Web password recovery --- a necessary evil?
This paper addresses the security risks that password recovery creates for both users and websites. Its contribution is largely incremental: it builds on existing analysis of recovery mechanisms rather than introducing new ones.
The paper tackles the security weaknesses of web password recovery systems by providing an analytical framework and a model within which existing techniques can be evaluated systematically, and derives from this a set of concrete implementation recommendations for maximising security.
Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.