[WEB SECURITY] Password Recovery

Jeremiah Grossman jeremiah at whitehatsec.com
Wed Jun 15 18:25:19 EDT 2005

I agree that using secret questions alone isn't the best idea, however 
they still can be of use. The challenge is selecting the right password 
recovery model, or combination of models, for the system we're 
securing. Low security vs. high security - easy vs. inconvenient.

Currently, I'm a fan of the password reset request using email 
verification (All the usual precautions taken of course). This does 
require a registered email address, but for the user it's simple, easy, 
and a fairly secure process.

For the more secure systems we can consider combining knowledge or 
usernames, email address, secret questions, etc.


On Wednesday, June 15, 2005, at 02:31 PM, Dave King wrote:

> Hi All-
>    I was wondering what everyone's opinion is on good password 
> recovery options for a web application.  In OWASP's penetration 
> testing document it says "Ensure that the user must respond to a 
> secret answer or secret question or other predetermined information 
> before passwords can be reset."  However Bruce Schneier and others 
> disagree, check out this blog post 
> http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html .  
> Basically he says these secret questions drastically lessen security 
> because it's easier to guess the answer to the secret question than it 
> is to guess the password.  Does anyone have any opinion on this or 
> have found another solution that works well?
> Thanks,
> Dave King
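The email-verification reset model discussed above, with the "usual precautions" made explicit, as an added example that is not from either poster: an unguessable single-use token, stored only as a hash, expiring after a short window, with identical behaviour for unknown addresses so the endpoint does not reveal which emails are registered. The user store, the `send_email` transport and the 15-minute window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed window: short-lived tokens limit exposure


def _hash_token(token: str) -> str:
    # Store only a hash: a leaked table of pending resets is useless without the emailed token.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password: str, salt=None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex = stored.split("$")[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


class PasswordResetService:
    """Password reset by email verification with the precautions built in."""

    def __init__(self, users, send_email, now=time.time):
        self.users = users            # constructed store: email -> {"password_hash": ...}
        self.send_email = send_email  # assumed transport: send_email(to, body)
        self._now = now
        self._pending = {}            # token hash -> (email, expiry)

    def request_reset(self, email: str) -> None:
        # Same (empty) response whether or not the address is registered: no account enumeration.
        if email not in self.users:
            return
        # One live token per account: a new request voids any earlier one.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, not guessable
        self._pending[_hash_token(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        self.send_email(email, f"Reset link: https://example.invalid/reset?token={token}")

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self._pending.pop(_hash_token(token), None)  # pop: the token is single use
        if entry is None:
            return False
        email, expiry = entry
        if self._now() > expiry:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        return True
```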

The Web Security Mailing List
