logo

Weak Password Recovery Mechanism for Forgotten Password

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts.

Extended Description

Password recovery is a necessary feature, but it often becomes the weakest link in your authentication system. Common flaws include using easily guessed security questions (answers found on social media), sending the original password instead of a secure temporary one, or failing to limit reset attempts, which enables denial-of-service attacks. Attackers exploit these oversights to impersonate legitimate users, completely undermining even strong initial password policies. To prevent this, treat the recovery mechanism with the same security rigor as the primary login. Always generate a time-limited, single-use token sent to a pre-verified contact method. Implement robust rate-limiting and audit logs for all recovery attempts. The goal is to verify the user's identity securely without creating a new, exploitable path into the account.
Common Consequences 3
Scope: Access Control

Impact: Gain Privileges or Assume Identity

An attacker could gain unauthorized access to the system by retrieving legitimate user's authentication credentials.

Scope: Availability

Impact: DoS: Resource Consumption (Other)

An attacker could deny service to legitimate system users by launching a brute force attack on the password recovery mechanism using user ids of legitimate users.

Scope: IntegrityOther

Impact: Other

The system's security functionality is turned against the system by the attacker.
Potential Mitigations 6
Phase: Architecture and Design
Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Phase: Architecture and Design
Do not use standard weak security questions and use several security questions.
Phase: Architecture and Design
Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Phase: Architecture and Design
Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Phase: Architecture and Design
Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Phase: Architecture and Design
Assign a new temporary password rather than revealing the original password.
Demonstrative Examples 1
A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.
References 1
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Likelihood of Exploit

High

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Weak Authentication (CWE-1390)
ChildOf: Improper Authentication (CWE-287)
Taxonomy Mapping
  • WASC
Notes
MaintenanceThis entry might be reclassified as a category or "loose composite," since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).
MaintenanceThis entry probably needs to be split; see extended description.