
The boundary between usability and security

Password recovery is certainly a useful feature: there is no way to remember the password I used when registering on a site that I visited once three years ago.

The password recovery function is usually designed so that an attacker cannot gain access to your information, or to information about you.

Nevertheless, many services readily hand out information about you inside that very "password recovery" function. I would even suggest that this information can be very useful to all sorts of people who are not well disposed towards you.
[Screenshot: error message shown by a well-known social service's password recovery form]


If you have not guessed it, the screenshot shows the screen of one well-known social service, which helpfully informed me that a letter was not sent to the address I entered because no user with that address was registered.

What does knowing whether a user is registered or not give us?

1. Information about the user. We can build a tool that checks which resources a given user is registered on, which makes collecting personal information about that person easier.

2. We can run a database of e-mail addresses through the form and learn who is registered on certain mass services, and then, on the basis of the information obtained, ask those users for something by mail.
You will say: "nonsense, nobody filters an e-mail database like that." I will answer: not at all. It is one thing to receive a letter saying "send an SMS to number XXXX so that your account on ... is not blocked". It is quite another when a single letter lists five social networks on which you really are registered. Five correct facts about you are convincing!

How to design a password recovery?

1. Asking for both e-mail and login at the same time is sadism! Many people use not only different passwords but also different logins / nicknames on different sites.

2. Do not display a message saying whether the letter was sent or not. This is unfriendly to the user, who may simply have made a typo in the address, in which case the promised letter with reset instructions will never arrive; but it is the price of not disclosing who is registered.

3. You can ask the user to recognize pictures (a CAPTCHA) or otherwise protect the form from bots, but this does not solve the whole problem of disclosing personal information, only the problem of mass disclosure. It also annoys the user.

4. Secret questions. They do not always have a single definite answer, even if the user thought otherwise three years ago.

Suggestions from readers:

5. (VtD) Request password recovery by e-mail: "To recover a password, send an e-mail with the subject PassRestore to lostpassword@site.com from the e-mail address you specified during registration."

6. (Psih) Binding to a mobile phone. The safest option: forget the password, send an SMS and get a password in reply. It is not possible to check whether a person with a given mobile phone number is registered (on a specific Internet resource), because such a user search is not provided.

What else can you do?

The best complete recommendations on password recovery design I will add here as the solution, of course with credit to the user who suggested it.

What other scams based on this "password recovery" feature seem realistic to you?

Source: https://habr.com/ru/post/55289/

