[WEB SECURITY] Password Reset
Arian J. Evans
arian.evans at anachronic.com
Tue May 25 20:53:18 EDT 2010
Also Jim - I should have added earlier - but one of my financial
institutions uses pictures for account reset with their questions.
Personally I find them cute, and easy to remember. I always go for the
pictures of the motorcycles - they catch my eye and it is super easy for me
to remember which one I picked.
Maybe a modern solution like this would work for you too?
If you can't build it secure - might as well make it fun!
Looks like some folks have suggested using public-record data like
DOB. That stuff is always fun too!
On Tue, May 25, 2010 at 5:09 PM, <neza0x at gmail.com> wrote:
> Not too much to do with those restrictions. Hopefully, this is not a
> sensitive system, otherwise I will go for sms cell messages validation.
> 1. Enforce account lockout for username too.
> 2. Use captcha
> 3. Security questions should be tied to PII info instead of simple questions
> like "color of your first car". You could ask for last four digits of your
> license, social or employee id. This works for home grown applications and
> requires other controls like encryption to safely store sensitive
> All depends on the sensitivity of the system you are trying to protect.
> Hope this helps.
> Sent via BlackBerry from Danux Network
> From: Jim Manico <jim at manico.net>
> Date: Tue, 25 May 2010 15:07:38 -0700
> To: 'Webappsec Group'<websecurity at webappsec.org>
> Subject: [WEB SECURITY] Password Reset
> Hey Folks,
> I have a hard requirement to build a password reset feature that does not
> include an emailed link or cell phone account verification. I'm thinking:
> 1) Enter your username
> 2) Answer a pre-set security question
> 2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
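The flow Jim sketches (username, pre-set question, answer held to the password policy, lockout on failure) plus the follow-up point about locking out on the username as well, shown as an added example; this is not code from any participant in the thread. The policy numbers (12-character minimum, two character classes, 5 failures, 15-minute lockout) and the PBKDF2 round count are assumptions standing in for whatever the real password policy says; the answer hash is salted and compared in constant time, and unknown usernames burn the same hashing cost so response time does not reveal whether an account exists.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical policy values; a real deployment would copy them from the
# existing password policy so the answer is at least as strong as a password.
MIN_ANSWER_LEN = 12
MAX_FAILURES = 5            # consecutive failures before the reset path locks
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


def normalize_answer(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Red  Honda' matches 'red honda'."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def answer_meets_policy(answer: str) -> bool:
    """Step 2a: the normalized answer must meet the password policy's minimum
    length and mix at least two of letters, digits and other symbols."""
    norm = normalize_answer(answer)
    if len(norm) < MIN_ANSWER_LEN:
        return False
    classes = sum(bool(re.search(p, norm)) for p in (r"[a-z]", r"\d", r"[^a-z\d\s]"))
    return classes >= 2


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalized answer (never store answers in clear)."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Enrollment:
    question: str
    salt: bytes
    answer_hash: bytes


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class PasswordResetService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._enrolled: Dict[str, Enrollment] = {}
        # Keyed by the username as typed, whether or not it exists, so that
        # guessing usernames is throttled exactly like guessing answers.
        self._attempts: Dict[str, AttemptState] = {}
        # Decoy material so unknown usernames cost the same PBKDF2 work.
        self._decoy_salt = secrets.token_bytes(16)
        self._decoy_hash = hash_answer(secrets.token_hex(16), self._decoy_salt)

    def enroll(self, username: str, question: str, answer: str) -> None:
        if not answer_meets_policy(answer):
            raise ValueError("security answer does not meet the password policy")
        salt = secrets.token_bytes(16)
        self._enrolled[username] = Enrollment(question, salt, hash_answer(answer, salt))

    def attempt_reset(self, username: str, answer: str) -> Tuple[str, Optional[str]]:
        """Returns ("OK", one-time reset token), ("DENIED", None) or ("LOCKED", None).
        The status is for the server's own logging; the UI should show one
        generic message for DENIED and LOCKED alike."""
        now = self._clock()
        state = self._attempts.setdefault(username, AttemptState())
        if now < state.locked_until:
            return ("LOCKED", None)
        record = self._enrolled.get(username)
        if record is None:
            computed, expected = hash_answer(answer, self._decoy_salt), self._decoy_hash
        else:
            computed, expected = hash_answer(answer, record.salt), record.answer_hash
        matched = hmac.compare_digest(computed, expected) and record is not None
        if matched:
            state.failures = 0
            return ("OK", secrets.token_urlsafe(32))
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return ("DENIED", None)


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.enroll("jim", "First motorcycle?", "1998 Red Honda CB750")   # constructed sample
    print(svc.attempt_reset("jim", "1998 red honda cb750")[0])        # OK
    print(svc.attempt_reset("jim", "blue")[0])                         # DENIED
```

The reset token returned on success is what the next screen would consume to set a new password; it is the only thing the caller gets, so the answer itself never needs to leave the service. Because the attempt table is keyed on whatever string the user typed, a burst of guesses against a non-existent account locks that name just as a real one would, which is the point raised in the quoted reply about enforcing lockout for the username too.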