Hi Everyone,
I was reading about CWE-640: Weak Password Recovery Mechanism for
Forgotten Password. The text states (in part):
It is common for an application to have a mechanism that provides a
means for a user to gain access to their account in the event they
forget their password...
This weakness may be that the security question is too easy to guess or
find an answer to (e.g. because the question is too common, or the
answers can be found using social media)...
Reading the text of the second paragraph, it appears to promote the
idea that some security questions are OK. I find it troubling since
we've known security questions are insecure for about 20 years now.
Worse, these crappy systems are in use today; they are implemented in
account recovery and as app passwords.
I think it would be wise to completely condemn security questions. If
an application wishes to allow self-service password reset or
recovery, then suggest the application use first-class recovery codes.
The recovery codes will have the desired security properties, like
randomness, phishing resistance and replay resistance. And if the
application wishes to authorize a device or user agent, then the
system should provide application passwords for per-instance
discrimination.
Jeff
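As an added illustration (not from Jeff's message, the CWE entry, or any particular product), here is one way an application can implement the "first-class recovery codes" he proposes: codes drawn from a CSPRNG for randomness, stored only as keyed hashes so a database leak does not expose them, and consumed on first use so a captured code cannot be replayed. The code count, length, display format and record layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example of single-use account recovery codes. The constants and the
# record layout are assumptions chosen for illustration, not a standard.
CODE_BYTES = 10   # 80 bits of entropy per code from the OS CSPRNG
CODE_COUNT = 8    # codes issued to a user at enrollment


def _normalize(code: str) -> str:
    # Accept the user-facing grouped form ("abcde-fghij-...") as well as raw hex.
    return code.replace("-", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are high-entropy, so a keyed SHA-256 suffices; a slow password
    # hash is only needed for low-entropy secrets such as user-chosen answers.
    return hmac.new(salt, _normalize(code).encode("ascii"), hashlib.sha256).digest()


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (codes to show the user exactly once, record to persist)."""
    salt = secrets.token_bytes(16)
    raw = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    codes = ["-".join(c[i:i + 5] for i in range(0, len(c), 5)) for c in raw]
    record = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in codes],
        "used": [False] * count,   # each slot is burned after one success
    }
    return codes, record


def redeem_recovery_code(record, candidate: str) -> bool:
    """Consume one unused code. Returns True on success, False otherwise."""
    digest = _hash_code(candidate, record["salt"])
    matched = -1
    # Walk every slot with a constant-time compare rather than returning on
    # the first hit, so response timing does not reveal which slot matched.
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(digest, stored) and not record["used"][i]:
            matched = i
    if matched < 0:
        return False
    record["used"][matched] = True   # replay resistance: one use only
    return True
```

Rate limiting on `redeem_recovery_code` and re-issuing a fresh set once the user has spent most of the codes are left to the caller.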
