[WEB SECURITY] Password Reset

Jim Manico jim at manico.net
Tue May 25 20:57:51 EDT 2010


Arian,

I only back your proposed solution below if you add Mike Bailey's "/Are 
you who you say you are?/" checkbox. Defense in depth, right?

- Jim

PS: That was very sarcastic.
> Also Jim - I should have added earlier - but one of my financial
> institutions uses pictures for account reset with their questions.
>
> Personally I find them cute, and easy to remember. I always go for the
> pictures of the motorcycles - they catch my eye and it's super easy for me
> to remember which one I picked.
>
> Maybe a modern solution like this would work for you too?
>
> If you can't build it secure - might as well make it fun!
>
> Looks like some folks have suggested using public-record data like
> DOB. That stuff is always fun too!
>
> --
> Arian Evans
>
>
> On Tue, May 25, 2010 at 5:09 PM,<neza0x at gmail.com>  wrote:
>> Not too much to do with those restrictions. Hopefully, this is not a
>> sensitive system; otherwise I would go for SMS cell message validation.
>>
>> 1. Enforce account locked out for username too.
>> 2. Use captcha
>> 3. Security questions should be tied to PII info instead of simple questions
>> like "color of your first car". You could ask for the last four digits of your
>> license, social or employee id. This works for home-grown applications and
>> requires other controls like encryption for safe storage of sensitive
>> answers.
>>
>> All depends on the sensitivity of the system you are trying to protect.
>>
>> Hope this helps.
>>
>> Sent via BlackBerry from Danux Network
>>
>> ________________________________
>> From: Jim Manico<jim at manico.net>
>> Date: Tue, 25 May 2010 15:07:38 -0700
>> To: 'Webappsec Group'<websecurity at webappsec.org>
>> Subject: [WEB SECURITY] Password Reset
>> Hey Folks,
>>
>> I have a hard requirement to build a password reset feature that does not
>> include an emailed link or cell phone account verification. I'm thinking:
>>
>> 1) Enter your username
>> 2) Answer a pre-set security question
>>    2a) Ensure the security question answer is at least as strong as the
>> current password policy (ouch - this might radically limit usability)
>> 3) Enforce account lockout around security question failure
>>
>> I still don't like it - which is why I'm spamming you. :) Any thoughts?
>>
>> Aloha,
>> Jim
>>

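The flow Jim outlines (username, pre-set question, answer held to the password policy, lockout on failure) together with the per-username lockout and protected answer storage neza0x suggests, as an added Python example that is not code from the thread or its posters; the policy thresholds, class and function names are assumptions.

```python
"""Password-reset flow from the thread: username, pre-set security question,
answer held to the password policy, lockout on failures. Added example, not
code from the list; MIN_ANSWER_LEN, MAX_FAILURES, LOCKOUT_SECONDS are assumed."""
import hashlib
import hmac
import os
import re

MIN_ANSWER_LEN = 12          # assumed: same floor as the password policy
MAX_FAILURES = 5             # assumed lockout threshold per username
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window


def answer_meets_policy(answer: str) -> bool:
    """Step 2a: the answer must be at least as strong as a password."""
    return (len(answer) >= MIN_ANSWER_LEN
            and re.search(r"[A-Za-z]", answer) is not None
            and re.search(r"\d", answer) is not None)


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: normalised, salted, slow hash."""
    norm = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 200_000)


class ResetService:
    def __init__(self) -> None:
        self.users = {}     # username -> (salt, answer_hash)
        self.failures = {}  # username -> (count, last_failure_time)

    def enroll(self, username: str, answer: str) -> None:
        if not answer_meets_policy(answer):
            raise ValueError("security answer does not meet password policy")
        salt = os.urandom(16)
        self.users[username] = (salt, hash_answer(answer, salt))

    def is_locked(self, username: str, now: float) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def attempt_reset(self, username: str, answer: str, now: float) -> bool:
        """Step 3: lockout keyed on username; unknown users, locked users and
        wrong answers all get the same False, and the hash is always computed,
        so the reset form leaks neither account existence nor timing."""
        if self.is_locked(username, now):
            return False
        salt, expected = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(hash_answer(answer, salt), expected)
        if ok and username in self.users:
            self.failures.pop(username, None)
            return True
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, now)
        return False
```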