[WEB SECURITY] Password Reset

Bednar, Michael C MBEDNAR at katz.pitt.edu
Tue May 25 18:59:34 EDT 2010

What always bugged me about these kinds of reset schemes is that if you make the answer to the question sufficiently hard enough, what makes you think they'll remember the answer any more than the password? And if the question deals with personal information (that only the account holder knows -- yeah, right), what's to keep the account from getting "palined". I advise my customers to pick an answer to such questions that is not related to the questions and use it on ALL their security questions (i.e. q:"What school did you go to?" a:"rainbow", q:"What was your father's middle name?" a:"rainbow"). It does prevent someone from guessing the answers to security questions, but then if they lose control of this answer, they might as well give up the passwords on all their accounts. I don't think there's a good way to do resets without requiring positive ID of the account holder. Not always practical, I know...


-> -----Original Message-----
-> From: Jim Manico [mailto:jim at manico.net]
-> Sent: Tuesday, May 25, 2010 6:08 PM
-> To: 'Webappsec Group'
-> Subject: [WEB SECURITY] Password Reset
-> Hey Folks,
-> I have a hard requirement to build a password reset feature that does not
-> include an emailed link or cell phone account verification. I'm thinking:
-> 1) Enter your username
-> 2) Answer a pre-set security question
->   2a) Ensure the security question answer is at least as strong as the
-> current password policy (ouch - this might radically limit usability)
-> 3) Enforce account lockout around security question failure
-> I still don't like it - which is why I'm spamming you. :) Any thoughts?
-> Aloha,
-> Jim
