[WEB SECURITY] Password Reset

Gaurav Kumar gk at pivotalsecurity.com
Wed May 26 00:19:24 EDT 2010

Jim, while others have given many good ideas, I just wanted to comment on
account lockouts. The account lockout feature is like a DoS vulnerability
waiting to be exploited. For example, if an application locks the account
after 5 invalid attempts for 10 minutes, what will prevent someone from
writing a script which will send 5 incorrect passwords after every 10
minutes? This will essentially lock the account forever, thereby creating a
DoS on user access. This is the reason you will find applications throwing
Human Interaction Proofs like captcha images when a brute force attempt is




Gaurav Kumar
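The lockout-as-DoS scenario in the message above, worked through as an added example (this is not code from the list or from any poster). The 5-failure / 10-minute numbers come from the text; the two policy classes, the attacker and user schedules, the account name and the password strings are constructed here for illustration.

```python
"""Simulation of the lockout-as-DoS problem described above.

Added example, not from the list message: the 5-failure / 10-minute numbers
come from the text, the policies, schedules and names are constructed here.
"""
from dataclasses import dataclass

THRESHOLD = 5     # failed logins tolerated before the policy reacts
WINDOW = 600      # lockout duration in seconds (10 minutes)


@dataclass
class Account:
    password: str
    failures: int = 0
    locked_until: float = 0.0
    checked: int = 0   # how many password guesses were actually compared


class LockoutPolicy:
    """The policy from the message: THRESHOLD failures lock the account
    for WINDOW seconds, no matter who caused them."""

    def login(self, acct, password, now, captcha_ok=False):
        if now < acct.locked_until:
            return "locked"              # refused before the password is even checked
        acct.checked += 1
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= THRESHOLD:
            acct.failures = 0
            acct.locked_until = now + WINDOW
        return "bad_password"


class CaptchaPolicy:
    """Alternative the message alludes to: after THRESHOLD failures demand a
    human interaction proof instead of locking. A script that cannot solve
    it is stopped; the real user, who can, is not."""

    def login(self, acct, password, now, captcha_ok=False):
        if acct.failures >= THRESHOLD and not captcha_ok:
            return "captcha_required"    # the guess is not evaluated
        acct.checked += 1
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        return "bad_password"


def simulate(policy, duration=6 * WINDOW):
    """Run the attacker script and a legitimate user against one account.

    The attacker fires 2 * THRESHOLD wrong passwords at the start of every
    WINDOW (the script the message describes, with some extra guesses) and
    never solves a captcha. The real user tries the correct password once
    per window, halfway through, and solves the captcha if asked.
    Returns (fraction of the user's logins refused,
             number of attacker guesses the server actually evaluated).
    """
    acct = Account(password="correct horse battery staple")   # constructed
    refused = attempts = attacker_checked = 0
    for t in range(0, duration, WINDOW):
        before = acct.checked
        for _ in range(2 * THRESHOLD):
            policy.login(acct, "hunter2", t)           # attacker, no captcha
        attacker_checked += acct.checked - before
        attempts += 1
        if policy.login(acct, acct.password, t + WINDOW // 2, captcha_ok=True) != "ok":
            refused += 1
    return refused / attempts, attacker_checked


if __name__ == "__main__":
    for policy in (LockoutPolicy(), CaptchaPolicy()):
        rate, guesses = simulate(policy)
        print(f"{type(policy).__name__:14s} user refused {rate:.0%} of the time, "
              f"{guesses} attacker guesses evaluated")
```

Over an hour the attacker gets the same 5 evaluated guesses per window under both policies, so the brute-force budget is identical; the only difference is that the lockout policy refuses the legitimate user on every single attempt while the captcha policy refuses none. That is the whole of Gaurav's point. A captcha gate has its own weaknesses (solver services, accessibility), so the counter-based trigger is a structure to build on, not a finished control.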


From: Jim Manico [mailto:jim at manico.net] 
Sent: Tuesday, May 25, 2010 5:58 PM
To: Arian J. Evans
Cc: Webappsec Group
Subject: Re: [WEB SECURITY] Password Reset



I only back your proposed solution below if you add Mike Bailey's "Are you
who you say you are?" checkbox. Defense in depth, right?

- Jim 

PS: That was very sarcastic.

Also Jim - I should have added earlier - but one of my financial
institutions uses pictures for account reset with their questions.
Personally I find them cute, and easy to remember. I always go for the
pictures of the motorcycles - they catch my eye and are super easy for me
to remember which one I picked.
Maybe a modern solution like this would work for you too?
If you can't build it secure - might as well make it fun!
Looks like some folks have suggested using public-record data like
DOB. That stuff is always fun too!
Arian Evans
On Tue, May 25, 2010 at 5:09 PM,   <mailto:neza0x at gmail.com>
<neza0x at gmail.com> wrote:

Not too much to do with those restrictions. Hopefully, this is not a
sensitive system, otherwise I will go for SMS cell message validation.
1. Enforce account lockout for the username too.
2. Use captcha
3. Security questions should be tied to PII info instead of simple questions
like "color of your first car". You could ask for the last four digits of your
license, social or employee ID. This works for home grown applications and
requires other controls like encryption to safely store sensitive
All depends on the sensitivity of the system you are trying to protect.
Hope this helps.
Sent via BlackBerry from Danux Network
From: Jim Manico  <mailto:jim at manico.net> <jim at manico.net>
Date: Tue, 25 May 2010 15:07:38 -0700
To: 'Webappsec Group' <mailto:websecurity at webappsec.org>
<websecurity at webappsec.org>
Subject: [WEB SECURITY] Password Reset
Hey Folks,
I have a hard requirement to build a password reset feature that does not
include an emailed link or cell phone account verification. I'm thinking:
1) Enter your username
2) Answer a pre-set security question
  2a) Ensure the security question answer is at least as strong as the
current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure
I still don't like it - which is why I'm spamming you. :) Any thoughts?
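Steps 2 and 2a of the flow above, as an added example (not Jim's code and not anything posted to the list): the answer is treated as a second password, so it is normalised, checked against a password-strength policy at enrollment, stored only as a salted slow hash, and verified with a constant-time compare. The policy thresholds, the whitespace-only normalisation, the PBKDF2 parameters and the sample answers are assumptions made here. Step 3 (the failure counter around `verify`) is deliberately left to the caller; that is the lockout question Gaurav raises at the top of this page.

```python
"""Security-question enrollment and verification for the reset flow above.

Added example, not from the thread. Policy thresholds, normalisation rules,
PBKDF2 parameters and sample answers are assumptions made here.
"""
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 12                                   # assumed password policy:
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]   # length + 3 of 4 classes
PBKDF2_ITERATIONS = 200_000                       # assumed work factor


def normalize(answer: str) -> str:
    """Canonicalise the answer so trivial retyping differences do not fail the
    user: NFKC, trimmed, runs of whitespace collapsed. Case is NOT folded,
    because the answer is held to a password policy that counts case classes."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.split())


def meets_password_policy(secret: str) -> bool:
    """Step 2a: the answer must satisfy the same rules as a password.
    Applied to the normalised form, so padding with spaces cannot satisfy it."""
    if len(secret) < MIN_LENGTH:
        return False
    return sum(bool(re.search(c, secret)) for c in CLASSES) >= 3


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def enroll(answer: str) -> dict:
    """Store the answer exactly like a password: per-record salt, slow hash,
    never the plaintext. Raises ValueError if the answer is too weak, which is
    the usability cost Jim's step 2a warns about."""
    canon = normalize(answer)
    if not meets_password_policy(canon):
        raise ValueError("security answer does not meet the password policy")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(canon, salt)}


def verify(record: dict, answer: str) -> bool:
    """Reset-time check. Constant-time comparison of the derived hash; the
    caller wraps this in its own failure counter / lockout or captcha gate."""
    candidate = _hash(normalize(answer), record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


if __name__ == "__main__":
    for sample in ("Honda", "blue honda civic", "Blue Honda Civic 1998"):   # constructed
        print(f"{sample!r:28s} meets policy: {meets_password_policy(normalize(sample))}")
    rec = enroll("  Blue   Honda Civic 1998 ")
    print("matches retyped answer:", verify(rec, "Blue Honda Civic 1998"))
    print("matches lowercase answer:", verify(rec, "blue honda civic 1998"))
```

Run as a script, the first two sample answers are rejected and only the third passes, which is the "ouch" in step 2a made concrete: most answers people would naturally give to a security question fail a real password policy. The hash record contains no plaintext, so a database leak exposes the answer no more than it exposes a password. Note also that step 1 (enter your username) should respond identically whether or not the username exists, or the reset form becomes a username oracle.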

