Translator's comment
We decided to continue translating security cheat sheets from OWASP against the backdrop of massive password recoveries after a database leak at the rzd-bonus.ru service.
Introduction
A proper user management system usually includes a password recovery service that lets users reset a password they have lost. Although this functionality looks straightforward and simple, it is a common source of vulnerabilities, one of which is username guessing (user enumeration). The following short guidelines can serve as a quick reference when implementing a password recovery service:
return the same message for both existing and non-existent accounts;
make sure the time it takes to respond to the user is the same in both cases;
use a separate channel to deliver the password reset;
use URL tokens for a simple and fast implementation;
make sure the generated tokens or codes are:
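The first two guidelines above (one message for known and unknown accounts, and the same amount of work on both paths) together with the URL-token approach, as an added example that is not part of the OWASP cheat sheet or this translation. The in-memory stores, the sample account, the 15-minute lifetime and the reset URL are constructed assumptions; the token is generated with a CSPRNG, only its hash is stored, and it is single-use and expiring.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for a user table and a reset-token table (not a real backend).
USERS = {"alice@example.com": {"password_hash": None}}   # constructed sample account
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires", "used"}
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def _token_hash(token: str) -> str:
    # Only the hash is stored, so a leaked token table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> tuple:
    # Salted, iterated hash for the new password (PBKDF2 from the standard library).
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_reset(email: str, send_email=lambda addr, link: None, now=None) -> str:
    """Start a reset; returns the same message for known and unknown addresses."""
    now = time.time() if now is None else now
    # Generate and hash a token on both paths so the amount of work, and thus the
    # response time, does not reveal whether the account exists.
    token = secrets.token_urlsafe(32)          # CSPRNG, 256 bits of entropy
    digest = _token_hash(token)
    if email in USERS:
        RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        # In production hand this to a background queue so mail latency is not observable.
        send_email(email, f"https://example.com/reset?token={token}")   # assumed reset URL
    return GENERIC_MESSAGE


def redeem_token(token: str, new_password: str, now=None) -> bool:
    """Consume a URL token once; rejects unknown, expired and already-used tokens."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_hash(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True   # single use: a second redemption fails
    USERS[record["email"]]["password_hash"] = _hash_password(new_password)
    return True
```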
, , CAPTCHA, ;
, , SQL-, .
( ) ( SMS), , .
URL;
PIN-;
(, , PIN- . .). , , . :
- JSON (JWT) , ;
URL
URL- URL- . :
URL.
Host URL- , HTTP-. URL- , .
, URL- HTTPS.
URL- .
, Referrer-Policy «noreferrer» (. : ), .
, URL-, .
. URL , PIN, . .
PIN-
PIN- — ( 6 12 ), , SMS.
PIN-.
SMS .
PIN , .
PIN- .
PIN-, .
, (, PIN-) . - , , . , .
(, ), . OTP, , .
, (, ). , — Google, GitHub Auth0.
:
- 8 , 12 - ;