Passwords and E-mail—A Dangerous Combination

Problem

One huge security flaw in the implementation of password-based security on websites is the fact that virtually every website allows you to reset your password via e-mail. Typically, a website will have you type the e-mail address associated with your account to identify yourself, then send a message to that address with a new password, or a link to set a new password yourself. What makes this even more dangerous is the fact that most people consider this to be very secure, since it seems like no one can get into your e-mail if they don't have your e-mail password.

The truth is, e-mail is and always has been an insecure communications medium. A password reset message may travel through several different servers and networks, unencrypted, before landing in your mailbox. Your IT system manager may also be able to easily read all of your e-mails. Of course, virtually all IT system managers would never do this, but keep in mind it is possible. And if your company implements some of the bad password practices listed in this article, then anyone in your company may be able to log in to your e-mail account whenever they want. In such a situation, anyone in your company can easily change your password for every website where you used your company e-mail address for your account, and log in without your knowledge.

Strangers intercepting your e-mail in transit is possible but less likely. But, given the ubiquity of systems using e-mail for password security, we shouldn't be surprised if criminal enterprises decide someday to increase their focus on this vulnerability for exploitation.

Solutions

General

So, what should be done? The simple answer is that passwords should only be revealed or reset when there is an additional method to confirm that the requester is the owner of the account, and not an impostor. You're already familiar with these methods, which are deployed by all well-designed websites. These include:

  1. Validation code sent to your cell phone via SMS, or to an alternate e-mail address, which is unlikely to have been compromised at the same time as your main e-mail address; you then have to enter the code on the website before you can reset your password.
  2. Secret questions about your personal life that only you would know; usually you will have given the answer when you first set up your account, but financial institutions sometimes pull information from your credit profile and ask you about your past residence addresses, employers, or businesses you've owned.

With these methods, the password reset e-mail becomes a benign communications conduit for the password reset process, and is not used as the sole validation of your identity.

Third-Party Websites

You can tell how dedicated a website is to the security of its users by how much effort they place into ensuring your identity before allowing a password reset. Ideally, if e-mail is to be used, the password reset e-mail will have a link that takes you to a page on their website that will do the additional verification described above before letting you reset your password.
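The flow described above, as an added sketch that is not code from this article or from any particular website: the e-mailed link only opens the reset request, and the password can be changed only after a code delivered over a second channel is also presented. The class and method names, the 15-minute link lifetime, and the three-try limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed lifetime of the e-mailed link, in seconds
MAX_CODE_TRIES = 3    # assumed limit on wrong second-channel codes

def _digest(value: str) -> str:
    # Only hashes are kept server-side, never the raw token or code.
    return hashlib.sha256(value.encode()).hexdigest()

class ResetService:
    """Hypothetical in-memory reset flow; all names are illustrative."""

    def __init__(self, clock=time.time):
        self._pending = {}   # sha256(link token) -> request record
        self._clock = clock

    def start_reset(self, account: str):
        """Return (link_token, code): the token goes in the e-mailed link,
        the code goes to the phone or alternate address on file."""
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[_digest(token)] = {
            "account": account,
            "code_hash": _digest(code),
            "expires": self._clock() + TOKEN_TTL,
            "tries": 0,
        }
        return token, code

    def complete_reset(self, token: str, code: str):
        """Return the account name if link and code both check out, else None."""
        key = _digest(token)
        req = self._pending.get(key)
        if req is None:
            return None                  # unknown or already-used link
        if self._clock() > req["expires"]:
            del self._pending[key]       # expired link
            return None
        if not hmac.compare_digest(req["code_hash"], _digest(code)):
            req["tries"] += 1
            if req["tries"] >= MAX_CODE_TRIES:
                del self._pending[key]   # burn the link after repeated misses
            return None
        del self._pending[key]           # single use
        return req["account"]
```

Someone who can read the mailbox holds only the link token, and `complete_reset` returns `None` for them until the second-channel code is supplied as well.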

So, the first important takeaway from this article is this: If you keep sensitive data on a website that enables password resets using only e-mail for the user identity, you need to assess the potential impact of your account being taken over on this site, in light of the increased likelihood of such a breach. At the same time, you should contact the administrators of the site and encourage them to perform a top-to-bottom review of their security practices, and implement improvements necessary to secure their site and your data in light of modern technology and threats. As always, the owners of that site are welcome to contact J.D. Fox Micro for assistance from a certified security expert.

Your Company's Assets

The concepts in this article also apply to passwords on your business network, not just third-party websites. Your company can and should implement identity validation methods appropriate for the level of security you need. And that usually means not allowing password resets only through e-mail. If you search the news, you can find many instances where a criminal was able to get passwords to sensitive internal business applications simply by e-mailing the victim company's IT support provider and asking to reset the password. Proper validation can range from requiring in-person presentation to the IT system manager (most secure), to something like phone validation, which would be just as secure for a small business where the IT system manager has all the users' phone numbers and can recognize their voices.

If you run a website with password-protected login accounts, then, obviously, you should check to see whether it allows passwords to be reset only through e-mail. If you find that your developers did implement this, then this indicates a deficiency in integrating security into your application development process, which is critical in our modern era. To address this, you should do a top-to-bottom review of your security model and implementation, because no doubt there are other unaddressed vulnerabilities.

If your company is subject by law or contract to implement certain security practices (such as for businesses in the financial industry, or any business that processes and/or stores customer credit cards), you most probably will be required to implement these practices on your internal systems, and the same thinking applies as described in the previous paragraph.

For assistance from a certified security expert to review your company's website, web applications, or internal system's security posture, contact J.D. Fox Micro.