Monday, 28 April 2014

Password change

I was emailed by a customer, he wanted me to change his password to a new one that he gave me, he said that he thought that the old one had been compromised.

Fair enough, I thought, and went to do it. Then I stopped.

It's extremely easy to spoof the origin of an email. Think of a letter: on the back of the envelope you'll often find the sender's address, so that the post office can return it if it can't be delivered. Anyone can write a false return address on an envelope, and it is just as easy to put a false "From" address on an email. The From header is simply text filled in by whoever sends the message, and plain SMTP does nothing to check it.

That means that I don't know that the email really did come from my customer.

Does it matter? Yes, it does! If I change the password to the one he suggested, then whoever sent the email already knows the new password and can simply keep trying it, once a day or so, until it works. If that sender wasn't actually my customer, then we have grief.

So what I did was change the password to something else entirely, and email my customer, at the address he gave when he signed up with me, to tell him the new password.

If it really was him who made the request, he might be mildly annoyed that I didn't give him the password he asked for. If he emails me to complain, I'll explain why I did it.

If it wasn't him who made the request, then either he'll accept the change as one of those things that just happens sometimes, or (much less likely) he'll email me to ask why I changed it, and then I'll explain.

So. Maybe this request was kosher. But it does occur to me that this would be quite a good way to get unauthorised access to someone else's account. So here's the test you can make.

You have passwords on a number of different sites: some unimportant, some very important (Amazon, which also holds your credit card, or your bank). If you email one of these sites and ask it to set your password to a value you supply, and it does so, then there's a problem, and other than avoiding that site in future I don't see how you can solve it.


  1. Server admins shouldn't be choosing, or setting, passwords for their users. Good security practice, on such a request, is to force a password change for the user. This triggers a password change request the next time the user logs in, which requires knowing the old password before the new one is accepted.
    If the password request email originated from someone trying to gain access to the account, they clearly don't *already* have that password, otherwise they wouldn't be asking to change it. If the request came from the legit user, then s/he gets their password change, but they get to change it themselves.

  2. That won't always work.

    If they've forgotten their password, you can't tell them to log in and change it themselves, you have to assign them a password, and email that to a known good email address.

    What I'm pointing out is that admins MUST NOT change the password to something chosen by the user.
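To make the policy from the post and the two comments concrete, here is an added example (my own code, not the author's or his customer system's) of a small account store with two reset handlers: an unsafe one that does what the email asked, and a safe one that ignores the requested value, generates a random password, flags it must-change-on-next-login, and mails it only to the address recorded at sign-up. The account data, the `outbox` list standing in for a mailer, and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical account record. email_on_file is the address given at sign-up:
# it is the only address we ever send a password to, because the From header
# of an incoming request proves nothing.
@dataclass
class Account:
    email_on_file: str
    salt: bytes
    password_hash: bytes
    must_change: bool = False   # comment 1's "force a change at next login"


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only to keep the example self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}
        self.outbox = []   # constructed stand-in for a mailer: list of dicts

    def create(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, _hash(password, salt))

    def login(self, email: str, password: str) -> str:
        acct = self.accounts.get(email)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            return "denied"
        # A reset password only gets you as far as the change-password screen.
        return "change required" if acct.must_change else "ok"

    def change_password(self, email: str, old: str, new: str) -> bool:
        # Knowing the old (or freshly issued) password is mandatory, so someone
        # who only asked for a change by email cannot finish it.
        if self.login(email, old) == "denied":
            return False
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new, acct.salt)
        acct.must_change = False
        return True

    # UNSAFE: the behaviour the post warns against. Whoever wrote the email now
    # knows a valid password and can just keep trying it until it works.
    def set_password_as_requested(self, email: str, requested: str) -> None:
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(requested, acct.salt)

    # SAFE: the author's approach plus comment 1's forced change. The claimed
    # sender and the requested value are recorded for the audit trail but
    # never used; the new password goes only to the address on file.
    def reset_by_request(self, claimed_from: str, email: str, requested: str) -> str:
        acct = self.accounts[email]
        new_password = secrets.token_urlsafe(12)
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new_password, acct.salt)
        acct.must_change = True
        self.outbox.append({
            "to": acct.email_on_file,
            "new_password": new_password,
            "note": f"reset requested by <{claimed_from}>, requested value ignored",
        })
        return acct.email_on_file   # where the password was sent, not the password


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice@example.com", "correct horse")   # constructed account
    sent_to = store.reset_by_request("alice@example.com", "alice@example.com", "attacker-chosen")
    print("attacker's choice:", store.login("alice@example.com", "attacker-chosen"))
    print("mailed to:", sent_to, "->", store.login("alice@example.com", store.outbox[-1]["new_password"]))
```

The forgotten-password case from comment 2 is the same `reset_by_request` path: the admin never learns or accepts a user-chosen value, the random password reaches only the sign-up address, and the account stays in the must-change state until the real user completes `change_password`.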