[WEB SECURITY] Password Recovery

Dave King davefd at davewking.com
Wed Jun 15 17:31:00 EDT 2005

Hi All-
    I was wondering what everyone's opinion is on good password recovery 
options for a web application.  In OWASP's penetration testing document 
it says "Ensure that the user must respond to a secret answer or secret 
question or other predetermined information before passwords can be 
reset."  However, Bruce Schneier and others disagree; check out this blog 
post: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html 
Basically he says these secret questions drastically lessen security 
because it's easier to guess the answer to the secret question than it 
is to guess the password.  Does anyone have any opinion on this, or has 
anyone found another solution that works well?

Dave King

