Please who can help me recover my safepal wallet from my device... I haven't backed up my mnemonic phrase and I forgot my password now I'm just staring at my money and can't access it .. I have just one more try left... is the anyway I could modify the app data on my phone and change the password or increase the amount of tries left
Related
I have a Login screen where a user has to enter its username and password. I always store the password in a variable and send it over to the server. Then I leave the functions context and everything is fine because I have no reference to the valuable information anymore.
But this time it needs to be really secure. When somebody asks me about security in my app and how the app would handle his password, I want to be able to say “Don’t worry. Your data is safe."
So if there would be an hacked app on the users phone which manages it to break out of its sandbox right after my user entered his password and it has been sent to the server I want to erase that part of the memory so the malicious app cannot inspect my threads and just pick the password from.
This question concerns Swift 3.x.
I have thought of deinitializing a wrapper class around the credentials, but would that be enough? How does iOS handle such deinitializations?
Any suggestions on this?
Thanks.
first of all, I don't really know if this is the right place to ask this, if this should be moved, please do so or let me know.
I'm building a mobile app (using phonegap) which is kind of a banking app, hence, I need a really secure method for resetting a lost/forgotten password.
I do not want to use email links or sms codes to proceed to the resetting part because:
Email address can be already compromised.
(Where I live) Phone can be stolen (most likely) and the email could be linked to phone, so SMS would be pointless as well.
So after a bit of reading I have come up with the next idea, inside the app when user clicks forgotten password:
Ask user email of registration.
Ask which country, state and city were selected when registration occured.
Ask if the user had login successfully in the last 3 or 7 days (maybe less is better?).
Ask the last amount of money received (if any).
Ask the last amount of money sended (if any).
Ask the date of the last transaction known (sended or received before or during the last successfull login).
If all that information proves to be correct, let the user set a new password. Else just show a message telling the user that something in the information was wrong, never ever specifing what was wrong.
Those are a few question but I'm writing this as it just occurs to me. There will be more question based on the user expirience using the app.
My Questions:
Is this secure?
Which are the weaknesses of this idea?
Does this effectively replace the email/link combination or phone/sms?
Thanks in advance.
Updates:
I dont like setting security questions during registration because most people forget the answer or type carelessly and then they are trapped with a forgotten account.
I will not be using any bank account or credit/debit card information.
All operations will be in effect inmmediatly.
Maybe I should use questions only related to the use of the app?
This method is relatively secure as password recovery goes. However, it is not very user friendly, and it is very likely that the user can get locked out. On the other hand, a thief may easily still recover a password. Taking all the questions one by one:
Ask user email of registration.
An thief who has stolen a phone has access to this (most likely).
Ask which country, state and city were selected when registration occurred.
This will also be easy to retrieve if the thief searches in the emails of the user. Even if no such info is displayed there, knowing the name of the user, the thief can look in whitepages websites or Facebook and get valuable info.
Ask if the user had login successfully in the last 3 or 7 days (maybe less is better?).
A lucky guess with 50% chance can get the thief past this. A legitimate user might also not remember, which causes the first usability problem of this method.
Ask the last amount of money received (if any).
This is very hard to remember, especially if this does not happen a lot, or happens all the time and the amounts vary. A thief who knows the bank account of the user (maybe info like the IBAN is in the emails) can also transfer a small amount to that account and get past this stage.
Ask the last amount of money sent (if any).
If this involves transactions as well (paying using a credit card), a thief can follow a legitimate user and observe the money spent in the last transaction. If not, it is still a big usability issue, as the user is not likely to remember. The thief can also check the emails of the user and see if there were any goods bought online (Amazon for example sends a confirmation email) and input this as the amount.
Ask the date of the last transaction known (sent or received before or during the last successful login).
Again, this is very hard to remember for the legitimate user. Especially when it comes to receiving money, it can take days, so even if the user knows that a payment to him/her was due at day X, there might have been a delay of a few days.
If I were you, I would put email, username, last password that the user remembers, and 2-5 recovery questions that the user has to set up in the beginning. I would let the user try a total of 3 times, and all these events are logged and the bank notified. Otherwise, the user has to contact the bank in order to change it. Calls are recorded, and personal info is requested, along with a phone banking password. If the user fails again, he/she has to go to the bank with some form of photographic ID.
Response to updates: If an app is not being used on a daily basis (banking-like apps are the case for many users), it might not be a good idea to ask questions regarding the use of the app.
Regarding security questions, maybe if you set a message that warns the user that they might get locked out of their account if they forget them, might convince them to be more careful. Maybe you can let users choose both questions and answers (just make sure the questions and answers are different each time, and they are longer than 1-2 characters).
Users forget passwords, and (nearly) all membership sites need a way to help users get back in.
I'd like to implement the common scenario:
User hits site, tries to log in, can't, and realizes they forgot password - crap!
User enters email address and clicks "forgot password"
User gets email with a password reset link
Here's how I'm planning to implement this (C#/ASP.NET MVC):
When the user enters email and hits "forgot password" button my site will generate a GUID, store it on the member's entity in the DB (member.ResetToken), and email them a link with that GUID in the url (the email sent will inform them they can use this link to one time only)
User clicks the link and my site looks up their account based on that member.ResetToken from the url. If their account is found show them a password reset form, and when they complete the reset it clears the member.ResetToken from their account.
Here's my question: keep it like this (in which they can reset their password with that link at any time, now or in the future) or add a timestamp to limit how long they have to reset their password?
From a UX perspective the ability to reset your password whenever you're ready is great, but I want to make sure I'm not overlooking some security issues this could raise.
Your scheme actually works, but there are some points that could be improved. But first to your original question about the time limit:
Let's ask the opposite question: Why should a token remain valid infinit?
There is no advantage, when the reset-link can be clicked two years later, either the user clicks the link in about an hour or he has probably forgotten about the link (and can request a new one if necessary). On the other hand, being able to read the e-mails doesn't necessarily mean, that an attacker must hack the e-mail account, there is for example the open e-mail client in the office, a lost mobile phone, a backup on the (lost) USB drive...
The most important improvement is, that you should only store a hash of the token in your database. Somebody with access to the database (SQL-injection), could otherwise demand a password reset for any e-mail address he likes, and because he can see the new token, he could use it to set his own password.
Then i would store those reset informations in a separate table. There you can store the userid, the hashed token, an expiry date and the information whether the link was already used. The user is not in a special state then.
Maybe i misunderstood this point, but the reset link should point to a special page for password resets. When the user goes to the login page, there should be no special handling, the login page should not be aware that there is a pending password-reset.
The reset token should be unpredictable, this can be achieved best with a really random code, reading from the random source of the operating system.
So, there are a few problems with this approach that I was trying to elude to in my comment. When you store the "confirmation token" in the users password, you have just basically destroyed their password.
I, a malicious person, can then take a big giant list of email addresses and a bot net and flood your server with password reset requests and lock out your users from their account. Sure, your users will get an email for the reset, but if I can reset passwords fast enough, there may be a backlog of emails (or, if you do it synchronously, i can likely DoS the entire application).
I, a normal user of your system, may attempt to reset my password, and can't figure out why I'm not getting the reset email because I don't even know about a spam folder (or it never arrived). Fortunately, I just remembered what the password was, but it doesn't work anymore since the password is now an opaque GUID, and I'm basically dead in the water until I can find the reset email.
Here's the process you should use.
Generate a password reset request which you look up using a GUID, and you could likely also secure this by hashing that value with some private data and passing that in the URL as well to avoid a rapid attack. You can also lock this request down by making it only valid for a certain amount of time.
Once someone follows that link with a valid token and any other parameters you specify, they can then change the password, at which point you can now safely change the users password.
Flag the password request as having been completed, or delete it. You could also track information like IP address or something similar if you are really concerned about who changed the password if you are really concerned about it.
Send the user an email confirming that they have changed their password.
Also, just in case this isn't happening already, make sure you are hashing and salting the users password. It doesn't sound like you were doing that when you were just replacing the password with a GUID, so just double checking.
Users also forget to reset passwords (things happen). Being paranoid about passwords, I'd suggest limiting the link lifetime to 24 hours. This should be more than enough. It doesn't solve the problem of malicious intercept but it is better than nothing.
I would make the following suggestions:
Require some piece of information before the user is allowed to click the forgot password button. For example, require an email address and date of birth.
Ideally your user interface should not provide any feedback that allows a hacker to determine if his reset request succeeded. You don't want them farming your page for email addresses or DOBs. However this is a usability tradeoff, so whether you do this depends on how much security you really need.
You might also considering requiring a captcha which makes brute force and application DoS attacks much more difficult.
Expire the one-time token as quickly as possible. A couple hours is enough in my opinion. You should never consider email to be private-- it isn't, unless you are using a secure email technology (e.g. PGP) on top of the base protocol (most people do not). The last thing you want is for a black market to open up where your GUIDs are bought and sold, which is exactly what could happen if they have infinite lifespan.
Do not use GUIDs. They are not cryptographically random and are guessable. I suggest you use a cryptographic random number generator and translate it into base64.
I'm working on a system that will require a user to log in on a device using an account that they created on a website. Authentication will be over HTTPS, so that is not an issue. The application running on the device will allow in-app purchase using a credit card linked to their account, so it's important that the login credentials are secure enough that it would be difficult to attack using brute-force. The only problem is that the device that the user will be using will have limited user input capabilities (essentially, arrow keys and a selection button).
In this case, a typical username/password may be too cumbersome to enter, also requiring the development of a on-screen keyboard that is navigable via the arrow keys. Users would likely end up creating simple passwords that are easily cracked. However, once logged in, the user will be using an access token behind the scenes so they may not need to enter their password very many times.
The first step is that the user will need to enter their username or ID number. Using a number may be easier to enter, but also easier to guess. I'm open to suggestions in this area as well.
Next is the process of entering a "password". So here are a few ideas that I have, but I'm not a cryptography expert so I don't know how to gauge the level of security.
User must first register the device. This might be a step that I require anyway, for extra security. The device would generate a key that is sent to the server and stored with the account. The key would be required when performing future authentication requests. The user would need to log into the website to approve the device. The device isn't going to have any sort of identifier, so unless you log in soon you wouldn't know if it was your device or someone else trying to spoof you. It would be nice to be able to create some sort of additional identifier, maybe a short code, phrase, or an image is displayed so you can know it's the same device that you just tried to register.
Since entering a text password may be too difficult, as long as the device is registered, maybe a 4 digit passcode can be used when confirming in-app purchases. This may be nice anyway to prevent other users of the device from using your account without your permission. However, if they are watching you enter your passcode, then it's not really good for that purpose anymore.
If registering the device is not necessary, instead of logging in with a text password, maybe the user is presented with images or phrases as options and they must choose the right combination of images/phrases that matches their account.
That's all I've got so far. What are your thoughts? How can I create an easy, but secure, login when in-app purchases are involved?
I have been dealing with limited user input capability scenario. Would you describe the platform your app running on?It helps to fit the solution according to the platform security model.
Update: I hope you are not considering multi-user per device scenario. So, I am assuming that there is one user per device. The second assumption is the device may have a unique serial number that can be accessible through some APIs and the serial number is registered on the server in advance.
At the initial stage, the user generates a random key through the device select button and the app confirms the success of key generation probably it display the serial number (the user may need to register the serial number for latter configuration). Behind the scenes, the app sends the new key with its serial number to the server. The server updates its serial number with the random key in the database entry. The device can block further key generation or may allow until it is finally configured with a dedicated user. The device also persist the serial number with the random key in the local database/file. The user is then login to their account through a web interface to configure the device. For logged in user, the server presents a list of available devices and the user can choose a specific one that belongs to her/him and set four digit pin code. The server performs the following:
Link the user account, the serial number, the random key (the one the device sent at the beginning).
generate a token
generate a key using pin code and the random key as a salt through Password based key derivative algorithm (PBKDF2)
encrypt the token using the key derived at step 3
Update database user row with the cipher token.
The user can sync the cipher token through the device select button. To unlock the app, user must enter the pin code through a simple numeric screen. The app uses the pin code and a random key (persisted at the beginning) and generates a PBKDF2 key and decrypt the token. PBKDF2 helps us to slow down the brute force a bit but it is possible to enforce time based or attempt based lockout as well. For instance after some trail, the app can drop the user credentials and force the user to configure from the scratch.
I am building a forgot password page. I've been reading around and many sources recommend to have users enter their email address, which will then add a token in the DB and send them a link with the token attached as GET variable.
I was curious why that token is really necessary?If the token is expired, anybody with bad intentions and access to your email, can go right back to the forgot password page and enter your email again to get a new password reset link.
I don't see the point of even having a token that expires at some point if somebody has access to your email address. Why should I use an expiring token on 'forgot password' pages?
Let's assume that a person with malicious intent wants access to your account on example.org, but doesn't have access to your email account. Also assume example.org's "forgot my password" algorithm's tokens don't expire.
This person will, if he's at least half-smart, do his research and setup a fake account on example.org and hit the "forgot my password" button and get a reset link himself to find out how these tokens are built (at least, the format they're in).
Then, said person types in your username and clicks the "forgot my password" button that emails you a reset-link that doesn't expire, but they don't care about that - they know the format that the reset-token is in; so, they can just brute force the reset-page with incrementing tokens until they find a valid hit.
This approach, of course, will technically find every reset-request that hasn't been fulfilled but will also find yours too.
If tokens expire, and within a reasonable time limit, the amount of time between the generation of said-token and it's expiration will occur far before the attacker can "guess" it. Of course, there's always the chance that you see the email prior to them guessing it too - but that's far less secure than adding an expiration time =P
You can ask the question the other way round: Why should a reset-link be valid for ever?
When i ask for a password reset link, i will use it normally in about one hour or two. There is no advantage, when i can click the link two years later, probably i won't remember that such a reset-link even exists. And it's easy to request a new link.
On the other hand, if someone in future gains access to my e-mail account, or maybe gets a backup of my e-mails somehow, then he can use the reset-link. Being able to read the e-mails doesn't necessarily mean, that one can login to the e-mail account. There is for example the open e-mail client in the office, a forgotten logout in an internet-cafe, a lost mobile phone...
The token itself should make sure, that an attacker cannot predict the code of a new reset-link. It is better to use a random code, instead of a code that was generated by parameters like username, current time, or e-mail address.
Generally one can say, why use a weaker scheme, if there is a stronger one, when the work for coding is not significantly harder?