The line between usability and security

    Password recovery is certainly a useful feature: there is no way I can remember the password I used to register on a site I visited once three years ago.

    The password recovery function is, as a rule, designed so that an attacker cannot use it to gain access to your account or to information about you.

    Nevertheless, many services happily hand out information about you precisely inside the "password recovery" function. I would even suggest that this information can be very useful to all sorts of unfriendly people.


    In case you did not guess, the screenshot is from one of the well-known social networks, which helpfully told me that no e-mail was sent to the specified address because no user with that address is registered.

    What does knowing whether a user is registered give us?

    1. Information about the user. We can build a tool that checks which services a person is registered on, which makes collecting personal information about that person much easier.

    2. We can filter a database of e-mail addresses down to those registered on particular mass services, and then, based on that information, ask those users for anything by e-mail.
    You will say: "Nonsense, you cannot filter a database of e-mail addresses." I would answer: not at all. It is one thing to receive a letter saying "send an SMS to the number XXXX so that your account on ... is not blocked". It is quite another when a single letter lists the five social networks you are registered on. Five correct facts about you are far more convincing!

    How should password recovery be designed?

    1. Asking for both e-mail and login is sadism! Many people use not only different passwords but also different logins/nicknames on different sites.

    2. Do not reveal whether a message was sent or not. This is unfriendly to the user, who may simply have made a typo in the address, in which case the promised e-mail with recovery instructions never arrives. The usual compromise is one neutral response for every address ("if an account exists for this address, instructions have been sent"), with the same status and wording whether the account exists or not.

    3. You can ask the user to recognise images or otherwise protect against bots, but this does not solve the whole problem of disclosing personal information, only the problem of mass disclosure: it stops the bulk probe, not a single targeted query. It also annoys the user.

    4. Secret questions. They do not always have an unambiguous answer, even if the user thought otherwise three years ago.

    Options suggested by Habr users.

    5. Password recovery requested by e-mail: "To recover your password, send an e-mail with the subject PassRestore to ... from the mailbox specified during registration."

    6. Binding to a mobile phone. The safest option: forget your password, send an SMS and receive a password in reply. It is not possible to check whether a person with a given mobile number exists on a specific site, because such user searches are not provided.
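    The enumeration oracle described above (list items 1 and 2) and the neutral-response rule from design item 2, as an added example that is not code from the original post. Python is used here because the point is a web backend's handler logic; the service class, the user store, the addresses and the token expiry are all hypothetical. The same reset endpoint is written twice, once leaking account existence through its response and once answering identically for every address, and a small probe shows which of the two can be used to enumerate accounts.

```python
"""Added example (not from the original post): a password-reset endpoint
written two ways, plus the probe an attacker would run against it.
The service, user store, addresses and token lifetime are hypothetical."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample of registered accounts (hypothetical addresses).
REGISTERED = {"alice@example.com", "bob@example.com"}

Response = Tuple[int, str]  # (HTTP status, body) returned to the browser


@dataclass
class ResetService:
    """Minimal password-reset backend; e-mails are queued in `outbox`, not sent."""
    users: set
    outbox: list = field(default_factory=list)   # (address, token) pairs awaiting delivery
    tokens: dict = field(default_factory=dict)   # token -> (address, expiry timestamp)

    def _queue_reset_mail(self, email: str) -> None:
        # Random, single-use, short-lived token; the plaintext password is never sent.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, time.time() + 15 * 60)  # hypothetical 15-minute expiry
        self.outbox.append((email, token))

    def reset_leaky(self, email: str) -> Response:
        """Vulnerable variant: the response tells the caller whether the address exists."""
        if email not in self.users:
            return 404, "No user with this e-mail address is registered."
        self._queue_reset_mail(email)
        return 200, "A recovery e-mail has been sent."

    def reset_uniform(self, email: str) -> Response:
        """Hardened variant: identical status and body whether or not the address exists.
        Mail is only queued for real accounts, but the caller cannot distinguish the cases."""
        if email in self.users:
            self._queue_reset_mail(email)
        return 200, ("If an account exists for this address, a recovery e-mail has been "
                     "sent. If it does not arrive, check the address for typos.")

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Redeem a token once; returns the address it was issued for, or None if
        the token is unknown, already used, or expired."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return None
        email, expires = entry
        return email if now < expires else None


def enumerate_accounts(handler: Callable[[str], Response], candidates: Iterable[str]) -> set:
    """Oracle probe: an address is confirmed when the endpoint's response differs
    from its response for an address that certainly does not exist."""
    baseline = handler("definitely-not-registered@example.invalid")
    return {c for c in candidates if handler(c) != baseline}


if __name__ == "__main__":
    svc = ResetService(users=set(REGISTERED))
    probe = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("leaky endpoint confirms:  ", enumerate_accounts(svc.reset_leaky, probe))
    print("uniform endpoint confirms:", enumerate_accounts(svc.reset_uniform, probe))
    print("queued recovery mails:    ", len(svc.outbox))
```

    Run as-is: the leaky endpoint confirms alice and bob, the uniform one confirms nothing, yet both queued the same recovery mails for the real accounts, so the user loses nothing. Two caveats: the uniform handler still does more work for an existing account (queuing the mail), so a remote caller who times the request may get the answer back through latency; in production the queueing should be asynchronous so request time does not depend on the account's existence. And a CAPTCHA or rate limit in front of either endpoint only slows the bulk version of this probe, as item 3 says; the single targeted query still works against the leaky variant.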

    What else can be done?

    I will add the best completed recommendations for designing password recovery here as the solution, naturally crediting the user who proposed it.

    What other scams based on this feature of "password recovery" seem realistic to you?
