[WEB SECURITY] Password Reset

Kevin Stewart kevin.g.stewart at gmail.com
Tue May 25 18:33:41 EDT 2010

One idea:

Multiple "cognitive" questions in account registration. On password
reset, randomize across one or two of those questions. Most important,
if the user gets the question wrong, do not randomize and try another
question. Stick to that question. I'd hesitate to suggest a strict
lockout on this method, as it could create a denial of service
situation if not implemented with other controls.

Kevin Stewart

On 5/25/10, Jim Manico <jim at manico.net> wrote:
> Hey Folks,
> I have a hard requirement to build a password reset feature that does
> *not* include an emailed link or cell phone account verification. I'm
> thinking:
> 1) Enter your username
> 2) Answer a pre-set security question
>    2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
> Aloha,
> Jim

Kevin G. Stewart
