[WEB SECURITY] Password Reset

Jim Manico jim at manico.net
Tue May 25 18:07:38 EDT 2010


Hey Folks,

I have a hard requirement to build a password reset feature that does
*not* include an emailed link or cell phone account verification. I'm
thinking:

1) Enter your username
2) Answer a pre-set security question
   2a) Ensure the security question answer is at least as strong as the
       current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?

Aloha,
Jim

