[WEB SECURITY] Password Reset

Paul Johnston paul.johnston at pentest.co.uk
Wed May 26 05:14:27 EDT 2010


How about you have your users come into the office, prove their identity
with a retina scan, fingerprints and facial recognition. As added
protection, make them enter a man trap while they do this - and if they
fail drop them into a pool of piranhas. Perhaps make them bring their
family in too. Who cares about false positives anyway? :-)

Reality is that all these schemes are a tradeoff between security and

For a moderate security system, I think some "proof of contact" is
essential - be it email, SMS or postal verification. As others have
pointed out, security questions tend to be too easy (e.g. postcode +
date of birth) or liable to be forgotten (e.g. what's your favorite
book). I see the value of the security question simply as a minor extra
step, to stop someone who's compromised an email account from being able
to compromise all the user's other accounts.

Strategically, single sign-on is the solution to this. It would make
forgetting your password a rare event, and going in person to perform a
biometric authentication would be acceptable. This is exactly what the
UK was going to have with the national ID card scheme - but the new
government have dropped it :-(


On 25/05/2010 23:07, Jim Manico wrote:
> Hey Folks,
> I have a hard requirement to build a password reset feature that does
> *not* include an emailed link or cell phone account verification. I'm
> thinking:
> 1) Enter your username
> 2) Answer a pre-set security question
>   2a) Ensure the security question answer is at least as strong as the
> current password policy (ouch - this might radically limit usability)
> 3) Enforce account lockout around security question failure
> I still don't like it - which is why I'm spamming you. :) Any thoughts?
> Aloha,
> Jim

Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
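Jim's three-step flow above, written out as an added example (my own code, not from either poster): an assumed policy of twelve characters and three character classes stands in for step 2a, the answer is stored salted and compared in constant time for step 2, and an assumed five-failure lockout covers step 3. It implements only the question step, not the proof of contact Paul argues is essential.

```python
import hashlib
import hmac
import os
import string

# Assumed policy (not from the thread): 12+ chars drawn from at least three classes.
MIN_LENGTH = 12
MAX_FAILURES = 5   # assumed lockout threshold for step 3


def meets_policy(secret: str) -> bool:
    """Step 2a: the reset answer must pass the same rules as a password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    hit = sum(any(c in cls for c in secret) for cls in classes)
    return len(secret) >= MIN_LENGTH and hit >= 3


def normalize(answer: str) -> str:
    # Ignore case and spacing so formatting slips do not count as a wrong answer.
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Store the answer like a password: salted PBKDF2, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest


class ResetService:
    def __init__(self):
        self.users = {}   # username -> {"salt", "digest", "failures"}

    def enroll(self, username: str, answer: str) -> bool:
        if not meets_policy(answer):
            return False
        salt, digest = hash_answer(answer)
        self.users[username] = {"salt": salt, "digest": digest, "failures": 0}
        return True

    def attempt_reset(self, username: str, answer: str) -> str:
        """Steps 1-3: 'ok', 'denied' or 'locked'; unknown users get the same 'denied'."""
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"
        _, digest = hash_answer(answer, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_FAILURES else "denied"
```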
