Skip to main content

Web Password Recovery: A Necessary Evil?

  • Conference paper
  • First Online:
Proceedings of the Future Technologies Conference (FTC) 2018 (FTC 2018)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 881))

Included in the following conference series:

Abstract

Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 169.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 219.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    We avoid this terminology since it implies changing the existing password, and not all password recovery schemes involve such a change.

  2. 2.

    https://goo.gl/sG4wDv, accessed: 09/04/2018.

  3. 3.

    https://goo.gl/wCsLMk, accessed: 09/04/2018.

  4. 4.

    https://goo.gl/b67119, accessed: 09/04/2018.

  5. 5.

    https://goo.gl/9hbHNX, accessed: 09/04/2018.

  6. 6.

    https://goo.gl/yrv1fA, accessed: 09/04/2018.

  7. 7.

    https://goo.gl/uUYysF, accessed: 09/04/2018.

  8. 8.

    This analysis suggests a very simple attack on passwords, where a malicious entity sets up a site and persuades users to register and choose an ID and password; the site can then act on the assumption that some users will employ the same user name/password combinations elsewhere, and can try them out with other sites to see if they work. Such an attack could be very effective without even requiring any real-time MitM activity or compromise of existing password databases.

  9. 9.

    Google and Dropbox both use 6–digit verification codes.

References

  1. Bonneau, J., Bursztein, E., Caron, I., Jackson, R., Williamson, M.: Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at Google. In: Gangemi, A., Leonardi, S., Panconesi, A. (eds.) Proceedings of the 24th International Conference on World Wide Web, WWW 2015, Florence, Italy, 18–22 May 2015, pp. 141–150. ACM (2015)

    Google Scholar 

  2. Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: 9th Annual Workshop on the Economics of Information Security, WEIS 2010, Harvard University, Cambridge, MA, USA, 7–8 June 2010 (2010). http://www.jbonneau.com/doc/BP10-WEIS-password_thicket.pdf

  3. Chmielewski, L., Hoepman, J.-H., van Rossum, P.: Client-server password recovery. In: Meersman, R., Dillon, T.S., Herrero, P. (eds.) On the Move to Meaningful Internet Systems: OTM 2009, Confederated International Conferences, CoopIS, DOA, IS, and ODBASE 2009. Lecture Notes in Computer Science, vol. 5871, Vilamoura, Portugal, 1–6 November 2009, Proceedings, Part II, pp. 861–878. Springer (2009)

    Google Scholar 

  4. Ellison, C., Hall, C., Milbert, R.: Protecting secret keys with personal entropy. Future Gener. Comput. Syst. 16(4), 311–318 (2000)

    Article  Google Scholar 

  5. Frykholm, N., Juels, A.: Error-tolerant password recovery. In: Reiter, M.K., Samarati, P. (eds.) CCS 2001, Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, 6–8 November, 2001, pp. 1–9. ACM (2001)

    Google Scholar 

  6. Gelernter, N., Kalma, S., Magnezi, B., Porcilan, H.: The password reset MitM attack. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, 22–26 May 2017, pp. 251–267. IEEE Computer Society (2017)

    Google Scholar 

  7. Gong, N.Z., Wang, D.: On the security of trustee-based social authentications. IEEE Trans. Inf. Forensics Secur. 9(8), 1251–1263 (2014)

    Article  Google Scholar 

  8. Guri, M., Shemer, E., Shirtz, D., Elovici, Y.: Personal information leakage during password recovery of internet services. In: Brynielsson, J., Johansson, F. (eds.) 2016 European Intelligence and Security Informatics Conference, EISIC 2016, Uppsala, Sweden, 17–19 August 2016, pp. 136–139. IEEE Computer Society (2016)

    Google Scholar 

  9. Jin, L., Takabi, H., Joshi, J.B.D.: Security and privacy risks of using e-mail address as an identity. In: Elmagarmid, A.K., Agrawal, D. (eds.) Proceedings of the 2010 IEEE Second International Conference on Social Computing, SocialCom/IEEE International Conference on Privacy, Security, Risk and Trust, PASSAT 2010, Minneapolis, Minnesota, USA, 20–22 August 2010, pp. 906–913. IEEE Computer Society (2010)

    Google Scholar 

  10. Just, M., Aspinall, D.: Personal choice and challenge questions: a security and usability assessment. In: Cranor, L.F. (ed.) Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS 2009, Mountain View, California, USA, 15–17 July 2009. ACM International Conference Proceeding Series. ACM (2009)

    Google Scholar 

  11. Karlof, C., Tygar, J.D., Wagner, D.A.: Conditioned-safe ceremonies and a user study of an application to web authentication. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2009, San Diego, California, USA, 8th February–11th February 2009. The Internet Society (2009)

    Google Scholar 

  12. Kharudin, W.M., Din, N.F.Md., Jali, M.Z.: Password recovery using graphical method. In: Abraham, A., Muda, A.K., Choso, Y.-H. (eds.) Pattern Analysis, Intelligent Security and the Internet of Things, pp. 11–20. Springer (2015 )

    Google Scholar 

  13. Lilly, A.: IMSI catchers: hacking mobile communications. Network Secur. 2017(2), 5–7 (2017)

    Article  Google Scholar 

  14. Mannan, M., Barrera, D., Brown, C.D., Lie, D., van Oorschot, P.C.: Mercury: recovering forgotten passwords using personal devices. In: Danezis, G. (ed.) Financial Cryptography and Data Security — 15th International Conference, FC 2011, Gros Islet, St. Lucia, February 28 – March 4, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 7035, pp. 315–330. Springer (2011)

    Google Scholar 

  15. Polakis, I., Kontaxis, G., Antonatos, S., Gessiou, E., Petsas, T., Markatos, E.P.: Using social networks to harvest email addresses. In: Al-Shaer, E., Frikken, K.B. (eds.) Proceedings of the 2010 ACM Workshop on Privacy in the Electronic Society, WPES 2010, Chicago, Illinois, USA, 4 October 2010, pp. 11–20 (2010)

    Google Scholar 

  16. Rabkin, A.: Personal knowledge questions for fallback authentication: security questions in the era of facebook. In: Cranor, L.F. (ed.) Proceedings of the 4th Symposium on Usable Privacy and Security, SOUPS 2008, Pittsburgh, Pennsylvania, USA, 23–25 July 2008. ACM International Conference Proceeding Series, pp. 13–23. ACM (2008)

    Google Scholar 

  17. Schechter, S.E., Bernheim Brush, A.J., Egelman, S.: It’s no secret: measuring the security and reliability of authentication via “secret” questions. In: Cranor, L.F. (ed.) Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS 2009, Mountain View, California, USA, 15–17 July 2009, ACM International Conference Proceeding Series. ACM (2009)

    Google Scholar 

  18. Stavova, V., Matyas, V., Just, M.: Codes v. people: a comparative usability study of two password recovery mechanisms. In: Foresti, S., Lopez, J. (eds.) Information Security Theory and Practice — 10th IFIP WG 11.2 International Conference, WISTP 2016, Heraklion, Crete, Greece, 26–27 September 2016, Proceedings. Lecture Notes in Computer Science, vol. 9895, pp. 35–50. Springer (2016)

    Google Scholar 

  19. Titcomb, J.: Hacker reveals how he could take over any facebook account and change its password. The Telegraph, March 2016

    Google Scholar 

  20. von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: using hard AI problems for security. In: Biham, E. (ed.) Advances in Cryptology — EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 4–8 May 2003, Proceedings. Lecture Notes in Computer Science, vol. 2656, pp. 294–311. Springer (2003)

    Google Scholar 

  21. Welch, Bill: Exploiting the weaknesses of SS7. Network Secur. 2017(1), 17–19 (2017)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Fatma Al Maqbali .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Maqbali, F.A., Mitchell, C.J. (2019). Web Password Recovery: A Necessary Evil?. In: Arai, K., Bhatia, R., Kapoor, S. (eds) Proceedings of the Future Technologies Conference (FTC) 2018. FTC 2018. Advances in Intelligent Systems and Computing, vol 881. Springer, Cham. https://doi.org/10.1007/978-3-030-02683-7_23

Download citation

Publish with us

Policies and ethics