Wednesday, 6 June 2012

How to NOT implement password reminder function

A quick post about my recent discovery. I created an account on a some website and wanted to get my password reminded. There was only one step - provide e-mail address used to register.

My first suprise was that the password was changed immediately without any confirmation. That means if i only knew a person e-mail i could change his password !

Second surprise was the pattern that emerged when i generated few passwords (for different accounts with different passwords):
XS?dh*96
NJ*fz!45
KX$mm!73
ZE*wx*98
PJ*fg?93
ZC?gb?4
JU!ig*80
YZ*vz@95
DD@fy@70
MX*em%72
DM%cn%17
[2 upper letters][special char][2 lower letters][special char][number max 2 digit].

Can you spot the problem ?
  • I am able to change someone's password knowing only his e-mail,
  • I know the generation pattern for this new password.
Based on those rules we are able to generate a dictionary file, and try to crack the password. However in this case it is not critical beacuse this is a webapplication. We have:
26 x 26 x 6 x 26 x 26 x 100 = 274185600 possible combinations, so the dictionary file would be around 2.2 GB size. Yep, it seems like a lot of time, but in case of flaws in the randomness of the string generation we could probally shorten the amount of time needed to crack it - i need to examine it deeper. To sum up, it does not seem to be a threat (for now) but those patterns definitely should have not appear in that function.

No comments:

Post a comment