August 9, 2017

I would like to choose a password myself if you don’t mind?

Luckily it’s becoming less prevalent, but every once in a while when you do a password reset, you receive your password in plain text. When I recently privately reported this to a particular company, they told me a fix was already planned. And indeed a few months later I received an email that they ‘fixed’ the issue. They now no longer mail your existing password in plain text, but generate a new one and send that one in plain text.

And they’re not the only one. One of many other websites doing this is Vueling.

Let me give some reasons why this is still not a good idea:

First of all, it doesn’t give a lot of confidence that passwords are stored in a cryptographically strong way. At best a password is generated, sent via email and then hashed. But it might just as well still be stored in plain text in the database.

Even if passwords are hashed there are still several flaws. The password is still in plain text in your inbox and was transported insecurely (see this thread on security stackexchange). When the reset is performed a new password is immediately stored in the database, often without the need to change it at first login. The persistent nature of this particular implementation causes a Denial-of-Service risk. Someone with malicious intent can easily — albeit temporarily — lock a user out of their account simply by performing a password reset. Of course the user can request a new password and log in again, but in any case this is really poor user experience.

The right way to implement a password reset is by putting the responsibility of setting a new password where it belongs: on the user. This is accomplished by mailing a reset URL. This URL contains a token — which must be an expiring nonce — that can be checked server side to confirm that the person attempting to reset the password is the owner of the mail address. Because the existing password stays valid until the user actually chooses a new one, a reset request on its own can no longer lock anyone out.
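To make the token flow concrete, here is an added example (my own code, not from the post or from any company mentioned in it) of a reset-by-link service written against the standard library. The hostname, the 15-minute lifetime, the PBKDF2 parameters and the in-memory stores are assumptions standing in for a real application’s configuration and database. It shows the three properties the paragraph asks for: the token is a random, expiring, single-use nonce; only a hash of it is stored server side; and requesting a reset changes nothing about the account until the user sets a new password through the link.

```python
"""Reset-by-link flow: an expiring, single-use token is mailed to the user; the
existing password stays valid until the user actually chooses a new one."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60           # assumption: reset links expire after 15 minutes
BASE_URL = "https://example.invalid"  # placeholder host for the illustration


@dataclass
class ResetRecord:
    user_id: str
    token_hash: bytes    # only a hash is stored, so a database leak yields no usable links
    expires_at: float
    used: bool = False


class PasswordResetService:
    """In-memory stand-in for the users and reset-token tables of a real application."""

    def __init__(self) -> None:
        self.password_hashes: Dict[str, Tuple[bytes, bytes]] = {}  # user_id -> (salt, hash)
        self._pending: List[ResetRecord] = []

    # --- password storage ---------------------------------------------------
    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # PBKDF2 from the standard library; a real deployment picks its own KDF and parameters
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.password_hashes[user_id] = (salt, self._hash_password(password, salt))

    def check_password(self, user_id: str, password: str) -> bool:
        salt, stored = self.password_hashes[user_id]
        return hmac.compare_digest(stored, self._hash_password(password, salt))

    # --- reset tokens -------------------------------------------------------
    @staticmethod
    def _hash_token(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_reset(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a fresh nonce and return the link to put in the email.
        Nothing about the account changes: the current password still works."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._pending.append(
            ResetRecord(user_id, self._hash_token(token), now + TOKEN_TTL_SECONDS)
        )
        return f"{BASE_URL}/reset?token={token}"

    def _find_valid(self, token: str, now: float) -> Optional[ResetRecord]:
        wanted = self._hash_token(token)
        for rec in self._pending:
            # constant-time comparison so the lookup leaks nothing about stored hashes
            if (hmac.compare_digest(rec.token_hash, wanted)
                    and not rec.used and now <= rec.expires_at):
                return rec
        return None

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Consume the token and let the user set their own password.
        Returns False for unknown, expired or already-used tokens."""
        now = time.time() if now is None else now
        rec = self._find_valid(token, now)
        if rec is None:
            return False
        # every outstanding token for this user is spent by one successful reset
        for other in self._pending:
            if other.user_id == rec.user_id:
                other.used = True
        self.set_password(rec.user_id, new_password)
        return True


def token_from_link(link: str) -> str:
    """Pull the token back out of the mailed link (what the reset page would do)."""
    return link.split("token=", 1)[1]
```

Two design choices worth noting: the raw token exists only in the email link, never in the database, and expiry plus the `used` flag are checked at consumption time rather than relying on a background cleanup job, so a stale or replayed link fails closed even if cleanup never runs.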