The security risks of using ‘forgot my password’ to manage passwords

Being involved in security means that lots of people are only too happy to share their – let’s say – idiosyncratic ideas on how to protect one thing or another. (“Here’s what I do…”) When it comes to passwords, just about everyone has his or her own idea about the best way of staying safe online. Most of the homegrown ideas aren’t good. (Really!) Typically, they may protect against one attack vector only to reveal a soft underbelly against other attacks. Or, an idea may be OK theoretically, but impossible to implement.

sp_password-management-email-sept-15

Recently, I came across yet another suggestion to use your email address as a password manager. I’d like to address the usefulness of the approach.

Here’s a quick summary of the proposed solution, which I’ll call ForgotMyPassword:

  1. instead of remembering or otherwise managing (e.g. with a password manager or on paper) a bunch of passwords, users would use the ‘forgot my password’ feature each time they accessed any password-protected site.
  2. since clicking ‘forgot my password’ typically sends an email to the user’s email account, users would then follow the process in the email to access the site.
  3. access to the user’s email account would be protected by a strong password and have multi-factor authentication (MFA or 2FA) activated.

By having the passwords for each site change each time the user access the site, ForgotMyPassword proposes to do away with weak passwords that can be hacked.

Let’s see how that holds up against a little scrutiny.

We’ll start by reminding ourselves that we will in a world of friction – interacting parts of any system rub against each other and we end up with less than ideal results. In high school physics problems, we get to neglect the effects of friction, so balls roll forever on surfaces, rise forever, etc. This is real life, so we’ll address several obvious areas where we can’t expect perfect results.

  • Implicit in ForgotMyPassword is that the user will no longer have a bunch of passwords that can be hacked. This is not correct! There will be the same number of passwords as the user has accounts – only the user won’t know what they are. These unknown passwords will be valid until the next time the user visits an account. That could be in 1 hour, 1 day, 1 week, 1 month, etc. based on how often the user visits each site. As such, the passwords are temporary in the sense that they will be changed the next time the user logs in, but they do exist!
  • ForgotMyPassword assumes that users’ email accounts can’t be hacked. Multi-factor authentication is a very useful security tool, but there are many instances of social engineering hacks that have been used to get past 2FA. Making a user’s email account the single point of security failure is bound to lead to increased hacks of email accounts along this vector.
  • Password renewal mechanisms on websites are intended for password renewal – not password management! Various controls like frequency of reset requests are used to facilitate the renewal process. Using a password renewal system for the unintended purpose of password management will render existing controls useless and can quickly result, for example, in users being locked out of accounts!
  • ForgotMyPassword suggests that users will never again have to create passwords – or maybe just the one strong one for their email account. But that’s not correct! There are lots of sites that prompt users to create passwords based on whatever rules the site deems to be appropriate. Because people will be depending on the security of the ForgotMyPassword system, it is likely going to lead to bad passwords by doing the bare minimum to meet the requirements of the site: 8 characters, at least 1 upper/lower case, 1 number, 1 special character! And because of human nature, users are going to resort to unsafe patterns.
  • ForgotMyPassword assumes that each site (online account) has a secure password authentication system. That’s not a given. It’s likely that users will come across all sorts of different password creation systems, and that in itself will be confusing. Some sites will have you click once to create a random password, other sites will send you an email with your new password in plain text (definitely not a good security practice), and on and on. Confusion will lead to shortcuts being taken which will lead to less security.
  • ForgotMyPassword would delay users from accessing their accounts. Instead of entering an existing login/password combination, logging in to any site would first require going through a process of renewal. The user would have to go to the login page, click ‘forgot my password’, go to the email account to check for the email, then follow the steps to create a new password (automatic in some cases, by manual in many others). It may seem silly, but one of the main reasons that people use poor passwords at all is because they want instant access! Asking them to change to a system that takes longer is not likely to get them to comply. (ForgotMyPassword acknowledges this delay, but indicates that it acceptable.)
  • ForgotMyPassword would very likely create havoc in a user’s inbox. Only the very conscientious would delete new password notifications each time a new one came in. This would leave most users with an inbox of passwords and access links that will be a gold mine for a successful hacker.

Conclusion

ForgotMyPassword will result in confusion for the users. And because confusion leads to noncompliance, people will use the system for some accounts, but return to bad practices for other accounts. It would very likely lead to a lot of shortcuts being taken by users as they try to speed things up and make things easy for themselves. (A major shortcut big one is going to be checking the ‘remain logged in’ box on sites that allow it – which is not a good security practice.)

Using ForgotMyPassword as password management would give users a false sense of security that they are protected by a cloud of constantly changing passwords. In reality, the cloud would obscure only the user’s perception, but nothing will have changed for hackers and bad guys, who will continue to use their tried and true methods to break in.

Sticky Password recommends using a password manager to manage all your unique passwords and passphrases. In addition to creating and remembering your passwords for you, Sticky Password will fill in online forms for you.