[WEB SECURITY] Password Recovery

Ian Holsman kryton at gmail.com
Wed Jun 15 22:36:00 EDT 2005


Better than standard practice is to mail a URL with a reset hash which
brings the user to a page where he can reset his password.

On 6/16/05, Rich Salz <rsalz at datapower.com> wrote:
> > Just thinking out loud, what if the user had to provide their username and
> > answered their secret question - and only then would the password be emailed
> > to the email address that matches the account?
> 
> Isn't this standard practice?  "We mailed a password to the email address
> on file."
> 
>         /r$
> --
> Rich Salz                  Chief Security Architect
> DataPower Technology       http://www.datapower.com
> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
> 
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
> 


-- 
Ian at Holsman.net -- 03-9877-0909
If everything seems under control, you're not going fast enough. -
Mario Andretti
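
The reset-link approach suggested in the message above, as an added example that is not part of the original post or thread. The function names, the 15-minute lifetime, the in-memory dict standing in for a database table, storing only a SHA-256 digest of the token, and single-use redemption are all assumptions of this example.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL = 15 * 60   # assumed token lifetime in seconds
PENDING = {}          # token digest -> (username, expiry); stands in for a DB table


def digest(token: str) -> str:
    # Only the digest is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_url(username: str, base_url: str, now: Optional[float] = None) -> str:
    """Create a single-use token; the returned URL is mailed to the address on file."""
    now = time.time() if now is None else now
    # A new request invalidates any earlier outstanding token for this account.
    for d in [d for d, (user, _) in PENDING.items() if user == username]:
        del PENDING[d]
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
    PENDING[digest(token)] = (username, now + TOKEN_TTL)
    return f"{base_url}?token={token}"


def redeem(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username the token was issued for, consuming it; None if invalid."""
    now = time.time() if now is None else now
    entry = PENDING.pop(digest(token), None)   # pop: the link works once only
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        return None                            # expired links are rejected
    return username


if __name__ == "__main__":
    # Constructed sample values; example.test is a placeholder host.
    url = issue_reset_url("alice", "https://example.test/reset")
    print(url)
    print(redeem(url.split("token=")[1]))
```

The reset page calls `redeem()` with the token from the query string and lets the user set a new password only when a username is returned; no password is ever sent by mail.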
