[WEB SECURITY] Password Reset

Arian J. Evans arian.evans at anachronic.com
Tue May 25 19:06:26 EDT 2010

You simply cannot make an in-band account reset feature usable and secure.

Human beings are poor entropy generators and terrible entropy
retainers (passwords, secret questions).

So you make it secure, and in the end pay more money handling the call
volume to your support center to reset passwords, and deal with a
small percentage of customer loss due to frustration.

Or you make it highly usable, and you will be hackable.

This is why OoB reset features have evolved (out of band email links,
etc.). They provide a nice balance of price/performance, keeping you
relatively secure while keeping your call cost down.

Another option is that you could move all this to "the cloud". I hear
they don't have to even use passwords in there.

Arian Evans

On Tue, May 25, 2010 at 3:07 PM, Jim Manico <jim at manico.net> wrote:
> Hey Folks,
> I have a hard requirement to build a password reset feature that does not
> include an emailed link or cell phone account verification. I'm thinking:
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
> Aloha,
> Jim
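As an added example, not code from either poster, here is one way to implement the out-of-band e-mail link reset Arian refers to: a random token with enough entropy to replace the human-chosen secret, stored only as a hash, time-limited and single-use. The class name, the 15-minute lifetime and the in-memory store are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes


class ResetTokenStore:
    """Tracks outstanding reset tokens (assumed in-memory store for the example).

    Only the SHA-256 of each token is kept, so a leaked store does not yield
    working reset links; the raw token exists only inside the e-mail sent out of band.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # username -> (token_hash, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        # 256 bits from the OS CSPRNG: the entropy a human could never supply or retain
        token = secrets.token_urlsafe(32)
        self._pending[username] = (self._digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token  # caller places this in the out-of-band reset link only

    def redeem(self, username, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[username]  # stale link, discard it
            return False
        # constant-time comparison of the hashes avoids leaking a match by timing
        if not hmac.compare_digest(self._digest(token), token_hash):
            return False
        del self._pending[username]      # single use: a replayed link fails
        return True
```

The link itself does nothing unless it reaches the mailbox on file, which is what keeps the feature out of band rather than guessable in band.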
