4

Our organization is rolling out yearly password expiration to our 40,000+ users this fall, and we have been socializing this change for some time now. However, being such a large organization, our users are also consistently bombarded with phishing emails. The rule of thumb we tell our users is "Don't click on links in emails you didn't expect".

However, now that we are rolling out password expiration, we are planning to send emails to users whose passwords will expire soon, urging them to change their password.

The emails:

  • Are well branded and look professional
  • Personally identify the user with their username and an internal (although not completely private) ID number
  • Clearly explain what is going on, and what action to take
  • Contain proper headers that let advanced users verify the sending email server belongs to our organization (e.g. we aren't sending these from off-site)

However to make life significantly easier on users, we have a couple links in the emails:

  • A link to our documentation for password expiration on our website
  • A link to the actual password reset application
  • A link to the password recovery application (for lost passwords)

There is also a mini-guide on how to identify trustworthy sites by checking the URL and SSL certificate, and when in doubt to type out the address to our homepage itself, then follow the links.

My question is:

Is there any amount of legitimacy we can add to the password expiration email so users can trust this email (which they probably weren't expecting) and click on the links, or should we ditch the links altogether and just tell users to do the process themselves instead of clicking on a convenient button in the email?

Vilican
Resorath
  • As a note, this is similar to [this question](http://security.stackexchange.com/questions/31867/is-it-inconsistent-to-tell-users-to-not-click-on-password-links-in-email-and) however, the users are not expecting the emails like they would with a password reset email. – Resorath Jul 02 '15 at 20:12
  • Switch to SMS. Send a 6-digit reset token to the phone. An SMS costs ~7 cents, so the cost would be 400 USD for sending one batch of messages to 40000 users. Much more trustable, as phone numbers are less likely to leak. – Mikko Ohtamaa Jul 03 '15 at 19:38
  • Also SMS phishing is less likely due to higher cost of outgoing message. – Mikko Ohtamaa Jul 03 '15 at 19:40

2 Answers

4

The short answer is no. Sure you can make your email very legitimate looking, that isn't the problem. The problem is you are conditioning your users to click on links in emails and email is a 100% insecure medium. Links in emails are an anti-pattern.

"Official looking" isn't secure. Almost everything in your email can be replicated by a dedicated attacker. If you are mycompany.com, an attacker using myc0mpany.com would almost certainly phish some significant percentage of your users. The attacker can use SSL and SPF as well. That leaves only some very subtle things, which are not strong identifiers.

It is clear you have put some thought into this. Things like identifying the user by username add legitimacy, but would most of them notice if another email from "you" didn't? As an experiment, if you sent a similar email to a test group without those extra legitimacy boosters, or from a spoofed domain (myc0mpany.com), my guess is you would see a click-through rate that is almost as high.

Now, if your bosses pressure you into using links, well, I certainly understand. We as an industry have done an incredibly good job of conditioning everyone from end users to policy makers to expect this anti-pattern. However, if you can, take a step back. Why do you need a link in the email?

Why can't you just handle password reset on the next login? Send an email to users advising them they will need to reset their password on the next login. You could include a screenshot of a browser (with url) and the login page if you think users are incapable of finding their way to the login screen without a direct (insecure) link.

Also I would not roll out a password reset to all 40,000 users at once. Handle it in batches and take time between batches to get feedback.

Even for lost passwords there is no need to include links in emails.

  1. On the website, the user tries to log in and can't.
  2. The user clicks "forgot password" and completes any alternate identification requirements.
  3. Server side, generate a reset code, update the user record in the DB to store the account status (reset), and store the reset code and its expiration.
  4. Send an email to the user containing the reset code (no links).
  5. A page loads to tell the user that an email has been sent containing the reset code.
  6. The user copies the reset code from the email and pastes it into the secure site.

The most important thing you can do to prevent phishing attacks is regularly and continually remind the users to never click links in emails. This should be done both in all your email communication and at the website login. You should also have a dedicated email address such as fraud@mycompany.com and advertise it in all email communication. This won't prevent phishing emails but it may alert you to an attack earlier.

Gerald Davis
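The six-step reset flow in the answer above, written out as an added example (it is not code from the answer's author). It assumes an in-memory dict standing in for the user table, a hypothetical 15-minute code lifetime, a limit of five wrong guesses, and function names such as `start_reset` and `complete_reset` that are invented here. The code that goes into the email is stored only as a hash, is single-use, and the email body carries instructions rather than links.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "user table" standing in for the site's database (assumption).
# "status" is "active" or "reset", as in step 3 of the answer.
USERS = {
    "alice": {"status": "active", "reset_hash": None, "reset_expires": 0.0,
              "reset_attempts": 0, "password_hash": None},
}

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset code
MAX_ATTEMPTS = 5             # assumed cap on wrong guesses per issued code
SITE = "mycompany.com"       # placeholder domain from the answer


def _hash_code(code):
    # The code has 48 bits of entropy, so a plain SHA-256 of it is fine to store.
    return hashlib.sha256(code.encode()).hexdigest()


def _hash_password(password):
    # Salted PBKDF2 for the new password; any slow password hash would do.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + ":" + digest.hex()


def _clear_reset(user):
    user["status"] = "active"
    user["reset_hash"] = None
    user["reset_expires"] = 0.0
    user["reset_attempts"] = 0


def start_reset(users, username, now=None):
    """Step 3: generate a reset code, mark the account 'reset', store the code's
    hash and expiry. Returns the code for the email body (step 4), or None for an
    unknown user (the caller should show the same 'email sent' page either way)."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None:
        return None
    code = "-".join(secrets.token_hex(2) for _ in range(3))   # e.g. 'a1b2-c3d4-e5f6'
    user["status"] = "reset"
    user["reset_hash"] = _hash_code(code)   # never store the code itself
    user["reset_expires"] = now + CODE_TTL_SECONDS
    user["reset_attempts"] = 0
    return code


def complete_reset(users, username, code, new_password, now=None):
    """Step 6: the user pastes the code into the site. Accept it only if the
    account is in 'reset' state and the code is unexpired, under the guess limit
    and matches; then consume it so it cannot be replayed."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None or user["status"] != "reset" or user["reset_hash"] is None:
        return False
    if now > user["reset_expires"]:
        _clear_reset(user)          # expired codes are discarded outright
        return False
    if not hmac.compare_digest(user["reset_hash"], _hash_code(code.strip())):
        user["reset_attempts"] += 1
        if user["reset_attempts"] >= MAX_ATTEMPTS:
            _clear_reset(user)      # too many guesses: user must start over
        return False
    user["password_hash"] = _hash_password(new_password)
    _clear_reset(user)
    return True


def email_body(username, code):
    """Step 4: the message carries the code and instructions, and no links."""
    return (f"Hello {username},\n"
            f"Your password reset code is: {code}\n"
            f"Type {SITE} into your browser, choose 'Forgot password' and paste "
            "this code. It expires in 15 minutes. We never send links in email.\n")


if __name__ == "__main__":
    issued = start_reset(USERS, "alice")
    print(email_body("alice", issued))
    print("reset accepted:", complete_reset(USERS, "alice", issued, "correct horse battery staple"))
```

Because the code is entered on a page the user navigated to themselves, the email needs no URL at all, which is the whole point of the answer; the hash-at-rest, expiry and guess limit are what keep a leaked mailbox or a guessing attacker from turning the code into an account takeover.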
1

1) You can digitally sign the email, so it will look more trustworthy (if the mail app supports it and does not just show the signature as an attachment).

2) It is not the best idea to include links in the email. It is better to give them instructions on how to make the change and where. Also, the password change tool should be on your company URL that they know and trust.

3) This email should come from an address of your company that is established for your company and that the customers trust. (By this I mean: if you are using info@yourcompany.com, then do not create passwords@yourcompany.com etc.)

4) Add a scan footer from some antivirus software. For example, this is what Avast adds:

[Image: Avast! footer]

5) This email should contain your company's logo and the typical company signature.

6) If you have something you can use to tell users that they should expect this mail and from what address, do it. Also include that one link in every one of your password messages, so the users can validate it.

7) IMPORTANT: set up an SPF record, so if an attacker sends false emails that have @yourcompany.com in the sender address, they will be marked or suppressed. If not, the attacker can use some of the "fake mailers". Here is one, for example: Emkei's fake mailer

Vilican
  • Regarding #1 - you're assuming that most users will know how to verify such a signature. #4 - an attacker could easily add such a footer. #7 - Although SPF can help, it is incorrect to say that an attacker _cannot_ send fake emails. SPF only helps prevent spoofed "envelope from" messages and it doesn't validate the `From:` header shown in the email message. This also depends on how the recipient's MTA handles the SPF validation. – SilverlightFox Jul 03 '15 at 09:13
  • @SilverlightFox: #1 - No. I am assuming that the mail app will show an icon which will raise trust in this email. #4 - Yes, he can. But it also can raise users' trust in this email. #7 - Fixed. – Vilican Jul 03 '15 at 14:51