?
No, you should never store your users' passwords directly in a database. Instead, you must use a salted hash: a one-way encryption algorithm which makes it impossible -- or at the very least, computationally very expensive and impractical -- to reverse engineer them into the original password.
Unfortunately, this means that you can't send password reminders to your users. Instead, you have to send them a single-use link to a page where they can reset their passwords on confirmation of their e-mail address. Because of this, some people prefer to sacrifice security in favour of convenience here. In fact, if the comments that were left on Jeff Atwood's blog when he wrote about this subject are anything to go by, sometimes this design decision is imposed on developers, against their recommendations, by their managers.
I think that Mats Helander comes up with the best response to this, when he says that it should be illegal to store passwords in a database in plain text:
Many comments on Jeff [Atwood]’s blog lamented the fact that sometimes your boss will decide for you that passwords should be stored in plaintext (or two-way encrypted using a secret key, which the hacker will of course be able to obtain as readily as your password list, meaning it’s as good as plaintext). One often suggested reason would be a requirement that the system must be able to mail back a user’s forgotten password.
In my opinion, this is one of the very rare cases where I think the law should get involved, protecting the developer from having to compromise my security in order to keep his job. The developer should be able to say “No boss, that would be against the law”.
I couldn't agree more. Really, the extra complexity introduced by the "reset password" option is very minor, and given the potential consequences of losing your data to an attacker, seriously compromising my security in favour of convenience in this way is inexcusably reckless, especially in a day and age when identity theft is a serious and growing problem.