Account Recovery Fail

by adam on March 19, 2014

“Please note that your password will be stored in clear text in our database which will allow us to send it back to you in case you lost it. Try avoid using the same password as accounts you may have in other systems.” — a security conference’s speaker website

This is a silly pattern. At least these folks realize it’s a bad idea, and warn the person, but that’s the wrong approach, since it relies on people reading text, and then relies on them being willing to make up and recall yet another password.

The origin of this problem is a broken model of what people want from their online accounts. As I discuss in chapter 14 of Threat Modeling: Designing for Security, the right goal is almost always account recovery, not password recovery. It’s irksome to see a security conference get this so wrong.

To be fair, the person who selected the conference management system was likely not a security expert, and had other functional goals on which they were focused. It would be easier to be annoyed if someone had a comprehensive and precise list of security problems which they could look for. But while we’re being fair, this isn’t like a XSS or SQLi issue which require some skill to discover. It’s right there in the primary workflow.

Leave your comment

Not published.

If you have one.