Tags: security, password-policy

Returning a password to the web user


I have received the unfortunate requirement of building a page that displays a new password to the authenticated user. I have unsuccessfully protested this requirement as a generally bad idea, but I think the jury is still out so perhaps there are arguments against displaying a new password that I haven't tried yet. Do you have any suggestions?

Second, would it be better to display the password to the user as an image, rather than as text. I'm concerned about the text being "scraped" which I'm assuming would be more difficult with an image. How do I make sure that the image will not be cached by the users browser?

thanks in advance,


Solution

  • I'm not sure what you are building and what the requirements are, but as a general rule of thumb I do not consider this a grievous security concern. Let's look at the attack vectors:

    1. Man-in-the-middle attack on the HTTP text traffic - an image, especially one obfuscated against OCR (CAPTCHA style), will prevent this attack, but so will simply using HTTPS, as porneL mentioned.
    2. Screen scraping by a remote desktop application - HTTPS protection will not help, nor will an image, as the mess on the screen has to be read by a human anyway (a human attacker can also circumvent your obfuscated image protection against "man in the middle" by instructing the listener to archive the images and then go over them manually). If a human is behind the screen scraper, then you have no protection.
    3. Over-the-shoulder eavesdropping - if the attacker is simply standing behind the user, then again, you have no protection.

    Do note that if your password is autogenerated, then you must show it to the user; there is no way around that. One way sites try to mitigate the threat is to send the password by email, under the assumption that a user can make sure they read the email when no one is looking, at their own time. Unfortunately, email will not even give you the benefit of encryption to protect the transfer.

    In my opinion, the best way is to let the user input the password (in a password obfuscation field, as is normally done) and then only store the hash of the password, so you need not store the actual password, which prevents you from showing it to the user. If you must show it to the user (possibly because you are generating it), then make sure you are over HTTPS and just show it - all the fanfare just complicates the implementation without giving any security benefits.
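To make the two recommendations in the answer concrete (store only a salted hash, and if you must show an autogenerated password, show it once over HTTPS), here is an added example that is not part of the question or the answer. It also covers the caching point raised in the question: the one-time display response is sent with `Cache-Control: no-store`, which works the same whether the password is rendered as text or as an image. The function names, the PBKDF2 work factor and the `provision_user` flow are my own assumptions; nothing here is the original poster's code.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumed work factor for illustration; tune to your hardware and guidance.
PBKDF2_ITERATIONS = 600_000
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16) -> str:
    """Generate an autogenerated password from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored; the cleartext is discarded."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare in constant time so timing does not leak matches."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def no_store_headers() -> Dict[str, str]:
    """Response headers for the one-time page that displays the password.

    Cache-Control: no-store tells browsers and intermediaries not to persist the
    response; Pragma and Expires cover older HTTP/1.0 caches. Apply these to the
    HTML page and, if you render the password as an image, to the image response too.
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def provision_user() -> dict:
    """Hypothetical flow: generate a password, keep only salt + hash, show the cleartext once."""
    password = generate_password()
    salt, digest = hash_password(password)
    record = {"salt": salt.hex(), "digest": digest.hex()}  # what the database keeps
    # The only place the cleartext exists is the response body, which must go over HTTPS.
    response = {"headers": no_store_headers(), "body": f"Your new password: {password}"}
    return {"record": record, "shown_once": password, "response": response}


if __name__ == "__main__":
    result = provision_user()
    print("stored record:", result["record"])
    print("response headers:", result["response"]["headers"])
    # Later login: only the stored salt and digest are needed to check the password.
    ok = verify_password(
        result["shown_once"],
        bytes.fromhex(result["record"]["salt"]),
        bytes.fromhex(result["record"]["digest"]),
    )
    print("login with shown password verifies:", ok)
```

The design point is the one the answer makes: once the page has been served, the cleartext exists nowhere on the server, so a later "show me my password" request is impossible by construction, and the residual risk is limited to whoever can see the screen or the TLS-protected response.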