Many authentication systems that have the user enter a login and a password at the beginning of a session also include a password recovery subsystem.
Such a subsystem must be able to authenticate users by means other than the password.
In most cases, the additional information used for authentication is the answer to a secret question. Many systems request still more information, such as the date of birth.
Password recovery subsystems have the following drawbacks:
The date of birth and other information used as the answer to a secret question may be known to a third party. For example, a user's friends may know that person's date of birth or the name of his or her dog.
Creating a password recovery subsystem decreases the security level of the authentication and authorization system.
A successful attacker can obtain full control over the account of a target user. To avoid such a situation, you could prohibit users from changing the information necessary to recover their passwords.
However, this wouldn't solve the problem. If an attacker obtains the information necessary to recover the password (the answer to a secret question, a birth date, etc.), the fight for control over the user's account turns into a ping-pong game. Both the legitimate user and the attacker will be able to recover the old password or create a new one. Both will have equal privileges, and the system won't be able to distinguish between them.
In addition, prohibiting changes to this information would be inconvenient for users.
Some systems send the password, or information sufficient to recover it, to the user's e-mail address when the user requests it and provides information sufficient for authentication (but not for authorization). Such systems have the following drawbacks:
If an attacker gains access to a user's e-mail (e.g., by happening to use the user's computer), the attacker can gain control over the user's account.
If the attacker gains control over the user's e-mail account in some other way, he or she will be able to control the user's account in any system that sends password recovery information to that e-mail address.
Some free e-mail systems cancel the registration of an address if its owner doesn't use it for a long time. If a user tells the password recovery system to send password recovery information to such an address, an attacker can eventually register the same address in the same e-mail system. This will allow him or her to gain control over that user's account.
Such a scheme decreases the security level of the authentication system.
To prevent an attacker who has access to the e-mail address of a valid user from obtaining control over this user's account, you could prohibit the user from changing the e-mail address used for password recovery.
However, this wouldn't be a good idea. The protection level of the system would still decrease if an attacker gained control over the e-mail address: the attacker, not the valid user, would then be able to recover the password in the system.
In addition, prohibiting changes to the e-mail address would be inconvenient for users.
User identification is not the same as authentication. Unlike authentication, identification is merely naming a user, without proof that the person is who he or she claims to be. To send the requested password to this person, identification is required, because authorization is impossible when the password is lost.
The following information is enough for identification:
Login. The information necessary for password recovery is sent to the e-mail address specified when the user registered with this login.
E-mail address. The system searches its database for the users who specified this address as the one to which password recovery information should be sent. In most cases, password recovery information must be sent for all such users; if there are several, the user has several accounts in the system.
Some systems offer their users a choice of identification method.
In some cases, before sending password recovery information, the system requires the user to enter some additional information, such as the date of birth.
All password recovery systems can be divided into two groups: systems that return the password unencrypted and systems that generate a new password rather than return the old one.
The systems returning unencrypted passwords have the following disadvantages:
If a user uses the same password everywhere and an attacker learns it, the attacker will be able to log into other systems as well.
The passwords are stored on the server in unencrypted form, or a reversible encryption algorithm is used. In the latter case, the information necessary for decryption is also stored on the server.
The systems that generate new passwords are free from these disadvantages.
Systems of these two types can be combined. For example, a system can ask the user a secret question or send the password to the user's e-mail address.
To prevent an attacker who gains brief access to a user's account from keeping control of it, the system should meet the following requirements:
The current password is never displayed.
The answer to the secret question is never displayed.
To change the password, the user has to enter the old one into a special text box. The change will take place only if the entered password is valid.
To change the answer to the secret question (if this change isn't prohibited), the user has to enter the password. The change will take place only if the entered password is valid.
To change the e-mail address used for password recovery (if this change isn't prohibited), the user has to enter the password. The change will take place only if the entered password is valid.
To change any information that could affect password recovery, it is necessary to enter the current user's password.
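The following is an added example, not code from the original text: a small in-memory model of a recovery subsystem built on the design described above (identification by login or by e-mail address, a newly generated password instead of the old one, and the current password required for any change that affects recovery). The password hashing scheme (PBKDF2), the account record layout, and the outbox that stands in for e-mail delivery are assumptions made for the example.

```python
import hashlib, hmac, os, secrets

def _kdf(secret, salt):
    # Non-reversible: the server keeps nothing that can yield the old password.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class RecoverySystem:
    """Constructed in-memory model; self.outbox stands in for e-mail delivery."""
    def __init__(self):
        self.accounts = {}  # login -> {"email", "salt", "pw", "ans"}
        self.outbox = []    # (to, login, new password) that would be mailed
    def register(self, login, password, email, answer):
        salt = os.urandom(16)
        self.accounts[login] = {"email": email, "salt": salt,
                                "pw": _kdf(password, salt),
                                "ans": _kdf(answer.strip().lower(), salt)}
    def _check(self, acct, secret, field):
        return hmac.compare_digest(_kdf(secret, acct["salt"]), acct[field])
    def login_ok(self, login, password):
        acct = self.accounts.get(login)
        return acct is not None and self._check(acct, password, "pw")
    def _issue_new_password(self, login, acct):
        # "Generate a new password" design: the old one is replaced, never shown.
        new_pw = secrets.token_urlsafe(12)
        acct["pw"] = _kdf(new_pw, acct["salt"])
        self.outbox.append((acct["email"], login, new_pw))

    def recover_by_login(self, login, answer):
        # Identification by login plus the secret question; the new password goes
        # only to the address fixed at registration, and the answer is never echoed.
        acct = self.accounts.get(login)
        if acct is None or not self._check(acct, answer.strip().lower(), "ans"):
            return False
        self._issue_new_password(login, acct)
        return True

    def recover_by_email(self, email):
        # Identification by e-mail address: every account registered with it is served.
        hits = [(l, a) for l, a in self.accounts.items() if a["email"] == email]
        for login, acct in hits:
            self._issue_new_password(login, acct)
        return len(hits)

    def change_recovery_email(self, login, password, new_email):
        # Anything that affects recovery requires the current password.
        if not self.login_ok(login, password):
            return False
        self.accounts[login]["email"] = new_email
        return True
```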