[WEB SECURITY] Password Reset

Bil Corry bil at corry.biz
Tue May 25 19:22:44 EDT 2010


Jim Manico wrote on 5/25/2010 3:07 PM: 
> I have a hard requirement to build a password reset feature that does
> *not* include an emailed link or cell phone account verification. I'm
> thinking:
> 
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure

If there's already a process in place to handle accounts that are locked out, why not just leverage that process to reset the account?


- Bil
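The three-step flow Jim sketches, worked through as an added example (it is my illustration, not code from either poster): the security-question answer is held to a password-style policy (step 2a), stored only as a salted PBKDF2 hash, compared in constant time, and the account locks after repeated failures (step 3). The policy rule, the iteration count and the lockout threshold of 5 are assumed values, not from the thread.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

LOCKOUT_THRESHOLD = 5  # assumed value; the thread does not specify one
PBKDF2_ITERATIONS = 200_000  # assumed value

def answer_meets_policy(answer: str, min_len: int = 12) -> bool:
    """Step 2a: apply a password-style policy to the reset answer.
    Assumed rule: at least min_len characters and three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    hits = sum(1 for c in classes if re.search(c, answer))
    return len(answer) >= min_len and hits >= 3

def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the answer like a password: salted, slow hash. Whitespace is trimmed
    so a stray space at entry time does not count as a failed attempt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.strip().encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class ResetAccount:
    """Minimal account record holding only what the reset flow needs."""

    def __init__(self, username: str, answer: str) -> None:
        if not answer_meets_policy(answer):
            raise ValueError("security answer does not meet the password policy")
        self.username = username
        self.salt, self.answer_hash = hash_answer(answer)
        self.failures = 0
        self.locked = False

    def attempt_reset(self, answer: str) -> str:
        """Steps 2-3: verify the answer; count failures; lock out at the threshold.
        Returns 'ok', 'denied' or 'locked'. A locked account rejects even a correct answer."""
        if self.locked:
            return "locked"
        _, digest = hash_answer(answer, self.salt)
        if hmac.compare_digest(digest, self.answer_hash):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "denied"
```

Once `locked` is set, unlocking is deliberately left to whatever out-of-band lockout process already exists, which is the point Bil raises.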

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
