[WEB SECURITY] Password Reset

Paul Schmehl pschmehl_lists at tx.rr.com
Tue May 25 18:32:49 EDT 2010

--On Tuesday, May 25, 2010 15:07:38 -0700 Jim Manico <jim at manico.net> wrote:

> Hey Folks,
> I have a hard requirement to build a password reset feature that does not
> include an emailed link or cell phone account verification. I'm thinking:
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
> I still don't like it - which is why I'm spamming you. :) Any thoughts?

We use id (or SS#) and birthdate plus three questions chosen randomly from a 
list of ten possible at account initiation.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
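A sketch of the reset flow discussed in this thread (username, enrolled questions with answers held to the password policy, lockout on challenge failure, and Paul's variant of drawing three questions at random from a pool of ten), as an added example and not code from either poster. The policy numbers, class names and the PBKDF2 round count are assumptions chosen for the illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed policy values (assumptions for this example, not from the thread).
MIN_ANSWER_LEN = 8           # stand-in for "as strong as the password policy"
MAX_FAILURES = 5             # lock the account after this many failed challenges
QUESTIONS_PER_CHALLENGE = 3  # three questions drawn from the enrolled pool
PBKDF2_ROUNDS = 100_000      # lowered for a quick demo; use more in production


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Main St.' and 'main  st.' match."""
    return " ".join(answer.casefold().split())


def answer_meets_policy(answer: str) -> bool:
    """Reject answers weaker than the password policy (length check here)."""
    return len(normalize(answer)) >= MIN_ANSWER_LEN


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are secrets: store them salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    enrolled: dict = field(default_factory=dict)  # question -> (salt, hash)
    failures: int = 0
    locked: bool = False

    def enroll(self, questions: dict[str, str]) -> None:
        """Store hashed answers; refuse any answer that fails the policy."""
        for question, answer in questions.items():
            if not answer_meets_policy(answer):
                raise ValueError(f"answer to {question!r} does not meet policy")
            salt = os.urandom(16)
            self.enrolled[question] = (salt, hash_answer(answer, salt))


class ResetService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, list[str]] = {}  # username -> questions asked

    def register(self, account: Account) -> None:
        self.accounts[account.username] = account

    def start_challenge(self, username: str) -> list[str] | None:
        """Pick a random subset of the enrolled questions for this attempt."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return None  # unknown and locked accounts look the same to the caller
        rng = secrets.SystemRandom()
        asked = rng.sample(list(acct.enrolled), k=QUESTIONS_PER_CHALLENGE)
        self.pending[username] = asked
        return asked

    def answer_challenge(self, username: str, answers: dict[str, str]) -> bool:
        """Verify every asked question; count failures and lock on threshold."""
        acct = self.accounts.get(username)
        asked = self.pending.pop(username, None)  # one attempt per challenge
        if acct is None or acct.locked or asked is None:
            return False
        ok = True
        for question in asked:
            salt, expected = acct.enrolled[question]
            given = hash_answer(answers.get(question, ""), salt)
            # Check all answers, no early exit, so timing does not leak which failed.
            ok &= hmac.compare_digest(given, expected)
        if ok:
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False


if __name__ == "__main__":
    svc = ResetService()
    alice = Account("alice")
    # Constructed enrollment: ten questions, each answer meets the length policy.
    alice.enroll({f"question {i}": f"answer number {i}" for i in range(10)})
    svc.register(alice)
    print("asked:", svc.start_challenge("alice"))
```

The verification step deliberately evaluates all asked questions before returning, and the failure counter lives on the account rather than the session, so an attacker cannot reset it by starting a new challenge.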
