[WEB SECURITY] Password Reset

neza0x at gmail.com
Tue May 25 20:09:29 EDT 2010


Not too much to do with those restrictions. Hopefully this is not a sensitive system; otherwise I would go for SMS cell-message validation.

1. Enforce account lockout for the username too.
2. Use a CAPTCHA.
3. Security questions should be tied to PII instead of simple questions like "color of your first car". You could ask for the last four digits of your license, social, or employee ID. This works for home-grown applications and requires other controls like encryption for safe storage of the sensitive answers.

All depends on the sensitivity of the system you are trying to protect.

Hope this helps.

Sent via BlackBerry from Danux Network

-----Original Message-----
From: Jim Manico <jim at manico.net>
Date: Tue, 25 May 2010 15:07:38 
To: 'Webappsec Group'<websecurity at webappsec.org>
Subject: [WEB SECURITY] Password Reset
Hey Folks,

I have a hard requirement to build a password reset feature that does 
*not* include an emailed link or cell phone account verification. I'm 
thinking:

1) Enter your username
2) Answer a pre-set security question
   2a) Ensure the security question answer is at least as strong as the 
current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?

Aloha,
Jim
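The flow Jim sketches (username, pre-set security question, answer at least as strong as the password policy, lockout on failures) plus the two additions from the reply above (lock out by username, encrypt or otherwise protect the stored answers) can be expressed as a small service. The code below is an added example, not code from either poster; the policy (8+ characters, not all letters), the lockout thresholds, the PBKDF2 hashing of answers, and the identical "denied" response for unknown usernames, wrong answers and locked accounts are my choices to illustrate the design, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import time

# Constructed tunables for the example; pick your own for a real deployment.
MAX_FAILURES = 3          # failed answers before the username is locked
LOCKOUT_SECONDS = 900     # how long the username stays locked
MIN_ANSWER_LENGTH = 8     # stand-in for "as strong as the password policy"
PBKDF2_ROUNDS = 100_000   # work factor for hashing stored answers


def answer_meets_policy(answer: str) -> bool:
    """Step 2a: the reset answer must satisfy at least the password policy.
    Constructed policy: 8+ characters and not purely alphabetic."""
    a = answer.strip()
    return len(a) >= MIN_ANSWER_LENGTH and not a.isalpha()


def _normalize(answer: str) -> bytes:
    # Trim and case-fold so "Blue Honda 1998" and "blue honda 1998" compare equal.
    return answer.strip().casefold().encode("utf-8")


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored salted and hashed, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ROUNDS)


class PasswordResetService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._answers = {}    # username -> (salt, answer_hash)
        self._failures = {}   # username -> (failure_count, locked_until)

    def enroll(self, username: str, answer: str) -> None:
        """Register a security answer, enforcing the policy at enrollment time."""
        if not answer_meets_policy(answer):
            raise ValueError("security answer does not meet the password policy")
        salt = os.urandom(16)
        self._answers[username] = (salt, _hash_answer(answer, salt))

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._failures.get(username, (0, 0.0))
        return locked_until > self._clock()

    def attempt_reset(self, username: str, answer: str) -> str:
        """Steps 1-3. Returns 'ok' or 'denied'. Unknown username, wrong answer and
        locked account all yield the same 'denied', so the endpoint does not reveal
        which usernames exist; failures are counted per submitted username."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until > now:
            return "denied"
        record = self._answers.get(username)
        if record is None:
            # Unknown username: do a dummy hash so response time matches a real user.
            _hash_answer(answer, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_answer(answer, salt), stored)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.enroll("jim", "blue honda 1998")   # constructed sample user and answer
    print(svc.attempt_reset("jim", "Blue Honda 1998 "))   # ok
    for _ in range(MAX_FAILURES):
        print(svc.attempt_reset("jim", "wrong answer 1"))  # denied
    print(svc.is_locked("jim"))                           # True
```

The lockout is keyed by the submitted username rather than by client address, which is what the first point in the reply asks for; a CAPTCHA or similar rate limit would still be needed in front of `attempt_reset`, since per-username lockout alone lets a guesser lock other people out.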


