[WEB SECURITY] Password Reset
jim at manico.net
Tue May 25 18:07:38 EDT 2010
I have a hard requirement to build a password reset feature that does
*not* include an emailed link or cell phone account verification. I'm
1) Enter your username
2) Answer a pre-set security question
2a) Ensure the security question answer is at least as strong as the
current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure
I still don't like it - which is why I'm spamming you. :) Any thoughts?
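
Steps 2a and 3 of the flow in the message above, as an added example that is not part of the original post. The policy rule, the thresholds, the `ResetAccounts` name and the in-memory store are all assumptions made for illustration.

```python
import hashlib, hmac, os, time

MIN_ANSWER_LEN = 12    # assumed: stands in for the site's password policy
MAX_FAILURES = 3       # assumed lockout threshold
LOCKOUT_SECONDS = 900  # assumed lockout duration

def meets_policy(answer):
    """Step 2a: hold the security answer to the (assumed) password policy."""
    classes = sum([any(c.islower() for c in answer),
                   any(c.isupper() for c in answer),
                   any(c.isdigit() for c in answer)])
    return len(answer) >= MIN_ANSWER_LEN and classes >= 2

def _digest(answer, salt):
    # Store the answer like a password: salted, slow hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)

class ResetAccounts:
    def __init__(self):
        self.users = {}  # username -> record (in-memory stand-in for a database)

    def enroll(self, username, answer):
        if not meets_policy(answer):
            return False
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": _digest(answer, salt),
                                "failures": 0, "locked_until": 0.0}
        return True

    def check_answer(self, username, answer, now=None):
        """Steps 1-3: returns 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        if now < rec["locked_until"]:
            return "locked"  # a correct answer is refused too while locked
        if hmac.compare_digest(_digest(answer, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The lockout is time-based here, so repeated wrong answers can also be used to keep the real owner out for the lockout window.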