This paper discusses and analyzes the Internet-based password reset functionality that many organizations provide for their customers. The average application user is being forced to remember more and more complex passwords to accomplish their daily routines. The very nature of complex passwords sometimes results in passwords that are “meant” to be forgotten. Users are constantly reminded (or forced) to select passwords that cannot be easily guessed or successfully attacked with brute-force tools. While some users still fail to use strong passwords, many users “over-compensate” by selecting a password that is too difficult to remember. To support these customers, many web sites provide a password reset function as a quick means for users to reset their currently assigned password after successfully answering a challenge question. This feature is intended to reduce the demand for human helpdesk interaction, thereby reducing the cost of operating the application or service.
Unfortunately, these cost-saving password reset features have opened up new attack vectors. Why would an attacker spend hours or days trying to find a software hole when he or she can simply reset a user's password? Password reset services are quickly becoming the easiest way to gain access to customer data. When not implemented correctly, these reset features are the simplest and quickest backdoor for enumerating customer accounts and gaining unauthorized access to them.
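The two failure modes named above, account enumeration through the reset form and unauthorized access through a weak challenge step, can be made concrete with a small model of a reset flow. The following Python is an added illustration, not code from the paper or from any real site; the user store, the challenge answers and the names of the functions are all constructed for the example. The vulnerable handler answers differently for existing and non-existing usernames, so an attacker can harvest valid accounts; the hardened handler returns one uniform response, verifies the challenge answer with a constant-time comparison and a per-account attempt limit, and only then issues a random, single-use, expiring reset token.

```python
"""Added example (not part of the original paper): a password-reset request
handler in a vulnerable and a hardened form, with an attacker's enumeration
probe run against both. All data below is constructed sample data."""
import hashlib
import hmac
import secrets
import time
from collections import Counter

# Constructed sample user store (hypothetical): challenge question and answer.
USERS = {
    "alice": {"question": "first pet", "answer": "rex"},
    "bob": {"question": "birth city", "answer": "leeds"},
}

MAX_ATTEMPTS = 5        # failed challenge attempts allowed per account name
TOKEN_TTL_SECONDS = 900  # reset token validity window
UNIFORM_REPLY = {"status": 200,
                 "body": "If the account exists, reset instructions have been sent."}


def reset_request_vulnerable(username):
    """Leaks account existence: 404 for unknown users, and discloses the
    challenge question to an unauthenticated caller for known ones."""
    user = USERS.get(username)
    if user is None:
        return {"status": 404, "body": "Unknown user"}
    return {"status": 200, "body": f"Security question: {user['question']}"}


def reset_request_hardened(username):
    """Same status and body whether or not the account exists; the challenge is
    handled out of band (e.g. via a link sent to the registered address)."""
    return dict(UNIFORM_REPLY)


# State for the hardened challenge step (module level for the example only).
FAILED_ATTEMPTS = Counter()   # username -> failed challenge attempts
PENDING_TOKENS = {}           # sha256(token) -> (username, expiry time)


def verify_challenge(username, answer):
    """Return a one-time reset token if the challenge answer is correct, else None.
    Unknown users, wrong answers and locked accounts are indistinguishable."""
    if FAILED_ATTEMPTS[username] >= MAX_ATTEMPTS:
        return None
    user = USERS.get(username)
    # Compare against a dummy value for unknown users so the work done is the same.
    expected = user["answer"] if user else "dummy-answer-for-unknown-user"
    ok = hmac.compare_digest(expected.encode(), answer.strip().lower().encode())
    if user is None or not ok:
        FAILED_ATTEMPTS[username] += 1
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a leaked store does not yield usable tokens.
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING_TOKENS[digest] = (username, time.monotonic() + TOKEN_TTL_SECONDS)
    return token


def redeem_token(token, new_password):
    """Consume a reset token exactly once, within its validity window."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING_TOKENS.pop(digest, None)   # pop: single use
    if entry is None:
        return False
    username, expiry = entry
    if time.monotonic() > expiry:
        return False
    USERS[username]["password"] = new_password  # a real system would hash this
    return True


def enumerate_with(handler, candidates):
    """Attacker's view: candidate names whose reply differs from a reply for a
    name that certainly does not exist. Returns the sorted list of such names."""
    baseline = handler("zzz-no-such-user-zzz")
    return sorted(c for c in candidates if handler(c) != baseline)
```

Running `enumerate_with` over a wordlist against the vulnerable handler yields the valid account names; against the hardened one it yields nothing, because every reply is identical. The attempt limit is what makes the challenge question a real control: without it, a short list of common answers is enough to take over the account.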