You, or a random dude on teh interwebz, forgot your password...



  • There's a fairly popular local site to find countrywide transit options. You can find the cheapest/fastest/possible routes from A to B, and buy tickets in some cases. You can have an account with them so, for example, you can actually keep track of your tickets.

    If you forget your password, you can click a link, enter your email, and get a new password emailed to you, right away.

    I'm just wondering what kind of a genius came up with a system like that and what could ever possibly go wrong... :rolleyes:



  • @wft said:

    I'm just wondering what kind of a genius came up with a system like that and what could ever possibly go wrong... :rolleyes:

    That is pretty standard. You don't know which account they are asking about unless they give you the login. Or are you saying that the email address isn't the login/part of the account they can use to look it up?



  • @locallunatic said:

    @wft said:
    I'm just wondering what kind of a genius came up with a system like that and what could ever possibly go wrong... :rolleyes:

    That is pretty standard. You don't know which account they are asking about unless they give you the login. Or are you saying that the email address isn't the login/part of the account they can use to look it up?


    Last time I checked, the standard was to email a link so that you can go in and change your password. Or, you get emailed a temporary password (that expires after, say, 1 day) that lets you go in and reset your password to something new.

    Emailing your actual password is a giant WTF as it means they're storing your password rather than a (salted) password hash.



  • @powerlord said:

    Or, you get emailed a temporary password (that expires after, say, 1 day) that lets you go in and reset your password to something new.

    Emailing your actual password is a giant WTF as it means they're storing your password rather than a (salted) password hash.

    Uh, who said they sent your current one?

    @wft said:

    If you forget your password, you can click a link, enter your email, and get a new password emailed to you, right away.

    I was pointing out that asking for someone's email address to know what account to do the temp password to (and which account it is for) is normal.



  • @powerlord said:

    Emailing your actual password is a giant WTF as it means they're storing your password rather than a (salted) password hash.

    It says "a new password".

    I'm not sure exactly what the WTF is here. Is it that you don't get prompted to enter a new password the first time you login with the password they emailed you?



  • @Dragnslcr said:

    @powerlord said:
    Emailing your actual password is a giant WTF as it means they're storing your password rather than a (salted) password hash.

    It says "a new password".

    I'm not sure exactly what the WTF is here. Is it that you don't get prompted to enter a new password the first time you login with the password they emailed you?


    Whoops, for some reason I read that as "your password" instead of "a new password."

    Maybe I should go home early since I clearly can't read / think today.



  • My reading of it was that, if you know an account name, you can get access to it using an arbitrary email address. So if I know that there's an account named Dragnslcr, all I need to do is say "I forgot my password", and have a new password / password reset link / whatever sent to foobar@mailinator.com, or any other email address of my choosing, thus allowing me to hijack your account trivially.



  • Well, if an attacker has access to your e-mail account, he can ride that into your transit account using this password-reset system.

    In theory, this might not even require knowledge of your password, since e-mail is not typically encrypted. Someone at the ISP with access to the database could read it, as could someone with a packet-sniffer monitoring the link that was used to send the message. But in practice, this would probably happen as a result of a bad guy getting your e-mail password or hacking the mail server.

    To be fair, quite a lot of systems have this same problem. And it can lead to disastrous consequences (http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/).

    There are a variety of possible solutions. A popular one is to use 2-factor authentication via a cell phone. For instance, you may give them your cell phone number as a part of account creation. Whenever you log on from an untrusted computer, after you provide the password, it will send you a text message (or phone call) with a one-time passcode that must also be entered. This way, in addition to having a valid password, you must also have physical possession of a phone that is using the registered number. (Typically, there's also a checkbox you can set to mark the computer as trusted so you don't need to do this every time you log-in.)

    There are many other approaches as well, which are often used by security-conscious administrators.
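    The phone-based second factor described in the post above, written out as an added example (my own illustration, not code from the transit site or from anyone in this thread). The class names, the in-memory "SMS outbox", the injectable clock, the 5-minute code lifetime, the 5-attempt limit and the 30-day trusted-device window are all assumptions chosen for the demo; a real deployment would send the code through an SMS gateway and keep the trusted-device marker in a cookie bound to the browser.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values for this example.
OTP_TTL_SECONDS = 5 * 60          # a mailed/texted code is only good for a few minutes
OTP_MAX_ATTEMPTS = 5              # stops online guessing of a 6-digit code
TRUST_TTL_SECONDS = 30 * 24 * 3600  # how long "remember this computer" lasts

_DUMMY_SALT = b"\x00" * 16  # used so unknown usernames take as long as real ones


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class User:
    username: str
    phone: str                      # number registered at account creation
    salt: bytes
    password_hash: bytes            # salted hash, never the password itself
    pending_otp: Optional[dict] = None
    trusted_devices: dict = field(default_factory=dict)  # device-id digest -> expiry


def make_user(username: str, phone: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(username, phone, salt, _pbkdf2(password, salt))


class TwoFactorLogin:
    """Password first; a one-time code to the registered phone on untrusted devices."""

    def __init__(self, users, sms_outbox, clock=time.time):
        self.users = {u.username: u for u in users}
        self.sms = sms_outbox      # constructed stand-in for an SMS gateway
        self.clock = clock

    def login(self, username: str, password: str, device_id: str) -> str:
        user = self.users.get(username)
        salt = user.salt if user else _DUMMY_SALT
        expected = user.password_hash if user else _pbkdf2("", _DUMMY_SALT)
        if not secrets.compare_digest(_pbkdf2(password, salt), expected) or user is None:
            return "denied"
        trust_expiry = user.trusted_devices.get(_digest(device_id))
        if trust_expiry is not None and self.clock() < trust_expiry:
            return "ok"  # the "trusted computer" checkbox was ticked earlier
        code = f"{secrets.randbelow(10**6):06d}"
        # Storing only a digest is a minor hardening; a 6-digit code is
        # brute-forceable offline, so the real guards are the short TTL and
        # the attempt counter below.
        user.pending_otp = {"digest": _digest(code),
                            "expires": self.clock() + OTP_TTL_SECONDS,
                            "attempts": 0}
        self.sms.append({"to": user.phone, "body": f"Your one-time code is {code}"})
        return "otp_required"

    def submit_otp(self, username: str, code: str, device_id: str,
                   remember_device: bool = False) -> str:
        user = self.users.get(username)
        pending = user.pending_otp if user else None
        if pending is None:
            return "denied"
        if self.clock() > pending["expires"]:
            user.pending_otp = None
            return "denied"
        pending["attempts"] += 1
        if pending["attempts"] > OTP_MAX_ATTEMPTS:
            user.pending_otp = None   # too many guesses: force a fresh login
            return "denied"
        if not secrets.compare_digest(pending["digest"], _digest(code)):
            return "denied"
        user.pending_otp = None       # single use
        if remember_device:
            user.trusted_devices[_digest(device_id)] = self.clock() + TRUST_TTL_SECONDS
        return "ok"


if __name__ == "__main__":
    outbox = []
    svc = TwoFactorLogin([make_user("alice", "+15555550100", "correct horse")], outbox)
    print(svc.login("alice", "correct horse", "laptop"))   # otp_required
    print(svc.submit_otp("alice", outbox[-1]["body"].split()[-1], "laptop", True))  # ok
    print(svc.login("alice", "correct horse", "laptop"))   # ok, device now trusted
```

    Note that a stolen phone alone still does not log in here: the password is checked before any code is sent, which is the point David_C makes about needing both factors.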



  • @tufty said:

    My reading of it was that, if you know an account name, you can get access to it using an arbitrary email address. So if I know that there's an account named Dragnslcr, all I need to do is say "I forgot my password", and have a new password / password reset link / whatever sent to foobar@mailinator.com, or any other email address of my choosing, thus allowing me to hijack your account trivially.

    I guess that's possible. I assumed it was like any other site, where you either enter a username and a password is sent to the email address associated with that username, or you enter an email address and a password is sent for the login associated with that email address.



  • ... and that is a WTF because...?


  • FoxDev

    @blakeyrat said:

    ... and that is a WTF because...?

    i'm guessing because it sends you the new password rather than a password reset link, which means even if you weren't the one who requested the reset you still have to deal with it because your password was just changed on you.



  • There's missing information here. If it's a temporary password, then... well that's like 80% of sites do, isn't it? And what's the difference between a temporary password and a link to reset your password, it's six of one, half-dozen of the other?

    Anyway I see I'm not the only one confused.

    BTW why are you talking to me all of a sudden? WTF. Did something happen 3 days ago I'm not privy to? Like you got replaced by a pod person?


  • FoxDev

    @blakeyrat said:

    And what's the difference between a temporary password and a link to reset your password, it's six of one, half-dozen of the other?

    well in one you need to use the new password to log in, and in the other your old password still works until you use the password reset link.

    @blakeyrat said:

    BTW why are you talking to me all of a sudden? WTF.
    you'd prefer i ignored your very existence?

    i can do that if you really want to, i do have the technology, i just don't use it because that's not very nice.

    @blakeyrat said:

    Did something happen 3 days ago I'm not privy to?
    many things, i am sure, but any that are relevant to this discussion.... none that i am aware of.

    @blakeyrat said:

    Like you got replaced by a pod person?
    well yes, a new pod person takes my place every 4 to 8 hours. that's how i stay so fresh and likeable!


  • Notification Spam Recipient

    @accalia said:

    new pod person takes my place every 4 to 8 hours.
    :giggity:?


    Filed under: One of me is apparently really turned on to this idea...



  • And all of you really need to get laid today.

    Possibly with each other.


  • Notification Spam Recipient

    I know... 😿 It's just not fun laying down with myself though.



  • @accalia said:

    well in one you need to use the new password to log in, and in the other your old password still works until you use the password reset link.

    You're assuming they only store one password per account.
    Some applications have more than one password associated with an account at one time and tack an expiration date onto each password. It's usually very simple to change those systems to support multiple active passwords and just create passwords with very short expiration dates.



  • @blakeyrat said:

    and that is a WTF because...?

    I'm assuming that @wft is assuming that the site in question doesn't check that the email address you enter belongs to the user account you're trying to retrieve a password for.


  • :belt_onion:

    @Dragnslcr said:

    I'm not sure exactly what the WTF is here. Is it that you don't get prompted to enter a new password the first time you login with the password they emailed you?

    I'd think the WTF is that you can reset any account's password to a random one. Not a vulnerability, but more of a DoS threat because you could just annoy all the users by resetting their passwords. That's why there's usually a confirmation step before they actually change the password...

    Of course,

    @flabdablet said:

    I'm assuming that @wft is assuming that the site in question doesn't check that the email address you enter belongs to the user account you're trying to retrieve a password for.

    would be an extreme case of WTF and would deserve... investigation...
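    The two reset designs argued over in this thread (powerlord's mailed link or short-lived temporary password, the "more than one active password with an expiration date" variant, and sloosecannon's point that a confirmation step is what stops the reset-everyone DoS), side by side as an added example. This is my own illustration, not code from the transit site or from any poster. The class and function names, the one-day link lifetime, the example URL, and the in-memory "outbox" standing in for a mail sender are assumptions made for the demo.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TTL_SECONDS = 24 * 60 * 60   # assumed: links expire after one day
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; this is what gets stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def _token_digest(token: str) -> str:
    # Only a digest of the reset token is kept, so a leaked table does not
    # hand out live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    # token digest -> expiry; several may be outstanding at once, which is the
    # "multiple active passwords with short expiry" design from the thread.
    pending_resets: dict = field(default_factory=dict)


class InsecureResetService:
    """The flow the thread complains about: typing in an email address
    immediately replaces that account's password and mails the new one."""

    def __init__(self, accounts, outbox):
        self.by_email = {a.email.lower(): a for a in accounts}
        self.outbox = outbox          # constructed stand-in for an SMTP sender

    def request_reset(self, email: str) -> None:
        acct = self.by_email.get(email.lower())
        if acct is not None:
            new_password = secrets.token_urlsafe(12)
            acct.password_hash = hash_password(new_password)  # owner is locked out now
            self.outbox.append({"to": acct.email, "body": new_password})


class ConfirmedResetService:
    """Two-step flow: the request only mails a single-use link; nothing changes
    until whoever holds that link submits a new password."""

    def __init__(self, accounts, outbox, clock=time.time):
        self.by_email = {a.email.lower(): a for a in accounts}
        self.outbox = outbox
        self.clock = clock

    def request_reset(self, email: str) -> str:
        acct = self.by_email.get(email.lower())
        if acct is not None:
            token = secrets.token_urlsafe(32)
            acct.pending_resets[_token_digest(token)] = self.clock() + RESET_TTL_SECONDS
            link = "https://transit.example/reset?token=" + token   # assumed URL
            self.outbox.append({"to": acct.email, "body": link})
        # Same reply whether or not the address exists, so the form cannot be
        # used to work out which addresses have accounts.
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token: str, new_password: str) -> bool:
        digest = _token_digest(token)
        for acct in self.by_email.values():
            expires_at = acct.pending_resets.pop(digest, None)   # single use
            if expires_at is None:
                continue
            if self.clock() > expires_at:
                return False          # link outlived its one-day window
            acct.password_hash = hash_password(new_password)
            acct.pending_resets.clear()   # any other outstanding links die too
            return True
        return False


if __name__ == "__main__":
    mail = []
    acct = Account("dragnslcr", "dragnslcr@example.invalid", hash_password("hunter2"))
    svc = ConfirmedResetService([acct], mail)
    print(svc.request_reset(acct.email))
    print(verify_password("hunter2", acct.password_hash))       # True: still usable
    token = mail[-1]["body"].split("token=")[1]
    print(svc.complete_reset(token, "correct horse"))            # True
    print(svc.complete_reset(token, "again"))                    # False: already used
```

    With the confirmed flow, a stranger submitting your address can at most make your inbox busier; with the insecure one, every submission is a lock-out, which is exactly the mass-annoyance scenario described later in the thread.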



  • @David_C said:

    if an attacker has access to your e-mail account

    then you're already screwed and any account signed up with that email address is also under the attacker's control.


  • Notification Spam Recipient

    Yeah, fun times with Yahoo... Fun times....



  • @flabdablet said:

    I'm assuming that @wft is assuming that the site in question doesn't check that the email address you enter belongs to the user account you're trying to retrieve a password for.

    That may not be your email address anymore. Providers change and mailboxes close. That's why "security questions."



  • No, not a temporary password. You just log in and do your stuff.

    This means if I have a long enough list of email addresses, I could annoy lots of people very easily.



  • @David_C said:

    Well, if an attacker has access to your e-mail account, he can ride that into your transit account using this password-reset system.

    (...)

    To be fair, quite a lot of systems have this same problem.

    As does one of Blakey's favorite objects of hate: Steam.

    They keep a separate login and screen name, and actively warn users in their FAQ that they're supposed to keep the login name private, because it is security sensitive, but then:

    1. They fuck that rule up themselves by sending all their promotional e-mail, notifications and purchase receipts using the god-damned login name you're supposed to keep private, and
    2. It doesn't matter anyway, because you can reclaim a 'lost' login name using only the account's registered e-mail address. So it's a quick two-step retrieve login -> reset password and your Steam account is still hosed.

    Well, at least they added phone number two-factor authentication...



  • @ben_lubar said:

    @David_C said:
    if an attacker has access to your e-mail account

    then you're already screwed and any account signed up with that email address is also under the attacker's control.

    If he has your log-in credentials, definitely yes. If he can access your e-mail through other means (e.g. snooping on SMTP traffic between mail servers) then maybe not.



  • @ben_lubar said:

    @David_C said:
    if an attacker has access to your e-mail account

    then you're already screwed and any account signed up with that email address is also under the attacker's control.

    Not if they don't know what the actual account name is though, which is why a separation between login name and screen name is a good thing.



  • @wft said:

    you can click a link, enter your email, and get a new password emailed to you

    I think it's this part. Based on the wording, it's not using the email address associated with the account but the email address you are entering right then and there on the "forgot password" page.



  • Exactly.

    I click "Forgot password?", enter some poor dude's email, and his password gets reset right away, without bothering to check if it's him or someone else even requesting to reset the password.



  • Oh, I thought you meant you could have someone else's now-reset password sent to your email address.



  • @David_C said:

    A popular one is to use 2-factor authentication via a cell phone.

    @Ragnax said:

    Well, at least they added phone number two-factor authentication...

    I don't know why people think this is a good idea given that many people get their e-mail on their smartphones. Now if I've stolen your phone and happen to know your dog's birthday or amputated your index finger when I mugged you for the phone, I've got everything I need to reset all your accounts...



  • @smallshellscript said:

    Now if I've stolen your phone and happen to know your dog's birthday or amputated your index finger when I mugged you for the phone, I've got everything I need to reset all your accounts...

    Well, if you're at the "amputating an index finger" stage, it's probably more sensible to just break out a rubber hose.



  • @Maciejasjmj said:

    Well, if you're at the "amputating an index finger" stage, it's probably more sensible to just break out a rubber hose.

    Sure but that doesn't lend itself to a quick street transaction. Show the knife to get them to give up wallet and phone. Elbow to the teeth to stun 'em and a quick snip with a cigar cutter and you're on your way.



  • @smallshellscript said:

    I don't know why people think this is a good idea given that many people get their e-mail on their smartphones.

    Yup. Which is why I keep a dumb-phone on a pre-paid plan around for two-factor stuff. Nice and clean of potential malware since there's no internet connection on the damn thing, never leaves the house and no registered e-mail account that could link the phone to any online accounts.


  • Notification Spam Recipient

    @Maciejasjmj said:

    rubber hose.

    :giggity:?



    You could maybe consider explaining what the WTF is in the very first post.


  • Discourse touched me in a no-no place

    @Tsaukpaetra said:

    :giggity:?

    You have unusual preferences in excitement, I see…


  • Notification Spam Recipient

    @dkf said:

    I see…

    I do? I wouldn't know, the :giggity:Engine doesn't necessarily explain exactly what it's giggitizing about...


  • :belt_onion:

    Getting your password randomly reset without authentication?



  • The opening post is vague as hell. The wtf is about as clear as mud.



  • @smallshellscript said:

    @David_C said:
    A popular one is to use 2-factor authentication via a cell phone.

    I don't know why people think this is a good idea given that many people get their e-mail on their smartphones. Now if I've stolen your phone and happen to know your dog's birthday or amputated your index finger when I mugged you for the phone, I've got everything I need to reset all your accounts...

    Seriously? Are you really worried that someone will steal your phone and then have enough information to figure out how to game the password-reset feature of a social media site? I think if you're concerned about a face-to-face attack, you should be more concerned that he'll just point a gun at your head and say "give me the password."



  • @David_C said:

    Seriously? Are you really worried that someone will steal your phone and then have enough information to figure out how to game the password-reset feature of a social media site?

    Not just social media. Do recall that many internet banking solutions employ phones as two-factor authentication as well. Or government services for that matter. So, while losing your index finger is probably (hopefully) hyperbole, the remainder of the post does raise valid concerns.



  • @Ragnax said:

    Not just social media. Do recall that many internet banking solutions employ phones as two-factor authentication as well. Or government services for that matter. So, while losing your index finger is probably (hopefully) hyperbole, the remainder of the post does raise valid concerns.

    And again, if someone is targeting you in person, he's just going to put a gun to your head and demand all the credentials you can remember, and then probably shoot you anyway. He's not going to steal your phone and use it to start hacking.

    People who are afraid that a password-reset script could be misused are concerned about random strangers deploying malware or intercepting traffic. They aren't going to travel to your home, break in and steal your phone in order to use the password-reset script. And if they are that desperate, then they'll just attack you in person and not bother with the password-reset in the first place.

    The last I saw, there haven't been waves of criminals murdering people for their cell phones in order to get web-access to their bank accounts. But maybe you're reading different newspapers.



  • @David_C said:

    The last I saw, there haven't been waves of criminals murdering people for their cell phones in order to get web-access to their bank accounts.

    There was a case some time back where snail-mail letters containing username and (separate) letters containing login codes for our national electronic ID system were lifted from mailboxes from several buildings housing predominantly students. Iirc they were also targeted for having their phones pick-pocketed to circumvent the two-factor authentication that could be enabled on the system by a user.

    The users, passwords and phones were used to log into all kinds of government services and fraudulently claim social support in the victims' names.

    So yes; that does happen, but as part of larger criminal operations. Not as part of muggings. (The whole idea is to lift the phone off of someone without them noticing until too late.)


  • Java Dev

    Oblig. XKCD:



  • So you're describing a massive organized crime effort targeting a specific group of people. How does this have anything to do with a password-reset script or 2FA? And if you think we all have to be worried about this, what is your solution. I assume you have something better than just declaring everything else useless.



  • @David_C said:

    I assume you have something better than just declaring everything else useless.

    Separate token generators that have no link to the internet and have no obvious connection to any one online account, leaving them useless to thieves unless there is prior knowledge of login details such as account user name, and with no need to carry them around outside your house.



  • So you would require every person to buy a hard-token from every web site he wants to access, and keep a pile of them at home, and somehow remember which one goes to which account.

    Yeah, everybody will love that system. Now let's see, was Amazon the red token or the blue one? Sorry, that was WalMart, the green one is for Visa, the purple one is for American Express....

    As much as you might like to make everybody use government/corporate security systems for all of their business, it is not practical.


  • Discourse touched me in a no-no place

    @Ragnax said:

    Separate token generators that have no link to the internet and have no obvious connection to any one online account, leaving them useless to thieves unless there is prior knowledge of login details such as account user name, and with no need to carry them around outside your house.

    This will not leave you secure from the mob with pitchforks who gather to lynch you for making their lives so downright miserable.



  • @David_C said:

    targeting

    That's where you've been going wrong. Nobody's going to single you out for this. But if they do happen to get hold of your phone, you're probably gonna be screwed, regardless. Or at least, I am; maybe you're one of those crazy paranoid hacker types who knows where to find the logout button.

