[WEB SECURITY] Password Reset
Risner, Travis (Dublin)
Travis.Risner at Fiserv.com
Tue May 25 23:34:44 EDT 2010
Is every user in this application independent of every other user? Must all lockouts be permanent?
For one application with groups of users, we created rules based on the PCI-DSS guidelines: lockout for ½ hr after 6 bad attempts, admin for the user’s group could immediately unlock others in the group but not themselves, etc. Perhaps this will spawn ideas in new directions?
I also had a financial institution make me pick a picture from a large pool. When I log in, I have to pick my picture out of a randomly chosen subset of the larger pool, etc.
OTOH, if you go for answers to questions, please be kind to your users by making the comparisons case-insensitive and phonic.
From: Jim Manico <jim at manico.net>
Date: Tue, 25 May 2010 15:07:38 -0700
To: 'Webappsec Group' <websecurity at webappsec.org>
Subject: [WEB SECURITY] Password Reset
I have a hard requirement to build a password reset feature that does not
include an emailed link or cell phone account verification. I'm thinking:
1) Enter your username
2) Answer a pre-set security question
2a) Ensure the security question answer is at least as strong as the
current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure
I still don't like it - which is why I'm spamming you. :) Any thoughts?