[WEB SECURITY] Password Reset

Arian J. Evans arian.evans at anachronic.com
Tue May 25 20:53:18 EDT 2010


Also Jim - I should have added earlier - but one of my financial
institutions uses pictures for account reset with their questions.

Personally I find them cute, and easy to remember. I always go for the
pictures of the motorcycles - they catch my eye and are super easy for me
to remember which one I picked.

Maybe a modern solution like this would work for you too?

If you can't build it secure - might as well make it fun!

Looks like some folks have suggested using public-record data like
DOB. That stuff is always fun too!

--
Arian Evans


On Tue, May 25, 2010 at 5:09 PM,  <neza0x at gmail.com> wrote:
> Not too much to do with those restrictions. Hopefully, this is not a
> sensitive system, otherwise I will go for SMS cell message validation.
>
> 1. Enforce account lockout for username too.
> 2. Use captcha
> 3. Security questions should be tied to PII info instead of simple questions
> like "color of your first car". You could ask for last four digits of your
> license, social or employee id. This works for home grown applications and
> requires other controls like encryption to safely store sensitive
> answers.
>
> All depends on the sensitivity of the system you are trying to protect.
>
> Hope this helps.
>
> Sent via BlackBerry from Danux Network
>
> ________________________________
> From: Jim Manico <jim at manico.net>
> Date: Tue, 25 May 2010 15:07:38 -0700
> To: 'Webappsec Group'<websecurity at webappsec.org>
> Subject: [WEB SECURITY] Password Reset
> Hey Folks,
>
> I have a hard requirement to build a password reset feature that does not
> include an emailed link or cell phone account verification. I'm thinking:
>
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
>
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
>
> Aloha,
> Jim
>
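The flow Jim sketches (username, then a pre-set security question whose answer must meet the password policy, then lockout on failures) together with neza0x's point that lockout must be keyed on the username, as an added example written for this reply. It is not code from Jim, neza0x or the list; the policy numbers, the hash parameters and the decoy-question list are constructed assumptions, and the injectable clock exists only so the lockout can be exercised without waiting. Answers are stored like passwords (salted, slow hash, compared in constant time), unknown usernames get a consistent decoy question so the reset page does not reveal which accounts exist, and a locked account refuses even the correct answer until the window expires.

```python
"""Password reset by username + security question, with per-username lockout."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Constructed policy values; mirror them on the site's real password policy.
MIN_ANSWER_LEN = 10          # same minimum length as the password policy
MAX_FAILURES = 5             # failed answers before the username is locked
LOCKOUT_SECONDS = 15 * 60    # lockout window
PBKDF2_ITERATIONS = 100_000  # constructed; tune to your hardware
COMMON_ANSWERS = {"password", "blue", "red", "honda", "toyota", "smith"}
DECOY_QUESTIONS = (           # shown for unknown usernames, never tied to a real account
    "What was the make of your first car?",
    "What is the name of the street you grew up on?",
    "What was your first pet's name?",
)


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so a stray capital does not lock out a real user."""
    return " ".join(answer.strip().lower().split())


def answer_meets_policy(answer: str) -> bool:
    """Step 2a: the answer must be at least as strong as a password."""
    n = normalize(answer)
    if len(n) < MIN_ANSWER_LEN or n in COMMON_ANSWERS:
        return False
    # a typical complexity rule: letters and digits both present
    return re.search(r"[a-z]", n) is not None and re.search(r"\d", n) is not None


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: salted, slow hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    question: str
    salt: bytes
    answer_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class ResetService:
    """In-memory stand-in for the account store (constructed for the example)."""

    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}
        self.now = now  # injectable clock so lockout expiry can be tested

    def enroll(self, username: str, question: str, answer: str) -> None:
        if not answer_meets_policy(answer):
            raise ValueError("security answer does not meet the password policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(username, question, salt, hash_answer(answer, salt))

    def get_question(self, username: str) -> str:
        """Step 1: the username is entered; unknown names get a stable decoy question."""
        acct = self.accounts.get(username)
        if acct is not None:
            return acct.question
        digest = hashlib.sha256(username.encode("utf-8")).digest()
        return DECOY_QUESTIONS[digest[0] % len(DECOY_QUESTIONS)]

    def verify_answer(self, username: str, answer: str) -> str:
        """Steps 2 and 3: returns 'ok', 'denied' or 'locked'. On 'ok' the caller issues a reset token."""
        now = self.now()
        acct = self.accounts.get(username)
        if acct is None:
            hash_answer(answer, b"\x00" * 16)  # spend the same work as a real check
            return "denied"
        if now < acct.locked_until:
            return "locked"  # even a correct answer is refused inside the window
        if hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0  # a fresh budget once the window expires
            return "locked"
        return "denied"
```

The lockout state lives on the account record, so it is keyed on the username rather than the client address and cannot be reset by changing IPs; the captcha from neza0x's list would sit in front of `verify_answer` and is not modelled here.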
