A hacker who goes by the alias “pdp” recently posted information about Attacking Password Recovery Facilities on his blog. He reviews several approaches to gaining unauthorized access to user accounts by circumventing security in the password recovery function of a system rather than trying to guess a user’s password.
Since attackers often follow the path of least resistance when penetrating a host, it is critical that password recovery functionality be designed to resist attack.
I described one of these attacks, determining the answers to a user’s challenge questions, in the white paper I mentioned in a past blog entry. Hopefully his post will help convince more people that attackers pose a real threat to their challenge question authentication systems, whether those are used for password recovery or for secondary authentication.