[WEB SECURITY] Password Reset

Risner, Travis (Dublin) Travis.Risner at Fiserv.com
Tue May 25 23:34:44 EDT 2010

Hi Jim,

Is every user in this application independent of every other user?  Must all lockouts be permanent?

For one application with groups of users, we created rules based on the PCI-DSS guidelines: lockout for ½ hr after 6 bad attempts, admin for the user’s group could immediately unlock others in the group but not themselves, etc.  Perhaps this will spawn ideas in new directions?

I also had a financial institution make me pick a picture from a large pool.  When I login, I have to pick my picture out of a randomly chosen subset of the larger pool, etc.

OTOH, if you go for answers to questions, please be kind to your users by making the comparisons case-insensitive and phonic.



From: Jim Manico <jim at manico.net>
Date: Tue, 25 May 2010 15:07:38 -0700
To: 'Webappsec Group' <websecurity at webappsec.org>
Subject: [WEB SECURITY] Password Reset

Hey Folks,

I have a hard requirement to build a password reset feature that does not include an emailed link or cell phone account verification. I'm thinking:

1) Enter your username
2) Answer a pre-set security question
  2a) Ensure the security question answer is at least as strong as the current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?
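The following is an added example, not code from either poster, sketching how Jim's three-step flow (username, pre-set question, lockout on failure) and Travis's rules (half-hour lockout after six bad attempts, a group admin who can unlock others in the group but not themselves, case-insensitive and phonetic answer comparison) could fit together. The Soundex phonetic code, the salted PBKDF2 storage of the canonical answer and the `ResetService` class and its method names are my assumptions; the usernames and answers are constructed test data.

```python
import hashlib
import hmac
import os

# Lockout policy as stated in the thread: six bad attempts, then half an hour locked.
MAX_FAILURES = 6
LOCKOUT_SECONDS = 30 * 60


def soundex(word):
    """American Soundex code (one letter plus three digits) for a single word."""
    word = "".join(c for c in word.upper() if c.isalpha())
    if not word:
        return ""
    table = str.maketrans("BFPVCGJKQSXZDTLMNR", "111122222222334556")
    code = word[0]
    prev = word[0].translate(table)
    for ch in word[1:]:
        digit = ch.translate(table)
        if ch in "HW":                 # H and W do not separate equal codes
            continue
        if digit.isdigit() and digit != prev:
            code += digit
        prev = digit if digit.isdigit() else ""   # a vowel resets the run
    return (code + "000")[:4]


def canonical_answer(answer):
    """Case-insensitive, whitespace-normalised, phonetic form of an answer."""
    return " ".join(soundex(w) for w in answer.lower().split())


def hash_answer(answer, salt):
    # Store a salted, stretched hash of the canonical form, never the raw text.
    return hashlib.pbkdf2_hmac("sha256", canonical_answer(answer).encode(), salt, 100_000)


class ResetService:
    """Hypothetical reset back end: steps 1-3 of the flow plus group-admin unlock."""

    def __init__(self):
        self.users = {}   # username -> {group, salt, digest, failures, locked_until}

    def register(self, username, group, answer):
        salt = os.urandom(16)
        self.users[username] = {"group": group, "salt": salt,
                                "digest": hash_answer(answer, salt),
                                "failures": 0, "locked_until": 0}

    def is_locked(self, username, now):
        return self.users[username]["locked_until"] > now

    def verify_answer(self, username, answer, now):
        """Steps 2 and 3: check the answer and enforce lockout. `now` is epoch seconds."""
        u = self.users.get(username)
        if u is None:
            hash_answer(answer, b"\0" * 16)   # spend the same time as a real lookup
            return "denied"
        if self.is_locked(username, now):
            return "locked"
        if hmac.compare_digest(u["digest"], hash_answer(answer, u["salt"])):
            u["failures"] = 0
            return "ok"
        u["failures"] += 1
        if u["failures"] >= MAX_FAILURES:
            u["failures"] = 0
            u["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def admin_unlock(self, admin, target):
        """A group admin may clear a lockout for others in the group, never their own."""
        if admin == target:
            raise PermissionError("admins cannot unlock their own account")
        if self.users[admin]["group"] != self.users[target]["group"]:
            raise PermissionError("admin may only unlock users in their own group")
        self.users[target]["failures"] = 0
        self.users[target]["locked_until"] = 0


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "ops", "Smith")          # constructed sample user
    print(svc.verify_answer("alice", "  smyth ", now=0))   # phonetic match -> ok
```

Because the answer is hashed in its canonical (Soundex) form, the stored value cannot be used to recover the exact spelling, but the phonetic folding also shrinks the answer space, which is exactly the usability-versus-strength tension in step 2a. Note too that returning "locked" for a known user while returning "denied" for an unknown one discloses whether an account exists; a deployment may prefer to collapse both into one response.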


