tpr Posted March 14, 2015

I'm developing a site (not PW) and I told one of my non-tech relatives how the Reset password feature works:
- ask the user's email
- send a link with code to the given email
- the user clicks on the link in his email and gets to a form where he can enter a new password

His first reaction was that it is insecure because if someone hacks the user's email account he can request a new password on my site and so he can login. I'm not sure if a developer should take care of such cases. On the other hand, it is also my duty to prevent unauthorized access. I have checked some other sites and they used the same method as I. I could prevent this with "What's your favorite colour?" type questions that the user answered when he registered, and only send out the email if the answer matches. This is also problematic, because he may forget the right answer. What's your opinion?
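The three-step flow above, written out as an added example (not code from this thread or from any of the posters): the emailed token is stored only as a hash, expires after a short time, is usable once, and the request form answers the same way whether or not the address is registered. The in-memory user store, the `example.test` link and the `outbox` list standing in for a mailer are assumptions for the sake of a runnable demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # a reset link is only valid for 15 minutes


class PasswordResetService:
    """Email-link reset: the token travels in the link, only its hash is stored."""

    def __init__(self, users, now=time.time):
        self.users = users      # email -> {"password": (salt, pbkdf2 digest)} (assumed store)
        self.pending = {}       # sha256(token) -> (email, expiry timestamp)
        self.now = now          # injectable clock so expiry can be tested
        self.outbox = []        # constructed stand-in for a real mailer

    @staticmethod
    def _token_hash(token):
        # The raw token is never stored; a leaked table of pending resets
        # is useless without the emailed link itself.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def hash_password(password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return salt, digest

    def request_reset(self, email):
        # Same message whether or not the address exists, so the form
        # does not reveal which emails are registered.
        if email in self.users:
            token = secrets.token_urlsafe(32)   # 256 bits, not guessable
            self.pending[self._token_hash(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, f"https://example.test/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        key = self._token_hash(token)
        entry = self.pending.pop(key, None)     # single use: consumed on any attempt
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        # Drop every other pending token for this account, so an older link
        # still sitting in a mailbox cannot be used after the password changed.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != email}
        self.users[email]["password"] = self.hash_password(new_password)
        return True
```

The short lifetime and single use limit the window in which a mailbox compromise of the kind the relative describes can be turned into an account takeover; they do not remove that risk, which is why the thread goes on to discuss a second factor.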
SiNNuT Posted March 15, 2015

If the reset password functionality is part of the website you build, I do think it is your responsibility to explain to the client the pros and cons of the different methods and let them choose. The method you describe is weak but convenient, the method with personal security questions is (at least to me) annoying but much more secure if done right.

A pretty good write-up here: https://fishnetsecurity.com/6labs/resource-library/white-paper/best-practices-secure-forgot-password-feature

Which also made it to the OWASP site: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
LostKobrakai Posted March 15, 2015

Even security questions can be dangerous: http://www.ibtimes.com/elaborate-hack-steals-rare-twitter-handle-n-1552045

What annoys me personally the most about them is that they are often questions which you can hardly answer in a single word, and matching the provided sentence when I want a new password is almost never successful.
tpr Posted March 15, 2015 (Author)

Thanks, fishnetsecurity was a good read.

"I do think it is your responsibility to explain to the client the pros and cons of the different methods and let them choose."

I'm the client. It's a personal project. In fact this is only a minor one so no need to take extra security steps.
teppo Posted March 15, 2015

"The method you describe is weak but convenient, the method with personal security questions is (at least to me) annoying but much more secure if done right."

"Even security questions can be dangerous: http://www.ibtimes.com/elaborate-hack-steals-rare-twitter-handle-n-1552045 What annoys me personally the most about them is that they are often questions which you can hardly answer in a single word, and matching the provided sentence when I want a new password is almost never successful."

Can't remember which service it was, but just recently I had to fill in a series of *required* security questions when signing up. There were a couple of them, ranging from "what's your mother's maiden name" to "what's the name of the city you were born in". In short, all of those were questions that anyone can dig up in an hour or so, quite likely without even relying on social engineering. I sincerely hope that they don't use that crap to "validate" anyone.

In either case, they didn't provide any details about how that data is used (as an addition to email validation, or on its own), so just to be sure I filled in some incomprehensible random stuff. I definitely won't be able to answer those questions -- but neither will anyone else.

Password recovery based on email is, in my opinion, relatively safe on its own. Safe enough for most services out there anyway. Of course it's always a question of "how much security does this service require"; combining it with security questions can enhance its reliability, switching emails to text messages is considered even more secure (and harder to set up), and so on.
SiNNuT Posted March 15, 2015

I think you got it teppo but just to be clear, I did mean security questions ass an addition to sending a reset token via e-mail or even SMS. I also agree that resetting via e-mail alone is safe enough for most stuff that gets built.

- edited the ass