[WEB SECURITY] Password Reset

Martin, Christopher chrismartin at corelogic.com
Wed May 26 12:07:46 EDT 2010

OK folks, you have all made my day today....lol, passwords not required, DOB, rainbow, etc....omg  hehehe  even got me to go to instant message speak.

IMHO, SMS OTP is a really good system if it is acceptable from a cost perspective. In the past I have seen other alternatives for the "something you have" portion of multifactor authentication, which used a simple paper card with a matrix to choose from (I think it was an Entrust solution). OTP is truly a good way to go for any password scheme, but in the public consumption space cost effectiveness always seems to lose.

The SiteKey that Bank of America uses is excellent (I believe it is part of an RSA solution), good one Arian, in combination with the personal questions. Captcha is also a must-have to at least reduce the spam instance (won't stop the serious efforts but can reduce the scripted ones).

Understanding that cost may be a consideration, and not knowing the scope of sources (consumers, enterprise, partners) or the sensitivity of the data, we don't know cost, but can at least start with the fact that sitekeys, captchas, personal questions, idle timeouts, smart lockouts, etc., even SMS OTP, can be developed in house by strong developers for lower cost than commercial solutions if that does become an issue.

I guess bottom line, value of what you are trying to protect will guide your direction (or should).
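As an added illustration of the "developed in house" SMS OTP option discussed above (this is example code written for this archive page, not code from the poster or from any product mentioned), the skeleton below issues and verifies a one-time code with the properties a reviewer would check for: the code comes from `secrets`, only a keyed hash of it is stored, it is bound to the username, it expires, it is single-use, and a small number of wrong guesses discards it. The SMS gateway is replaced by an in-memory outbox, and the pepper value and the 300-second / 3-attempt limits are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Server-side secret used to hash stored codes (constructed for this example;
# a real deployment loads it from a secret store, never from source).
PEPPER = b"example-pepper-not-for-production"

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300     # a code is valid for five minutes (assumed limit)
OTP_MAX_ATTEMPTS = 3      # after this many wrong guesses the code is discarded


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


def _hash_code(username: str, code: str) -> bytes:
    # Bind the hash to the username so a code issued for one account cannot
    # be presented for another even if the pending-code table were copied.
    msg = f"{username}:{code}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).digest()


class OtpService:
    """Issue and verify one-time codes; the SMS gateway is replaced by a list."""

    def __init__(self, now=time.time):
        self._now = now                            # injectable clock, for testing
        self._pending: dict[str, PendingOtp] = {}
        self.outbox: list[tuple[str, str]] = []    # (phone, code) stand-in for SMS sends

    def issue(self, username: str, phone: str) -> None:
        # secrets, not random: the code must be unpredictable
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        # Issuing a new code invalidates any earlier one for this user
        self._pending[username] = PendingOtp(
            code_hash=_hash_code(username, code),
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        self.outbox.append((phone, code))

    def verify(self, username: str, code: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[username]            # expired: force a fresh issue
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, _hash_code(username, code))
        if ok or entry.attempts_left <= 0:
            del self._pending[username]            # single use, or guesses exhausted
        return ok
```

The cost argument in the thread holds up only if the home-grown version keeps all of these properties; the piece that is hardest to build in house is the delivery side, and nothing here changes the fact that the phone number itself has to be verified at enrolment rather than at reset time.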


From: Jim Manico [mailto:jim at manico.net]
Sent: Tuesday, May 25, 2010 7:58 PM
To: Arian J. Evans
Cc: Webappsec Group
Subject: Re: [WEB SECURITY] Password Reset


I only back your proposed solution below if you add Mike Bailey's "Are you who you say you are?" checkbox. Defense in depth, right?

- Jim

PS: That was very sarcastic.

Also Jim - I should have added earlier - but one of my financial institutions uses pictures for account reset with their questions.

Personally I find them cute, and easy to remember. I always go for the pictures of the motorcycles - they catch my eye and super easy for me to remember which one I picked.

Maybe a modern solution like this would work for you too?

If you can't build it secure - might as well make it fun!

Looks like some folks have suggested using public-record data like DOB. That stuff is always fun too!

Arian Evans

On Tue, May 25, 2010 at 5:09 PM, <neza0x at gmail.com> wrote:

Not too much to do with those restrictions. Hopefully, this is not a sensitive system, otherwise I will go for SMS cell message validation.

1. Enforce account lockout for username too.

2. Use captcha

3. Security questions should be tied to PII info instead of simple questions like "color of your first car". You could ask for the last four digits of your license, social or employee id. This works for home grown applications and requires other controls like encryption to safely store sensitive

All depends on the sensitivity of the system you are trying to protect.

Hope this helps.

Sent via BlackBerry from Danux Network


From: Jim Manico <jim at manico.net>

Date: Tue, 25 May 2010 15:07:38 -0700

To: 'Webappsec Group' <websecurity at webappsec.org>

Subject: [WEB SECURITY] Password Reset

Hey Folks,

I have a hard requirement to build a password reset feature that does not include an emailed link or cell phone account verification. I'm thinking:

1) Enter your username

2) Answer a pre-set security question

  2a) Ensure the security question answer is at least as strong as the current password policy (ouch - this might radically limit usability)

3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?
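The three-step flow Jim sketches above, together with the lockout-per-username and store-the-answer-like-a-secret points from the earlier reply, can be put into one small service. The code below is an added example written for this archive page, not code from Jim or from any of the other posters; the concrete thresholds (five failures, a 15-minute lock, a 10-character answer with three character classes as the stand-in for "at least as strong as the password policy") and the use of PBKDF2 for the stored answer are assumptions chosen for the example. Captcha is deliberately left out because it sits in front of this service rather than inside it.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import time

MAX_FAILURES = 5            # wrong answers before the account locks (assumed)
LOCKOUT_SECONDS = 900       # lock duration, 15 minutes (assumed)
ANSWER_MIN_LENGTH = 10      # stand-in for "at least as strong as the password policy"
PBKDF2_ROUNDS = 100_000     # slow hash for stored answers, as for passwords
_DUMMY_SALT = bytes(16)     # used so unknown usernames cost the same as real ones


def answer_meets_policy(answer: str) -> bool:
    """Step 2a: require password-grade answers (length plus three character classes)."""
    a = answer.strip()
    if len(a) < ANSWER_MIN_LENGTH:
        return False
    classes = sum(bool(re.search(p, a)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return classes >= 3


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Blue  Mustang" and "blue mustang" match,
    # then keep only a salted slow hash; the plaintext answer is never stored.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    def __init__(self, now=time.time):
        self._now = now                          # injectable clock, for testing
        self._accounts: dict[str, dict] = {}     # username -> enrolment record

    def enroll(self, username: str, question: str, answer: str) -> bool:
        """Returns False (and stores nothing) when the answer is weaker than the policy."""
        if not answer_meets_policy(answer):
            return False
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "question": question,
            "salt": salt,
            "hash": _hash_answer(answer, salt),
            "failures": 0,
            "locked_until": 0.0,
        }
        return True

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and self._now() < acct["locked_until"]

    def attempt_reset(self, username: str, answer: str) -> bool:
        """Steps 1-3: True only when the caller may now set a new password."""
        acct = self._accounts.get(username)
        if acct is None:
            _hash_answer(answer, _DUMMY_SALT)    # same cost for unknown names
            return False
        if self.is_locked(username):
            return False                         # step 3: locked, even if correct
        if hmac.compare_digest(acct["hash"], _hash_answer(answer, acct["salt"])):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = self._now() + LOCKOUT_SECONDS
            acct["failures"] = 0
        return False
```

Two details carry most of the value: the lock is keyed by username and applies even to a correct answer while it is active, so the reset path cannot be used to enumerate answers any faster than the login path, and the answer is hashed with a salt and a slow KDF, which is what makes the "at least as strong as a password" rule in step 2a meaningful rather than cosmetic.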


