English

Web password recovery --- a necessary evil?

Cryptography and Security 2018-01-31 v2

Abstract

Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.

Keywords

Cite

@article{arxiv.1801.06730,
  title  = {Web password recovery --- a necessary evil?},
  author = {Fatma Al Maqbali and Chris J Mitchell},
  journal= {arXiv preprint arXiv:1801.06730},
  year   = {2018}
}

Comments

v2. Revised version

R2 v1 2026-06-22T23:50:53.798Z