General web security question: "I forgot my password"


Ram Rachum

unread,
Jan 20, 2012, 5:09:50 PM1/20/12
to pyweb-il
Hey guys,

I have a general web security question, unrelated to Python.

All self-respecting websites have a "I forgot my password" feature. You fill in your email, and get sent a reset link that lets you set your password to whatever you want.

I remember seeing a few websites that instead of sending you such a link, just emailed you your original password.

I remember that when I saw it, I was angry, thinking "how dare you send my password in email in plain text?! You're supposed to send a reset link, not my password!"

But then I thought about it again... How does it help to use a reset link? I got the impression that email is not very secure. Can't a hacker intercept the email, see your password reset link, and then use that to reset your password to whatever he likes?


Ram.

Arik Baratz

unread,
Jan 20, 2012, 5:25:03 PM1/20/12
to pywe...@googlegroups.com
On Fri, Jan 20, 2012 at 2:09 PM, Ram Rachum <r...@rachum.com> wrote:

But then I thought about it again... How does it help to use a reset link? I got the impression that email is not very secure. Can't a hacker intercept the email, see your password reset link, and then use that to reset your password to whatever he likes?

It is a bit more "secure", because giving the attacker the clear-text password will enable the attacker to reuse this password on other accounts you may have and compromise them. Giving you a new, random password or a link to reset the password doesn't risk revealing the password to the attacker.

But wait, there's another security aspect of sending the original password: If they send you the clear-text password - they must STORE your clear-text password. That makes their password database much more sensitive - if it's compromised the clear-text password is revealed (and can be abused in the same way) whereas if they only store hashes and your password is un-brute-force-able you should still be somewhat safe.

-- Arik

Ram Rachum

unread,
Jan 20, 2012, 5:29:01 PM1/20/12
to pywe...@googlegroups.com
Agreed on both these points.

But still, "sending password reset link by email" is pretty lame security, isn't it?  How come intercepting these emails isn't a goldmine for hackers?

Uriel Katz

unread,
Jan 20, 2012, 5:36:20 PM1/20/12
to pywe...@googlegroups.com

To intercept mails you must be somewhere along the route it goes, meaning you hacked the mail server, ISP or the user network (or one of the computers in that route).
Now it sounds a bit more complex :)

--
You received this message because you are subscribed to the Google Groups "PyWeb-IL" group.
To post to this group, send email to pywe...@googlegroups.com.
To unsubscribe from this group, send email to pyweb-il+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pyweb-il?hl=en.

Ram Rachum

unread,
Jan 20, 2012, 5:39:57 PM1/20/12
to pywe...@googlegroups.com
So, there could be a dozen computers between point A and point B, right? And a hacker may tap into the cable between any 2 computers on the chain, and pick up the unencrypted communication, no?

Arik Baratz

unread,
Jan 20, 2012, 5:45:51 PM1/20/12
to pywe...@googlegroups.com
On Fri, Jan 20, 2012 at 2:39 PM, Ram Rachum <r...@rachum.com> wrote:
So, there could be a dozen computers between point A and point B, right? And a hacker may tap into the cable between any 2 computers on the chain, and pick up the unencrypted communication, no?

Correct. Encrypt your stuff and start using 2 factor auth whenever available, ESPECIALLY for your email. I don't know if webfaction gives you this kind of option. Many sites these days allow you to login with your Google credentials and you can use 2FA with Google.

Some sites try to mitigate these risks by using """security""" questions. Note that security questions are basically an additional password for your account - a password that sites try to get you to select using information that can be found about you. It's one of the worst inventions in the security world and should be eliminated altogether. Never give true information about yourself in security questions - I use random strings where possible or answers about someone else where not.

-- Arik

Ram Rachum

unread,
Jan 20, 2012, 5:50:30 PM1/20/12
to pywe...@googlegroups.com
What do you mean, "encrypt your stuff" in this context? I use 2FA on Google, but how can I encrypt email? I mean, I'm sure there are programs to do that, but I couldn't really (a) make the person who sends me email send it encrypted or (b) ensure that the person I'm sending to has this program. No?

--

Arik Baratz

unread,
Jan 20, 2012, 5:59:37 PM1/20/12
to pywe...@googlegroups.com
On Fri, Jan 20, 2012 at 2:50 PM, Ram Rachum <r...@rachum.com> wrote:
What do you mean, "encrypt your stuff" in this context? I use 2FA on Google, but how can I encrypt email? I mean, I'm sure there are programs to do that, but I couldn't really (a) make the person who sends me email to send them encrypted or (b) ensure that the person I'm sending to has this program. No?

I wasn't very accurate; sorry. Encrypt all your traffic whenever possible. When you have a service provided by a 3rd party that you can't control - it's not always possible, but if you are writing a web application try to send your password mail encrypted. Many mail services (GMail included) will do opportunistic TLS encryption. For example, your mail server at webfaction will do it:

arikb@vps-il:~$ telnet mx7.webfaction.com 25
Trying 174.133.156.178...
Connected to mx7.webfaction.com.
Escape character is '^]'.
220 mx7.webfaction.com ESMTP Postfix
EHLO test
250-mx7.webfaction.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
arikb@vps-il:~$

If I would send you an email message from gmail, I believe it will be encrypted between google and webfaction.

-- Arik

Ram Rachum

unread,
Jan 21, 2012, 12:02:50 PM1/21/12
to pywe...@googlegroups.com
Cool. Let me understand what's going on here. When my webapp sends an email, it starts an SMTP connection to my mail provider and sends the message through that. Then that mail provider opens its own connection to the recipient's email server. Then the recipient checks his email by connecting to his email provider.

Did I get this right? I'm not experienced with email infrastructure so please correct me if I'm wrong.

So we have 4 nodes and 3 connections between them.

Connection 1: Webapp -> Webapp's mail provider
Connection 2: Webapp's mail provider -> Recipient's mail provider
Connection 3: Recipient's mail provider -> Recipient

Connection 1 is secure, since we can just do `EMAIL_USE_TLS = True` in Django. Connection 3 depends on the recipient; if he uses something like GMail, which is encrypted, he's safe.

This leaves Connection 2. Is this what you were referring to when you said that any mail between Webfaction and GMail would be encrypted?

Arik Baratz

unread,
Jan 21, 2012, 2:17:03 PM1/21/12
to pywe...@googlegroups.com
On Sat, Jan 21, 2012 at 9:02 AM, Ram Rachum <r...@rachum.com> wrote:

Cool. Let me understand what's going on here. When my webapp sends an email, it starts an SMTP connection to my mail provider and sends the message through that. Then that mail provider opens its own connection to the recipient's email server. Then the recipient checks his email by connecting to his email provider.

There may be a few stages in the middle, but basically yes.
 
Did I get this right? I'm not experienced with email infrastructure so please correct me if I'm wrong.

So we have 4 nodes and 3 connections between them.

Connection 1: Webapp -> Webapp's mail provider
Connection 2: Webapp's mail provider -> Recipient's mail provider
Connection 3: Recipient's mail provider -> Recipient

Connection 1 is secure, since we can just do `EMAIL_USE_TLS = True` in Django. Connection 3 depends on the recipient; if he uses something like GMail, which is encrypted, he's safe.

Yes. The end user may be using POP3 (which does have an encrypted version - in fact gmail only allows the encrypted version) or the HTTPS interface or set up their own SMTP relay, in which case it depends on his level of expertise.
 
This leaves Connection 2. Is this what you were referring to when you said that any mail between Webfaction and GMail would be encrypted?

It depends on several factors, but if both sides are set up to do opportunistic TLS they will negotiate a TLS connection before sending the message. As far as software is involved, both gmail and webfaction run software capable of it - it's just a configuration issue.

-- Arik

Ram Rachum

unread,
Jan 21, 2012, 5:50:11 PM1/21/12
to pywe...@googlegroups.com
Cool, that's good to know!

Ori Hoch

unread,
Jan 22, 2012, 1:59:31 AM1/22/12
to pywe...@googlegroups.com
some extra points to consider:

even if the smtp/pop combination is secure the fact that an email with the password is stored is a security hole by itself.

first, there is the social security concern, a user might accidentally open the mail with the password when someone is watching, users could use a work mail which is monitored or might forget to log out and someone could browse their emails.

second, there is the question of whether these mails are stored in a secure manner, what happens when the server storing these mails is hacked?

regarding the security questions - i agree that it's not ideal from a pure security point of view but unfortunately necessary from a usability point of view. i think that the combination of security question + single use password / activation link is a necessary evil. sites should consider asking questions based on the usage of the site like what facebook is doing - showing photos and asking which are your friends - but it's also dangerous and might lock out people with bad memory..

Arik Baratz

unread,
Jan 22, 2012, 3:49:07 AM1/22/12
to pywe...@googlegroups.com
On Sat, Jan 21, 2012 at 10:59 PM, Ori Hoch <o...@uumpa.com> wrote:
some extra points to consider:

even if the smtp/pop combination is secure the fact that an email with the password is stored is a security hole by itself.

Indeed.


first, there is the social security concern, a user might accidentally open the mail with the password when someone is watching, users could use a work mail which is monitored or might forget to log out and someone could browse their emails.

second, there is the question of whether these mails are stored in a secure manner, what happens when the server storing these mails is hacked?


In this respect the link is better than a password - again - because the link expires after the first use. This leaves a shorter window of opportunity for the attacker and also makes reviewing the contents of the mailbox later ineffective.

 
regarding the security questions - i agree that it's not ideal from a pure security point of view but unfortunately necessary from a usability point of view. i think that the combination of security question + single use password / activation link is a necessary evil. sites should consider asking questions based on the usage of the site like what facebook is doing - showing photos and asking which are your friends - but it's also dangerous and might lock out people with bad memory..


So, if I know who your friends are and can see their pictures (using another facebook account) I can get at your account? No, it opens more holes than it closes. It's too low of a barrier. I agree that from a usability perspective it's better - but the compromise is too severe for my liking. Combine that with 2FA and we have something more workable from the security perspective.

-- Arik
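The reset-link properties discussed above (a random token, stored only as a hash like a password, expiring and valid for a single use) as an added Python example; this is not code from the thread, and the 15-minute lifetime and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes


class PasswordResetStore:
    """Issues single-use password reset tokens and keeps only their hashes.

    The mail carries the raw token; the store keeps sha256(token), an
    expiry time and a used flag. A dumped database therefore yields no
    working links, for the same reason storing password hashes beats
    storing clear-text passwords.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256 hex of token -> {"user", "expires", "used"}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a token for `user` and return it for inclusion in the mail."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "user": user,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # only ever sent to the user, never stored raw

    def redeem(self, token: str):
        """Return the user name if the token is valid, otherwise None.

        The row is marked used before returning, so a second click on the
        same link, or a replay from a mailbox read later, is rejected.
        """
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self._clock() > row["expires"]:
            return None
        row["used"] = True
        return row["user"]
```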

Ori Hoch

unread,
Jan 22, 2012, 4:12:48 AM1/22/12
to PyWeb-IL

On Jan 22, 10:49 am, Arik Baratz <arik.bar...@gmail.com> wrote:
> So, if I know who your friends are and can see their pictures (using
> another facebook account) I can get at your account? No, it opens more
> holes than it closes. It's too low of a barrier. I agree that from a
> usability perspective it's better - but the compromise is too severe for my
> liking. Combine that with 2FA and we have something more workable from the
> security perspective.

ok, but what do you suggest for someone that forgot their password or
lost their authentication device (such as their mobile phone)?
they are to be locked out forever from their online services?

Arik Baratz

unread,
Jan 22, 2012, 6:51:58 PM1/22/12
to pywe...@googlegroups.com
On Sun, Jan 22, 2012 at 1:12 AM, Ori Hoch <o...@uumpa.com> wrote:

ok, but what do you suggest for someone that forgot their password or
lost their authentication device (such as their mobile phone)?
they are to be locked out forever from their online services?


I think Google did it right.

When you sign up for their 2FA, they give you 3 ways to authenticate in addition to the password: Your phone (either by SMS or with an app), a piece of paper with codes (OTP) and an alternate phone by SMS, hopefully belonging to a friend. Losing both your phone and your piece of paper should be hard - but if you do you still have another option. You don't have to trust your friend with your password.

For the rest of us, there is not much of a choice... a secret question makes it far easier to get at your account. If you combine a secret question and a link to your registered email you fare far better - but not much better than simply sending a link to your account without the secret questions. All you gain from the secret question is a relatively low-value password which - if you gain access to the database and brute-force - can help you gain access to other accounts (even if you're smart and chose different passwords, your mother's maiden name doesn't change as often). I have turned the problem around for a while and I cannot see an angle where a security question would actually add to the security of an account.

Some providers use ONLY the security question... like Yahoo! for example... which is ridiculous. This is how Sarah Palin's account was hacked, amongst many many others... As a user of these systems I never answer the security question with real information and basically treat it as an additional password (and NOT the main account password, as the security questions are sometimes used for phone verification and hence stored in a reversible encryption / unencrypted).

Since I utilise the Google 2FA I trust my mail account to be available so all password resets go back to it and hinge on its security. I've had accounts hacked before but I managed to regain control due to this fact. And it may be redundant to mention it in this crowd - but never ever ever reuse your mail account password for anything whatsoever.

BTW I may sound like a Google fan boy now, but they did an experiment (sadly ended by now) whereby you can log in to a public terminal without typing your password at all or any authentication whatsoever - you go to a special URL (https://accounts.google.com/sesame), and it displays a QR code containing a terminal ID on the screen. You scan it with your phone and it points you to a Google URL where you can type your credentials... then the public terminal unlocks for you. Pretty cool. The experiment is, alas, over.

-- Arik


Ram Rachum

unread,
May 16, 2012, 12:22:35 PM5/16/12
to pywe...@googlegroups.com, arik....@gmail.com
Reviving this old topic!

Arik: When you get an email message, how do you check whether the mail servers used TLS while delivering it?

Arik Baratz

unread,
May 16, 2012, 6:31:29 PM5/16/12
to Ram Rachum, pywe...@googlegroups.com


On Thu, May 17, 2012 at 1:22 AM, Ram Rachum <r...@rachum.com> wrote:


Reviving this old topic!

Arik: When you get an email message, how do you check whether the mail servers used TLS while delivering it?

Most mail servers leave a hint in the "Received:" header that they add to the message. Here's an example:

Received: from mail-qw0-f52.google.com (mail-qw0-f52.google.com [209.85.216.52])
        by gmr-mx.google.com with ESMTPS id dc12si2771039qcb.3.2012.01.20.14.36.20
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 20 Jan 2012 14:36:20 -0800 (PST)


It's a bit complicated because you should be looking only at Internet hosts rather than internal hosts which may relay the messages internally without TLS. There's no easy way unfortunately.

-- Arik
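The Received: header check described above, as an added Python example (not from the thread): it parses every hop, flags the ones carrying a TLS hint ("with ESMTPS", "version=", "using TLS"), and lets you skip hops between internal hosts, which is the caveat Arik raises. The sample message is constructed; its first hop copies the header shape from the post, the second hop uses made-up .invalid hosts.

```python
import re
from email import message_from_string

# Constructed message. The outermost hop (first Received: line) used TLS,
# the inner hop between two assumed internal relays did not.
SAMPLE_MESSAGE = """\
Received: from mail-qw0-f52.google.com (mail-qw0-f52.google.com [209.85.216.52])
        by gmr-mx.google.com with ESMTPS id dc12si2771039qcb.3.2012.01.20.14.36.20
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 20 Jan 2012 14:36:20 -0800 (PST)
Received: from webapp.example.invalid (webapp.example.invalid [10.0.0.5])
        by relay.example.invalid with ESMTP id abc123;
        Fri, 20 Jan 2012 14:36:18 -0800 (PST)
Subject: password reset

body
"""

HOP_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)")
# ESMTPS/ESMTPSA (Sendmail/Google style), version= or "using TLS" (Postfix style)
TLS_RE = re.compile(r"\bESMTPSA?\b|\bversion=|\busing TLS", re.I)


def received_hops(raw_message: str):
    """Parse every Received: header; the latest hop comes first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # a relay wrote a shape we do not recognise; report nothing
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "with": m.group("proto"), "tls": bool(TLS_RE.search(flat))})
    return hops


def internet_hops_without_tls(raw_message: str, internal_suffixes=()):
    """Hops without a TLS hint, ignoring hops where both hosts are internal.

    Internal relays often skip TLS legitimately, so only hops with at least
    one host outside `internal_suffixes` count as an exposure on the wire.
    """
    def internal(host):
        return any(host.endswith(s) for s in internal_suffixes)
    return [h for h in received_hops(raw_message)
            if not h["tls"] and not (internal(h["from"]) and internal(h["by"]))]
```

The absence of a hint is not proof of clear-text transfer, only that the receiving relay recorded none; the presence of one covers just that single hop.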

Ram Rachum

unread,
May 17, 2012, 12:57:01 AM5/17/12
to pywe...@googlegroups.com
Great info, thanks Arik!

Arik Baratz

unread,
May 17, 2012, 4:03:11 AM5/17/12
to pywe...@googlegroups.com
No problem :)

Feel free to ask more, I really like the infrastructure questions ^^

Please remember though that SMTP/TLS is transport security only - the mail is still in clear-text in the destination mail store and in all of the queues of the intermediary MTAs. It does reduce your vulnerability surface a.k.a. attack surface.

-- Arik