Post: How to hack "Forgot Password"
09-14-2012, 04:50 PM #1
First off, let me say that I found this on Hack Forums.
I take NO credit whatsoever!
SOURCE: (link hidden; requires login to view)


TUT

Hacking the 'Forgot your password' feature

Almost all websites that allow users to register have a 'Forgot your password' feature, that is, when you forget your password, you can fill out a web form and have your password reset. The password reset does this either by sending you a temporary password, or by sending you a link which will prompt you to enter a new password.

I have noticed in a few applications that I have used in recent years (mind you, these were small-budget applications, nothing like Facebook or Twitter) that the 'forgot my password' verifications were a little dodgy. Let me elaborate.

Example One - Patterns in the temp passwords
If the web application sends temporary passwords to users who forget them, press 'reset password' a few times so you have a few different temp passwords. Line them up in Notepad and look for similarities: incrementing numbers, patterns in the letters. E.g.

00Ab51
03Ad52
06Af53
09Ah54


While it may not be obvious at first, there is a pattern to these passwords. The first two characters are being incremented by 3; in the next two characters, A stays constant while the second character takes every second letter of the alphabet; and the last two characters are incrementing by 1. With this information, you could reset the administrator's password, then, using the pattern, enter the password 12Aj55 in conjunction with the administrator's username and be fairly sure you will get a successful login.

Example Two: Incrementing IDs
There was one website which required you to reset your password after 30 minutes of receiving the reset link in an email.

For this example, say the reset link was this:

https://www.f0cus.net/resetPassword.php?id=32

Being the person I am, I didn't know about the time limit, so the next day I tried to reset my password and it failed, saying the 30 minutes were up and I had to try again; so I clicked the reset password button again, thus receiving another email. The new reset link was this:

https://www.f0cus.net/resetPassword.php?id=33

I noticed that the id had changed from 32 to 33. I reset my password again and again and the numbers continued to increment (all the way up to 39). I then created a new account, logged out and pressed 'forgot my password'. Without checking the link in the email, I just pasted:

https://www.f0cus.net/resetPassword.php?id=40

into the URL bar and booyah - I could reset the password for an account without checking the email.

In summary, check for patterns and easy slip-ups. Some patterns might not be as obvious as others. I would also advise doing this at a time when the application is going to be used by many users as, if someone resets their password whilst you are checking for patterns, it will screw your pattern up.

-by f0cus (Hack Forums)
I found this interesting, so I thought about sharing it and seeing what you guys think.

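Both slip-ups in the tutorial come down to the same thing: the reset secret is derived from a counter, so a handful of samples lets you predict the next one. The script below is an added example (not part of the original post or of f0cus's tutorial): it takes a batch of observed temp passwords or reset-link ids, splits each into digit runs and single letters, and reports the next value if every field advances by a constant step (it reproduces the post's 12Aj55 and id=40 and returns None for anything that does not follow one arithmetic sequence). Beside it is the hardened counterpart the tutorial never shows: a random 256-bit token from Python's `secrets` module, stored only as a SHA-256 hash, bound to the user it was issued for, single-use and expiring after the 30 minutes the post mentions. The sample tokens are copied from the post; the store and the function names `issue_reset_token` / `redeem_reset_token` are hypothetical.

```python
"""Added example: detect counter-derived reset secrets, and issue ones
that cannot be predicted. Not code from the tutorial or any real site."""
import hashlib
import re
import secrets
import time

# Sample tokens copied from the tutorial above (constructed input).
TEMP_PASSWORDS = ["00Ab51", "03Ad52", "06Af53", "09Ah54"]
RESET_IDS = ["32", "33", "34", "35", "36", "37", "38", "39"]

# A token is read as digit runs plus single letters; each is one field.
FIELD_RE = re.compile(r"\d+|[A-Z]|[a-z]")


def _fields(token):
    """Split a token into (kind, value, width) fields: digit runs become
    ints, each letter its own 0..25 index (upper and lower kept apart).
    Returns None if the token has characters outside that grammar."""
    parts = FIELD_RE.findall(token)
    if "".join(parts) != token:
        return None
    out = []
    for s in parts:
        if s.isdigit():
            out.append(("d", int(s), len(s)))
        elif s.isupper():
            out.append(("U", ord(s) - ord("A"), 1))
        else:
            out.append(("l", ord(s) - ord("a"), 1))
    return out


def predict_next(samples):
    """Return the next token if every field of every sample advances by a
    constant step (constant fields have step 0), otherwise None.
    Generalises the post's two cases: '12Aj55' and '40'."""
    rows = [_fields(s) for s in samples]
    if len(rows) < 2 or any(r is None for r in rows):
        return None
    shape = [(k, w) for k, _, w in rows[0]]
    if any([(k, w) for k, _, w in r] != shape for r in rows):
        return None  # field layout differs: not one sequence
    nxt = []
    for i, (kind, _, width) in enumerate(rows[0]):
        vals = [r[i][1] for r in rows]
        steps = {b - a for a, b in zip(vals, vals[1:])}
        if len(steps) != 1:
            return None  # inconsistent increments: no arithmetic pattern
        v = vals[-1] + steps.pop()
        if kind == "d":
            if v < 0:
                return None
            nxt.append(str(v).zfill(width))  # 09 -> 12 keeps the width
        else:
            if not 0 <= v < 26:
                return None
            nxt.append(chr(ord("A" if kind == "U" else "a") + v))
    return "".join(nxt)


# --- hardened reset flow, in contrast to resetPassword.php?id=N ---
RESET_TTL = 30 * 60  # seconds: the 30-minute window the post mentions
_pending = {}  # hypothetical store: sha256(token) -> (username, expires_at)


def issue_reset_token(username, now=None):
    """Issue a 256-bit random token. Only its hash is kept server-side, so a
    leaked table cannot be replayed; the raw token goes only into the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (username, now + RESET_TTL)
    return token


def redeem_reset_token(token, now=None):
    """Return the username the token was issued for, or None. Single-use
    (popped on first use) and expiring; the caller may change the password
    of that user only, never of an account named in the request."""
    now = time.time() if now is None else now
    entry = _pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]


if __name__ == "__main__":
    print(predict_next(TEMP_PASSWORDS))  # 12Aj55, as the post predicts
    print(predict_next(RESET_IDS))  # 40
    print(predict_next([issue_reset_token("admin") for _ in range(4)]))
    t = issue_reset_token("admin")
    print(redeem_reset_token(t), redeem_reset_token(t))  # admin None
```

Run it on a few resets from the site under test: a non-None result from `predict_next` means the reset secret is a counter in disguise and the finding is real without touching anyone else's account. The hardened half shows the properties a reviewer should look for in a reset endpoint: unguessable, hashed at rest, bound to one user, consumed on first use and time-limited.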
09-14-2012, 06:46 PM #2
Wow, well done to whoever found this out.
09-14-2012, 08:32 PM #3
TheManDavid
Your mother!
This is actually pretty interesting. Nice tut man.
09-14-2012, 09:13 PM #4
Bichote
Former Staff
Nice Tutorial :y:
09-14-2012, 09:24 PM #5
-Luke
Former Staff
Originally posted by fluffyTHEnutsak View Post

I am so going to have to test this out! Thanks a lot, man! :)
09-14-2012, 09:43 PM #6
Lt_Larry
Space Ninja
Surely the last one wouldn't work - you'd need to have been already logged into the account you wanted to break into.
09-14-2012, 11:06 PM #7
Originally posted by Mr
I am so going to have to test this out! Thanks a lot, man! :)

No problem, glad you like it. ;)
09-14-2012, 11:08 PM #8
Originally posted by x3DKINECTPORNx View Post
This is actually pretty interesting. Nice tut man.

I found it interesting as well... that's why I wanted to share it. :)
09-14-2012, 11:43 PM #9
xiDeft
Bounty hunter
Thanks for the interesting TUT.
09-16-2012, 02:15 AM #10
luminous
Save Point
Cool, interesting.

Copyright © 2026, NextGenUpdate.
All Rights Reserved.
