There has always been something deeply unsettling to me about the ‘Forgot Password’ functionality on many web sites.
The ‘Forgot Password’ page exists solely to help unauthenticated users bypass the usual means of authentication.
For whatever reason, many developers overlook the importance of locking this down, even after the issue of too-easily-guessable questions in Yahoo’s ‘Forgot Password’ procedure got a lot of media attention during the US presidential campaign after Gov. Palin’s webmail was hacked.
Even if the questions were based on specific preferences and more difficult to guess, very few sites check for brute-force attempts on the ‘Forgot Password’ page, even though brute-force protections have often been implemented on the more prominent login page.
One other recommendation I usually make is the banning of email addresses from Mailinator, Slopsbox, and similar anonymous email services in registration.
If you’re not familiar with Mailinator, it’s an email server which displays ALL received emails to anyone who visits their web site. Say you were registering for some web site and they asked for an address to send the validation email to. You can just enter any email address at Mailinator, for example firstname.lastname@example.org, and then go to www.mailinator.com and read the response. This is great for not having to give out your real email.
What this means, however, is that I can simply go to the ‘Forgot Password’ page, which usually requires only an email address, enter email@example.com, and a password reset email will be sent to Mailinator where I can collect it anonymously. Any user account on any web service which was registered to a Mailinator email address can be compromised simply by guessing the email address.
Here’s where the brute-forcing comes in. Since most sites let you make as many guesses on the ‘Forgot Password’ page as you’d like, there is nothing stopping an attacker from simply guessing email addresses at full tilt.
To demonstrate the effectiveness of this technique, I’ve written two example scripts, called the Mailinator-nator, which are available here.
The first script, forgot-pwd-force.py, does the following:
1) Brute forces ‘Forgot Password’ forms that only require email addresses on a hardcoded list of sites, using a wordlist of usernames.
2) For each username, tries each of the Mailinator domain aliases (Mailinator has a number of different domain names that point to the same place).
The second script, mailinator-scan.py, does the following:
1) Reads a wordlist of usernames from a file.
2) For each username, connects to Mailinator and logs all emails to that user which contain the word ‘password’.
To use these two together, first add your target sites to forgot-pwd-force.py. You can use one of my included wordlists or make your own; just be sure to use the same wordlist for both scripts.
Next, run the first script to force the target site to generate password reset emails to Mailinator addresses.
Wait a few minutes, and then run the second script to collect all of the return emails from the Mailinator server.
The second script can also be run as a cron job, which lets you troll Mailinator for password reset emails that you did not trigger yourself! Mailinator deletes all received emails within an hour or two, so you may have to tinker with it to find a good interval.
I love Mailinator, so I checked and this doesn’t seem to violate their terms of service. Looking at their site, they don’t seem to have terms of service! This makes some kind of sense, since all users to the site are anonymous. That said, actually logging in to a web site with a password recovered in this way is probably illegal in most jurisdictions so don’t do it.
As a site developer, what can you do to prevent these kinds of problems?
1) Ban registration emails to Mailinator and all of its domain aliases.
2) After 10 or so failed attempts to guess an answer on the ‘Forgot Password’ page, ban the IP for 5-15 minutes.
3) Require more than just the email address to send a password reset email. Consider at least two factors: email address AND one security question.
These three measures will protect your ‘Forgot Password’ page from brute-forcing and dictionary attacks, as well as protecting your users from having their accounts stolen.
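The three measures above, worked into one small defender-side module as an added example (my code, not from the Mailinator-nator scripts): a disposable-domain check for registration, a per-IP failure counter that bans an address after a configurable number of failed ‘Forgot Password’ attempts, and a reset gate that also requires the security-question answer. The alias domains other than mailinator.com, the thresholds, and the `lookup` callback are assumptions.

```python
import hmac
import time
from collections import deque
# Disposable public-inbox domains to refuse at registration. mailinator.com is named on
# the page; the other two entries are constructed placeholders standing in for its aliases.
DISPOSABLE_DOMAINS = {"mailinator.com", "alias-one.invalid", "alias-two.invalid"}

def is_disposable(email: str) -> bool:
    """True if the address belongs to a banned disposable-inbox domain."""
    return email.strip().lower().rpartition("@")[2] in DISPOSABLE_DOMAINS

class ForgotPasswordGuard:
    """Per-IP limiter for the 'Forgot Password' page: after max_failures failed
    attempts within window seconds, the IP is banned for ban_seconds."""
    def __init__(self, max_failures=10, window=300, ban_seconds=900, clock=time.monotonic):
        self.max_failures, self.window, self.ban_seconds = max_failures, window, ban_seconds
        self.clock = clock            # injectable clock so the limiter can be tested
        self._failures = {}           # ip -> deque of failure timestamps
        self._banned_until = {}       # ip -> time at which the ban expires

    def is_banned(self, ip: str) -> bool:
        until = self._banned_until.get(ip)
        if until is not None and self.clock() < until:
            return True
        self._banned_until.pop(ip, None)  # ban expired (or never existed)
        return False

    def record_failure(self, ip: str) -> bool:
        """Log a failed attempt; return True if it pushed the IP over the limit."""
        now = self.clock()
        q = self._failures.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_seconds
            q.clear()
            return True
        return False

    def request_reset(self, ip: str, email: str, answer: str, lookup) -> str:
        """Gate a reset email on the IP ban and a security-question answer. lookup(email)
        returns the stored answer (hash it in production) or None for unknown accounts."""
        if self.is_banned(ip):
            return "rate_limited"
        expected = lookup(email)
        if expected is None or not hmac.compare_digest(answer.encode(), expected.encode()):
            self.record_failure(ip)
            return "rejected"   # same reply for unknown email and wrong answer
        return "reset_sent"
```

Returning the same "rejected" status for an unknown address and a wrong answer keeps the page from doubling as an email-address oracle.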
As a user of Mailinator, you can reduce your exposure to this risk by making use of the ‘Delete This Email’ feature of Mailinator and by using a long, difficult-to-guess user name.