Why I dropped password resets on trashserver.net
Usually there’s no reason to get worried if you forget the password for an online service that you’re using. Platform providers are aware of their forgetful users and provide a simple method to reset your password and regain access to your account. All you need to do is to enter your email address and wait for a customized link. That link lets you change your password or request a new one.
What’s the problem with that?
With this popular approach your email mailbox becomes a master key. If every account is linked to one of your few email accounts, an attacker’s attention will be moved to that single point of failure.
Hack one account and get them all!
You might argue that your email account is safe. But is it really? There have been proven to be tons of hacked email accounts out there. Maybe you have chosen a long, good passphrase. But is there a “password reset” button at the login of your webmail interface? Probably there is. Usually the “reset password” feature is based on “secret questions”, like: “What’s your mother’s maiden name?”, “What was the name of your first pet?” and so on. These questions are anything but “secret”.
By utilizing a social engineering approach, it is quite easy for trained people to find out the relevant information. Be it by research on the internet or by private conversation.
When using a password reset feature you’re basically using a backdoor. The backdoor access has been available all the time. It doubles your attack surface and enables new ways to “steal” your identity. If attackers are not able to make it through the front door, they will try the backdoor. In some cases that’s even easier than finding out your password.
How it went until now
Most XMPP servers don’t come with a password reset feature by default. As I’m trying to avoid collecting unnecessary information about trashserver.net users, I was not collecting additional contact information such as an email address. So email didn’t work.
Since I wanted to offer my users a password reset feature, I thought of another method: As a user you needed to give me sufficient evidence that you actually owned the account that you wanted to be reset. I wanted some knowledge about the affected account as proof. Some XMPP user IDs of your contacts were sufficient in the beginning.
Later I changed my mind about that and considered that method too insecure. I wanted my users to tell me the exact name of a fancy contact that they had created before. But … why would you remember the XMPP ID or name of a fancy contact if you couldn’t even remember your primary password? If you’re not capable of keeping a secret safe, it doesn’t matter where to use which secret. In the end some users had two passphrases and didn’t remember either of them.
What now?
I stopped doing password resets. If you lose your password, you lose your account. That’s how things are now.
I understand that some people might not be happy with it. I understand that it will bring frustration for some users and it also might not be very user friendly. But there is (currently) no other way, if you take security serious and want to keep the service as safe as possible.
Maybe I’ll come up with a nice solution in the future, or somebody on the internet has a plan how to safely implement a feature that allows users to take back control over their account. Until then, I’ll stick to my decision, even if that means that some users will stop using trashserver.net. My server, my responsibility, my decision. You chose your server on your criteria. Be it security, user experience or features. Decide what’s best for you. If you come to the conclusion that trashserver.net is not good for you - I’m totally okay with that.
To warn new users about my unconventional password approach, I’ve added a red warning box right before the registration form.
The best approach for managing all your passwords
Use a password manager now.
- Enter / generate your new password in your password manager.
- Enter it twice. Your password manager should check both versions.
- Save your password database. Make a backup immediately if you don’t trust your data storage.
- Now: Copy the password from your password manager and paste it into the registration form.
- Create your account.
The order is important. I’ve been told stories of people who filled in new passwords into the registration form and then forgot to put it into their password manager. In some cases the password manager crashed. In some cases their data storage was not reliable and mixed up database versions (Cloud sync, …). Make sure your password is actually saved. Then use it for registration. The same applies for password changes:
- Make a backup of your old password, first.
- Then create a new one.
- Change your password to the new one and then check if it was correctly applied in the system (by logging out and in, again)
- Delete your password or keep a copy as a backup. Just to be sure.
As a password manager I recommend KeePass / KeePassX / KeePassXC.