[WEB SECURITY] Password Reset

Jeremiah Heller jeremiah at inertialbit.net
Tue May 25 18:42:51 EDT 2010


On May 25, 2010, at 3:07 PM, Jim Manico wrote:

> I have a hard requirement to build a password reset feature that does not include an emailed link or cell phone account verification. I'm thinking:
> 
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
> 
> I still don't like it - which is why I'm spamming you. :) Any thoughts?

I can't think of anything much different myself, but to address the usability issue there could be a set of multiple questions with relatively lax answer-strength validations. Then enforce account lockout if any of the given answers are wrong more than 2 or so times...
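As an added illustration of the scheme discussed in this thread (my own sketch, not code from either poster): several pre-set questions with lax answer matching, answers stored salted-and-hashed like passwords, and a lockout counter that trips after repeated wrong answers. The threshold of 3 (for "more than 2 or so"), the PBKDF2 parameters and the function names are assumptions.

```python
# Added example: security-question reset gate with lockout (not from the thread).
import hashlib, hmac, os, unicodedata

LOCKOUT_THRESHOLD = 3   # assumption: lock the account on the 3rd wrong attempt

def normalize(answer: str) -> str:
    # Lax matching: NFKC-normalise, casefold, trim, collapse internal whitespace.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat answers like passwords: per-question salt and a slow hash (PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

def enroll(questions):
    """questions: list of (question, answer) pairs. Returns the stored record."""
    record = {"failures": 0, "locked": False, "questions": []}
    for q, a in questions:
        salt = os.urandom(16)
        record["questions"].append({"q": q, "salt": salt, "hash": hash_answer(a, salt)})
    return record

def verify_reset(record, answers):
    """Check every answer; lock the account once failures reach the threshold.

    Returns "ok", "wrong" or "locked". All answers are checked with no early
    exit and compared in constant time, so the response does not reveal which
    individual answer was wrong.
    """
    if record["locked"]:
        return "locked"
    all_good = len(answers) == len(record["questions"])
    for entry, given in zip(record["questions"], answers):
        digest = hash_answer(given, entry["salt"])
        if not hmac.compare_digest(digest, entry["hash"]):
            all_good = False
    if all_good:
        record["failures"] = 0          # a good reset clears the failure counter
        return "ok"
    record["failures"] += 1
    if record["failures"] >= LOCKOUT_THRESHOLD:
        record["locked"] = True         # requires out-of-band unlock from here on
        return "locked"
    return "wrong"
```

A real deployment would also persist the counter server-side and rate-limit by source, since the counter alone only protects one account at a time.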