Description

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-287
CWE-287

Consequences

Access Control: Gain Privileges or Assume Identity

An attacker could gain unauthorized access to the system by retrieving legitimate user’s authentication credentials.

Availability: DoS: Resource Consumption (Other)

An attacker could deny service to legitimate system users by launching a brute force attack on the password recovery mechanism using user ids of legitimate users.

Integrity, Other: Other

The system’s security functionality is turned against the system by the attacker.

Potential Mitigations

Phase: Architecture and Design

Description: 

Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.

Phase: Architecture and Design

Description: 

Do not use standard weak security questions and use several security questions.

Phase: Architecture and Design

Description: 

Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.

Phase: Architecture and Design

Description: 

Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.

Phase: Architecture and Design

Description: 

Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.

Phase: Architecture and Design

Description: 

Assign a new temporary password rather than revealing the original password.

CVE References