So, while it appears that one of the password reset security holes at Healthcare.gov has been patched, there's still a problem with the design.
Do you see it? Is there a problem here?
The problem is that the system sends both the username and the reset code over email -- which is generally an insecure means of communication. For security purposes, these types of systems often send a password reset code without the username, and then require the user to provide the username that goes with the reset code. Sending both makes the system less secure.
Plus, there's one more problem that this image doesn't show: the password reset code stays the same. Each time I request a password reset for an account, I get the same code. This code should change. That it doesn't change suggests that, once a code is compromised, it may be reused again and again.
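To make the two design points concrete (a fresh code on every request that is invalidated once used or expired, and an email that carries only the code while the user supplies the username on the form), here is an added example in Python. It is not Healthcare.gov's code or the post author's; the in-memory dict stands in for a database, and the "weak" service simply mirrors the behaviour the post describes so the two can be compared side by side.

```python
"""Password-reset token handling: a fixed, reusable code (the behaviour the
post describes) beside a hardened issue/redeem flow. Added example; the
dicts below are a stand-in for real persistent storage."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token


class WeakResetService:
    """One code per account, generated once and handed back unchanged on
    every reset request, with the username bundled alongside it."""

    def __init__(self):
        self._codes = {}  # username -> reset code (never rotated)

    def request_reset(self, username):
        # setdefault keeps the first code forever, so repeat requests
        # return the identical value.
        code = self._codes.setdefault(username, secrets.token_urlsafe(24))
        return {"username": username, "code": code}  # both land in the email

    def redeem(self, username, code):
        # No expiry and no invalidation: a leaked code keeps working.
        return self._codes.get(username) == code


class HardenedResetService:
    """Fresh random token per request, stored only as a hash, time-limited,
    bound to the account, and invalidated after one successful use."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}  # sha256(token) -> (username, expires_at)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        # Store a hash so a read of the token table yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        # Drop any earlier outstanding token for this account so that only
        # the newest one is live.
        self._pending = {h: v for h, v in self._pending.items()
                         if v[0] != username}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, self._clock() + self._ttl)
        # Only the token is returned for the email; the username must be
        # typed on the reset form, so the email alone is not sufficient.
        return token

    def redeem(self, username, token):
        entry = self._pending.get(self._digest(token))
        if entry is None:
            return False  # unknown, already used, or superseded
        stored_user, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[self._digest(token)]
            return False  # expired tokens are purged on contact
        if stored_user != username:
            return False  # token does not belong to this account
        del self._pending[self._digest(token)]  # single use
        return True
```

The test-friendly `clock` parameter is the only concession to testing; in production the default `time.time` is used. The hardened service returns the token rather than the whole email payload because composing the message (without the username) belongs to the mailer, not the token store.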
The password reset code appears to be a randomly generated Java UUID. While it is a problem that it does not change, a randomly generated ID should be more secure than one generated from the username or email address.
Given that it is random, it should be even easier to change with each password reset and/or login.
for those technically inclined:
I confirmed that the UUID is random using a simple bit of Java code on the password reset UUID I see returned by Healthcare.gov as I use the system:
import java.util.UUID;
String emailConfirmationId = "<paste the reset code from the email here>"; // placeholder, not a real code
UUID uid = UUID.fromString(emailConfirmationId);
System.out.println("UUID value is: " + uid);
System.out.println("Version: " + uid.version()); // 4 means randomly generated (RFC 4122 version 4)
System.out.println("Variant: " + uid.variant()); // 2 means the standard Leach-Salz layout
The version() and variant() methods provide codes that reveal information about how the UUID was constructed.
I find that people instantly 'get it' when you say that e-mail is the equivalent of a postcard. A letter would be encrypted e-mail. Encryption is just the computer way of saying envelope. Nobody thinks it is a good idea to pass secure information via postcard.