[WEB SECURITY] Password Reset

Paul Schmehl pschmehl_lists at tx.rr.com
Tue May 25 18:32:49 EDT 2010


--On Tuesday, May 25, 2010 15:07:38 -0700 Jim Manico <jim at manico.net> wrote:

> Hey Folks,
>
> I have a hard requirement to build a password reset feature that does not
> include an emailed link or cell phone account verification. I'm thinking:
>
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
>
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
>

We use id (or SS#) and birthdate plus three questions chosen randomly from a 
list of ten possible at account initiation.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
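Putting Jim's items 2a and 3 together with Paul's "three questions chosen randomly from ten" scheme into one knowledge-based reset verifier, as an added example that is not code from either poster; the minimum answer length, PBKDF2 parameters and lockout threshold are assumptions chosen for illustration:

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000          # PBKDF2 cost; assumed value
MAX_FAILURES = 3              # lockout threshold (Jim's item 3); assumed value
QUESTIONS_PER_CHALLENGE = 3   # Paul's "three questions chosen randomly"

def normalize(answer):
    # Case- and whitespace-insensitive so "Main St." and "  main st." match.
    return " ".join(answer.lower().split())

def hash_answer(answer, salt):
    # Answers are stored hashed and salted like passwords, never in clear.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)

def meets_policy(answer, min_len=8):
    # Hypothetical stand-in for "at least as strong as the password policy".
    return len(normalize(answer)) >= min_len

class ResetAccount:
    def __init__(self, answers):
        # answers: {question_id: plaintext answer}, set at account initiation.
        self.records = {}
        for qid, ans in answers.items():
            if not meets_policy(ans):
                raise ValueError(f"answer to {qid} does not meet policy")
            salt = os.urandom(16)
            self.records[qid] = (salt, hash_answer(ans, salt))
        self.failures = 0
        self.locked = False

    def challenge(self):
        # Random subset per attempt, so no single guessed answer is enough.
        return secrets.SystemRandom().sample(sorted(self.records), QUESTIONS_PER_CHALLENGE)

    def verify(self, responses):
        if self.locked:
            return False
        ok = True
        for qid, given in responses.items():
            salt, stored = self.records[qid]
            # Check every answer (no early exit) with a constant-time compare.
            ok &= hmac.compare_digest(hash_answer(given, salt), stored)
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False
```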

