[WEB SECURITY] Password Reset

Andy Steingruebl steingra at gmail.com
Tue May 25 18:34:30 EDT 2010
1. See if you can use Machine-ID of some form to determine the
likelihood this is the same user
2. use geolocation for the same
3. Time of day access pattern - similar or different

Just a few ideas off the top of my head.

On Tue, May 25, 2010 at 3:07 PM, Jim Manico <jim at manico.net> wrote:
> Hey Folks,
>
> I have a hard requirement to build a password reset feature that does not
> include an emailed link or cell phone account verification. I'm thinking:
>
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
>
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
>
> Aloha,
> Jim
-- 
Andy Steingruebl
steingra at gmail.com
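One way to turn the three signals above (machine-ID, geolocation, time-of-day pattern) into a gate in front of the question-based reset, as an added example that is not code from either poster: each signal that does not match the account's past sessions adds a point, and the score decides whether the security question is asked at all. The `Event` fields, the policy names and the sample history are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed session for the account (field choices are assumptions)."""
    device_id: str   # "machine-ID": a persistent device cookie or fingerprint hash
    country: str     # from IP geolocation
    hour: int        # local hour of day, 0-23


def hour_distance(a: int, b: int) -> int:
    """Circular distance between two hours of day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def reset_risk(attempt: Event, history: list[Event], hour_window: int = 2):
    """Count how many of the three signals look unlike the account's past sessions.

    Returns (score, signals). With an empty history every signal is unfamiliar,
    so a never-used account gets the maximum score rather than a free pass.
    """
    signals = {
        "unknown_device": all(e.device_id != attempt.device_id for e in history),
        "unknown_country": attempt.country not in {e.country for e in history},
        "unusual_hour": all(hour_distance(attempt.hour, e.hour) > hour_window
                            for e in history),
    }
    return sum(signals.values()), signals


def reset_policy(attempt: Event, history: list[Event]) -> str:
    """Map the risk score onto how the question-based reset may proceed."""
    score, _ = reset_risk(attempt, history)
    if score == 0:
        return "question_only"        # looks like the usual user: ask the question
    if score == 1:
        return "question_with_delay"  # one oddity: ask, but add a cooling-off delay
    return "deny"                     # several oddities: no self-service, route to support


# Constructed sample history: the account normally logs in from two devices
# in the US during daytime and evening hours.
SAMPLE_HISTORY = [
    Event("dev-a1", "US", 9),
    Event("dev-a1", "US", 14),
    Event("dev-b2", "US", 20),
]

if __name__ == "__main__":
    for attempt in (Event("dev-a1", "US", 10), Event("dev-zz", "US", 10),
                    Event("dev-zz", "XX", 3)):
        print(attempt, "->", reset_policy(attempt, SAMPLE_HISTORY))
```

The thresholds are deliberately coarse; in a real deployment the "deny" branch would also feed the lockout counter from step 3 of the proposal so repeated low-confidence attempts cannot probe the question.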
