[WEB SECURITY] Password Reset

Mike Fratto mfratto at gmail.com
Wed May 26 09:53:44 EDT 2010


Paul, are you serious? You really collect and use a SS#? And how do
you protect that?

On Tue, May 25, 2010 at 6:32 PM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:
> --On Tuesday, May 25, 2010 15:07:38 -0700 Jim Manico <jim at manico.net> wrote:
>
>> Hey Folks,
>>
>> I have a hard requirement to build a password reset feature that does not
>> include an emailed link or cell phone account verification. I'm thinking:
>>
>> 1) Enter your username
>> 2) Answer a pre-set security question
>>  2a) Ensure the security question answer is at least as strong as the
>> current password policy (ouch - this might radically limit usability)
>> 3) Enforce account lockout around security question failure
>>
>> I still don't like it - which is why I'm spamming you. :) Any thoughts?
>>
>
> We use id (or SS#) and birthdate plus three questions chosen randomly from a
> list of ten possible at account initiation.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

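One way to implement steps 1 to 3 of Jim's proposal with the security answer stored and checked exactly like a password, as an added example that is not code from any poster in this thread; the policy values, PBKDF2 parameters and lockout window are constructed assumptions:

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed policy values for this example; a real deployment reuses its password policy.
MIN_ANSWER_LEN = 12          # step 2a: same minimum length rule as a password
MAX_FAILURES = 5             # step 3: lock the reset path after this many bad answers
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000

def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Main Street' and 'main street ' match."""
    return " ".join(answer.strip().lower().split())

def answer_meets_policy(answer: str) -> bool:
    """Step 2a: apply the password policy to the answer (length only here; add the real rules)."""
    return len(normalize(answer)) >= MIN_ANSWER_LEN

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Security answers are secrets: store them salted with a slow hash, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)

@dataclass
class ResetRecord:
    salt: bytes
    answer_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def enroll(answer: str) -> ResetRecord:
    """Called at account creation; rejects answers weaker than the password policy."""
    if not answer_meets_policy(answer):
        raise ValueError("security answer does not meet password policy")
    salt = os.urandom(16)
    return ResetRecord(salt=salt, answer_hash=hash_answer(answer, salt))

def verify_reset(rec: ResetRecord, answer: str, now: float) -> str:
    """Step 2/3: returns 'ok', 'denied' or 'locked'. A real service returns the same generic
    message for unknown usernames so the reset form cannot be used to enumerate accounts."""
    if now < rec.locked_until:
        return "locked"                      # still inside the lockout window
    if hmac.compare_digest(hash_answer(answer, rec.salt), rec.answer_hash):
        rec.failures = 0
        return "ok"
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.failures = 0
        rec.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"
```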