Hacker News new | ask | show | jobs
by ninja_to_be 3974 days ago
As part of one of my academic projects, I did a bit of research on password reset functionality of about a dozen major websites. It was interesting to note that each and every website had implemented it in a different manner. So much difference in the process and the lack of a standard procedure was shocking, though understandable. It was interesting to brainstorm and discuss about the rationale behind each of the password reset process and the User Experience decisions involved.

I also noticed a frighteningly large number of small websites that get 'password reset' absolutely wrong, compromising their users' accounts. It is something that is very difficult to get right, unless thought through completely before implementation. Whenever I signup for a new user account on a fairly new website, I try to use a dummy throwaway password on the first attempt and then try the password reset option to see if the website is actually serious about security. It is like a litmus test for me to decide about continuing to use the website and trusting them with more of my data.
1 comments
fr0styMatt2 3974 days ago
Can you give some examples of what you'd consider red flags in a site's password reset procedure? I'd be really curious; this is an area that I've thought about as a "necessary but horrible-for-security thing".
link
ninja_to_be 3974 days ago
A few examples of unacceptable practices followed by certain websites include:

- Sending your password to your email in plain text. - Allowing user to set new password just by answering simple personal details like DOB, Zip code etc which might be known to a number of your friends and family members.

Often it is simple enough to implement a password reset functionality with a reset-link that contains a GUID which expires after a certain period of time. It could be more secure, but is a tradeoff between providing greater security and a longer reset process.

One of the major risks of websites with very naive reset procedures is that many people use the same password with multiple websites. So if a user's password gets compromised on a site, then the attacker can easily try those passwords with other services and gain easy access to user data.

link
LunaSea 3974 days ago
The real issue with getting your plain text password in an email is that it means the site is not hashing passwords at all.
link
otherusername2 3974 days ago
Only if the send you your old password. If they reset your password, they can send you the plaintext first, then hash the password and store it in the database.
link
jlarocco 3974 days ago
No. The problem is that email isn't encrypted on the backend. Sending a plain text password means every server between the website's SMTP server and your email provider's SMTP server can see the password.
link
NeutronBoy 3974 days ago
As opposed to what? Every server between the website's SMTP server and your email provider's SMTP server can see the password reset link?
link
shkkmo 3974 days ago
Not quite true. A properly configured email server sending email to another properly configured email server should be using TLS to send the message:

http://superuser.com/questions/260002/why-are-email-transfer...

That still doesn't mean you should count on emails being encrypted between servers.

link