ewx: (geek)
[personal profile] ewx

From news.livejournal.com:

The recent break-ins resulted from hijackers finding and accessing lapsed Hotmail accounts that were used with LiveJournal accounts and publicly displayed on Profile pages in the past. You should be aware that Hotmail recycles email addresses that haven't been used in more than a year. If you validated a Hotmail address for your journal and displayed it publicly in the past, but then let the address lapse, someone who finds and re-registers that address can use it to obtain control of the journal.

This problem is unique neither to LiveJournal (anything that has a password reminder and allows usernames to somehow be connected to email addresses will be vulnerable) nor to Hotmail (domain names can change owner). Connecting addresses to logins doesn't have to be 100% reliable for the exercise to be worthwhile to an attacker, and for a high-profile target they might well be prepared to spend a bit of time researching them.

LiveJournal suggests that users make sure they only use addresses that they retain control over; in other words, user education, which has a poor track record.

Some possible measures that don't rely on the user's initiative:

  • Refuse to send password reminders to any email address that you've ever published. If addresses and logins can be connected some other way then this is no help, but it should at least reduce the size of the problem a bit.
  • Periodically verify that addresses recorded for password reminders are valid, for instance by sending them a confirmation link that must be clicked for the reminder address to remain usable. Unfortunately if the address has expired and already been re-used, this doesn't do any good - the attacker can follow the link. You could go further and require the password to be entered for the confirmation to complete - but training users to enter passwords in response to emails received out of the blue is a terrible idea!
  • Expire reminder addresses; users would have to (log in and) re-enable them and then re-confirm them (thus resetting the expiry on the email address too, conveniently). This is the most effort for the users, but probably also the most reliable. In practice you'd send a warning email a bit before expiry so that there need never be an interval where you couldn't get a password reminder.
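To make the three measures concrete, here is an added example (not LiveJournal's code and not from the post) modelling the lifecycle of a reset address: a sticky "ever published" flag that disqualifies the address, a confirmation timestamp that is renewed when the owner clicks a link, and a warning window before the confirmation lapses. The 180-day validity window, 14-day warning window and all addresses and dates are assumptions chosen for the illustration.

```python
"""Reset-address lifecycle for the three measures in the post (added example).

Not LiveJournal's code; assumptions: a 180-day validity window for a confirmed
address, a 14-day warning window before expiry, and an in-memory store. All
addresses and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=180)  # assumed: how long a confirmation stays good
WARNING = timedelta(days=14)    # assumed: lead time for the pre-expiry warning mail


@dataclass
class ResetAddress:
    address: str
    confirmed_at: datetime        # last time the owner clicked a confirmation link
    ever_published: bool = False  # ever shown on the public profile (sticky)

    def expires_at(self) -> datetime:
        return self.confirmed_at + VALIDITY


@dataclass
class Account:
    username: str
    addresses: dict = field(default_factory=dict)

    def add_address(self, address, now, published=False):
        self.addresses[address] = ResetAddress(address, now, published)

    def publish(self, address):
        # Measure 1: once published, the address is permanently disqualified
        # as a reset target, even if it is later hidden again.
        self.addresses[address].ever_published = True

    def confirm(self, address, now):
        # Measures 2 and 3: a clicked confirmation link renews the expiry clock.
        self.addresses[address].confirmed_at = now

    def reset_targets(self, now):
        """Addresses a reset mail may be sent to right now."""
        return sorted(a.address for a in self.addresses.values()
                      if not a.ever_published and now < a.expires_at())

    def warnings_due(self, now):
        """Addresses inside the warning window: mail the owner before it lapses."""
        return sorted(a.address for a in self.addresses.values()
                      if a.expires_at() - WARNING <= now < a.expires_at())


def later(t, days):
    """Helper for the demo and tests: shift a timestamp by whole days."""
    return t + timedelta(days=days)


def demo():
    t0 = datetime(2009, 3, 13, tzinfo=timezone.utc)
    acct = Account("example_user")
    # Constructed sample data: an old, once-public address (the pattern in the
    # news post), a current address whose confirmation is 170 days old, and
    # one confirmed today.
    acct.add_address("old@example.invalid", later(t0, -400), published=True)
    acct.add_address("current@example.invalid", later(t0, -170))
    acct.add_address("fresh@example.invalid", t0)
    return acct, t0


if __name__ == "__main__":
    acct, t0 = demo()
    print("may reset to:", acct.reset_targets(t0))
    print("warn about:  ", acct.warnings_due(t0))
```

The model also makes the caveat in the second bullet visible: `confirm()` cannot tell whether the person clicking the link is the original owner or someone who re-registered a lapsed address, so periodic confirmation and expiry bound the window of exposure rather than close it; only the "ever published" rule is independent of who currently reads the mailbox.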

(no subject)

Date: 2009-03-13 09:34 am (UTC)
ext_78: A picture of a plush animal. It looks a bit like a cross between a duck and a platypus. (Default)
From: [identity profile] pne.livejournal.com
The reminder would probably also result in some people going, "Oh, do I still have that address on the list? I never use that any more, might as well get rid of it." Rather than simply having the address drop off users' radar as now.

And they might also think about doing something with time-limited address such as many educational ones (which stop working once you've graduated), in advance.

Though it might not solve the problem of the people who let their LiveJournal account lie dormant for a couple of years.

(no subject)

Date: 2009-03-13 10:24 am (UTC)
gerald_duck: (ascii)
From: [personal profile] gerald_duck
An obvious measure: refuse to send out a password reminder for some length of time after the user's last use of the system. Bring up a "someone (maybe you) has asked for a password reminder to be sent to…" screen the moment they do anything with LJ after the password reminder request has been sent, giving them the option to type in their password to cancel it. The amount of time required before sending out a reminder could be constant (24 hours, say?) or related to how recently the password has been changed, how heavily the account is used, etc.

That would be a hindrance for people trying to reclaim a stolen account, but such people should probably be talking to the abuse team rather than trying to reclaim their account automatically, anyway.

(no subject)

Date: 2009-03-13 10:33 am (UTC)
ext_78: A picture of a plush animal. It looks a bit like a cross between a duck and a platypus. (Default)
From: [identity profile] pne.livejournal.com
An obvious measure: refuse to send out a password reminder for some length of time after the user's last use of the system.

That would punish people who can log in (e.g. through a "remember me" cookie) but realise at some point that they can't remember their password. (For example, when they want to change the email address on their account, which you need the password for these days.)

To a lesser extent, also those who can log in because their browser has saved their password, since those users may or may not know how to extract the saved password out of the bowels of their browser.

(no subject)

Date: 2009-03-13 10:43 am (UTC)
gerald_duck: (ascii)
From: [personal profile] gerald_duck
Sorry, for "after the user's last use of the system", read "if the account has been used recently". In the scenarios you mention, they could keep using the account while waiting for the password reminder, but would be told (probably once per IP address/cookie combination?) the request was pending and invited to cancel it and/or report it as abuse.
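The delayed-reset scheme proposed above (hold the mail if the account has been used recently, show the logged-in user a pending-reset notice once per IP/cookie combination, and let them cancel it by typing their password) as an added example; it is not LiveJournal's code or the commenter's. The 24-hour hold, the 7-day "recently used" threshold, PBKDF2 password storage and all sample values are assumptions.

```python
"""Delayed password-reset mail with in-session cancellation (added example).

Not LiveJournal's code. Assumptions: a 24-hour hold, a 7-day "used recently"
window, in-memory state and PBKDF2-HMAC-SHA256 password hashes. All sample
usernames, passwords, addresses and timestamps are constructed.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(hours=24)       # assumed delay before the reset mail goes out
RECENT_USE = timedelta(days=7)   # assumed threshold for "account used recently"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


@dataclass
class PendingReset:
    token: str
    requested_at: datetime
    send_at: datetime
    cancelled: bool = False
    notified: set = field(default_factory=set)  # (ip, cookie) pairs already warned


@dataclass
class Account:
    username: str
    password_hash: bytes
    last_used: datetime
    pending: Optional[PendingReset] = None


def request_reset(acct: Account, now: datetime) -> PendingReset:
    """Queue a reset. Idle accounts get the mail at once; active ones after HOLD."""
    recently_used = now - acct.last_used < RECENT_USE
    send_at = now + HOLD if recently_used else now
    acct.pending = PendingReset(secrets.token_urlsafe(16), now, send_at)
    return acct.pending


def on_activity(acct: Account, now: datetime, ip: str, cookie: str):
    """Call on every authenticated action; returns a notice to show, or None."""
    acct.last_used = now
    p = acct.pending
    if p is None or p.cancelled or now >= p.send_at:
        return None          # nothing pending, or the mail has already gone out
    key = (ip, cookie)
    if key in p.notified:
        return None          # this browser/session has already been told
    p.notified.add(key)
    return (f"Someone (maybe you) asked for a password reset at "
            f"{p.requested_at:%Y-%m-%d %H:%M} UTC. Enter your password to cancel it.")


def cancel_reset(acct: Account, password: str) -> bool:
    """Cancel the pending reset; only the current password may do so."""
    p = acct.pending
    if p is None or p.cancelled or not verify_password(password, acct.password_hash):
        return False
    p.cancelled = True
    return True


def due_for_sending(acct: Account, now: datetime) -> bool:
    """True when the mailer should actually send the reset message."""
    p = acct.pending
    return p is not None and not p.cancelled and now >= p.send_at


def hours_after(t: datetime, hours: int) -> datetime:
    return t + timedelta(hours=hours)


def make_account(username: str, password: str, idle_days: int):
    """Constructed fixture: an account last used idle_days before a fixed 'now'."""
    now = datetime(2009, 3, 13, 10, 24, tzinfo=timezone.utc)
    acct = Account(username, hash_password(password), now - timedelta(days=idle_days))
    return acct, now


if __name__ == "__main__":
    acct, now = make_account("active_user", "correct horse", idle_days=1)
    request_reset(acct, now)
    print(on_activity(acct, hours_after(now, 1), "198.51.100.7", "cookie-a"))
    print("send now?", due_for_sending(acct, now), "| after 25h?",
          due_for_sending(acct, hours_after(now, 25)))
```

Cancellation requires the password rather than just a click so that an attacker who already holds a session cookie cannot silently suppress the legitimate owner's own reset request; the notice is keyed on (IP, cookie) so the warning is shown once per browser rather than on every page view.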

(no subject)

Date: 2009-03-13 12:51 pm (UTC)
From: [identity profile] imc.livejournal.com
This problem is unique neither to Livejournal

I agree, but this doesn't make it not noteworthy (especially since this was on news.livejournal.com and the vast majority of recent break-ins are allegedly related to Hotmail).

Refuse to send password reminders to any email address that you've ever published.

Unfortunately, many users already get upset at basic security measures implemented by LiveJournal, such as the policy "if you cannot remember your password and no longer have access to the currently registered email address or any previously validated email address, and if you did not set a security question while you had access to the account, then you will not be able to regain access to your account. At all, ever." That policy is not going to change, no matter how many disgruntled users write in to complain, but can you imagine how much more upset a user would be if they could not regain access to their account merely because their email address had appeared in public for ten minutes when they set the account up?

So I don't really think this one is viable as you've stated it. You could mitigate it by applying the rule only to email addresses that haven't been current for at least six months; but actually LiveJournal might be better off deleting those old email addresses entirely instead of hanging on to them. The best way for everyone to be safe is to make sure people keep their email addresses up to date. This is currently attempted though user education, but as you say, it doesn't work that well.

[Point of order: they are password reset emails, not password reminder emails.]

Periodically verify that addresses recorded for password reminders are valid, for instance by sending them a confirmation link that must be clicked for the reminder address to remain usable.

This is a fair idea, but would irritate users if it happened too often, whereas it wouldn't be effective if done too infrequently. If someone abandons or loses their current email address, then even if the address hasn't been re-used it's a problem because the user won't read the message and thus won't update the email address on their profile, so when they forget their password they'll be SOL. It does at least mean the account is less likely to be broken into. What you probably want — at least for the confirmation that applies to their current address — is a lurid banner at the top of every page they visit saying (effectively) "Is your email address up to date? We sent you a confirmation link on yyyy-mm-dd but you haven't clicked it yet." This wouldn't work if the user has already abandoned their LiveJournal account but, eh, you can't help everyone.

Expire reminder addresses; users would have to (log in and) re-enable them and then re-confirm them (thus resetting the expiry on the email address too, conveniently). This is the most effort for the users, but probably also the most reliable. In practice you'd send a warning email a bit before expiry so that there need never be an interval where you couldn't get a password reminder.

I think that with the reminder email this effectively decays to the above. Without the email it would be a bit unfriendly because the user wouldn't necessarily know they had to do anything. On the other hand, very few people need to keep previous addresses around so it might be worth just letting those ones expire after, say, six months. (This doesn't help someone whose account is broken into while they are on a 12-month sabbatical, but actually they are no worse off than with the current system, since it allows the attacker to delete the original email addresses after six months.)

One problem with all this is that the more complicated you make it, the harder it will be to write coherent documentation and to explain the situation to a user who needs help (it already takes three lines to explain the conditions for being able to regain access to your account). In addition, any solution that depends on sending email will fall foul of people's spam traps blocking the message.

(no subject)

Date: 2009-03-13 12:52 pm (UTC)
From: [identity profile] imc.livejournal.com
PS it would probably be worth writing some of this up as a [Bad username or site: suggestions title=suggestion @ livejournal.com].

(no subject)

Date: 2009-03-13 01:50 pm (UTC)
ext_8103: (Default)
From: [identity profile] ewx.livejournal.com

By 'not unique to livejournal' I mean I'm talking about the problem in the abstract, not (only) as it applies to Livejournal. The distinction between password resets (with a fresh password) and password reminders (with a password that you've in any case forgotten) is, as far as I can see, not important to the generic case.

There are bigger problems with "don't send passwords to publicized emails" than managing transition arrangements (which only apply to pre-existing systems). It's not going to be convenient for all users to have multiple email addresses that (importantly) they actually bother checking, and you (the website) cannot control publication of the address/login relationship outside your control. At a more conceptual level, the whole point of an email address is to be known to other people, so a system that requires keeping it secret is going to be a non-starter.

All these systems include being able to email the user as a precondition, by definition; we are after all talking about solving problems with reminder (or reset) emails!

(no subject)

Date: 2009-03-13 01:51 pm (UTC)
ext_8103: (Default)
From: [identity profile] ewx.livejournal.com
Feel free to forward my comments (or more sensibly the URL of this page, to include the various bits of discussion).
