Weak Password Recovery Question Selection
Variants: Direct
Vector Type: Vulnerability
Relevance: Generic
Layer: Application-Level
Platforms: Any
Target Type: Application
Affected Mechanisms: Registration, Password Recovery
Invented In: 01/01/1999
Added In: 23/12/2014
Vector Operation Method:
The application lets the user select weak recovery questions whose answers come from a small, easily guessable set. A typical example is the "What is your favorite color?" question: because it has only a handful of plausible answers, the user is effectively forced to choose a trivial one. Given such a limited answer space, an attacker can guess the correct answer in only a few attempts, without triggering any account lockout or anomaly detection mechanism.
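The two defensive controls this entry implies are a registration-time check that rejects low-entropy recovery questions and a recovery-time limit on wrong answers. The following is an added illustration, not code from the original entry; the question patterns, the answer-space estimates, the `MIN_ANSWER_SPACE` threshold and the attempt limits are constructed assumptions chosen for the example.

```python
"""Added example (not part of the original entry): server-side controls
against weak password recovery questions.

1. estimate_answer_space / is_acceptable_question: reject questions whose
   realistic answer set is tiny (e.g. favorite color), so the user cannot
   register a recovery question that is guessable in a few tries.
2. RecoveryAttemptLimiter: lock recovery for an account after a small
   number of wrong answers, so even a weak question cannot be brute-forced
   without triggering a lockout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed: regexes over question text mapped to a rough upper bound on
# the number of answers a guesser would realistically have to try.
LOW_ENTROPY_PATTERNS: Dict[str, int] = {
    r"favou?rite colou?r": 12,
    r"favou?rite (season|day of the week|month)": 12,
    r"how many (siblings|children|pets)": 10,
    r"(year|month) (were you born|of (your )?birth)": 100,
    r"favou?rite (sport|animal|food|team)": 50,
}

# Constructed threshold: questions with a smaller estimated answer space are rejected.
MIN_ANSWER_SPACE = 1000


def estimate_answer_space(question: str) -> Optional[int]:
    """Return the estimated answer space for a known-weak question, or None
    if the question matches no low-entropy pattern."""
    text = question.lower()
    for pattern, space in LOW_ENTROPY_PATTERNS.items():
        if re.search(pattern, text):
            return space
    return None


def is_acceptable_question(question: str) -> bool:
    """Registration-time policy: reject questions with a tiny answer space.
    Questions that match no known-weak pattern are allowed through."""
    space = estimate_answer_space(question)
    return space is None or space >= MIN_ANSWER_SPACE


@dataclass
class RecoveryAttemptLimiter:
    """Per-account counter of wrong recovery answers with a temporary lockout.
    Limits and lockout length are constructed defaults for the example."""
    max_attempts: int = 3
    lockout_seconds: int = 900
    # account -> (consecutive failures, lock expiry timestamp)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        _, lock_until = self._state.get(account, (0, 0.0))
        return now < lock_until

    def record_failure(self, account: str, now: float) -> bool:
        """Record a wrong answer; return True if the account is (now) locked."""
        count, lock_until = self._state.get(account, (0, 0.0))
        if now < lock_until:
            return True
        count += 1
        if count >= self.max_attempts:
            # Reset the counter and lock recovery for lockout_seconds.
            self._state[account] = (0, now + self.lockout_seconds)
            return True
        self._state[account] = (count, 0.0)
        return False

    def record_success(self, account: str) -> None:
        """A correct answer clears the failure counter."""
        self._state.pop(account, None)


if __name__ == "__main__":
    for q in ("What is your favorite color?", "Name of the street you grew up on?"):
        print(f"{q!r}: acceptable={is_acceptable_question(q)}")
    limiter = RecoveryAttemptLimiter()
    for t in (0.0, 1.0, 2.0):
        print(f"t={t}: locked={limiter.record_failure('alice', t)}")
```

The pattern list is deliberately a deny-list of question shapes rather than a whitelist of allowed questions; in a real deployment the policy would also apply to user-written custom questions, and the limiter would key on the account rather than on the requesting client so that the lockout cannot be sidestepped by changing source address.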