[WEB SECURITY] Password Reset

Francisco Corella fcorella at pomcor.com
Wed May 26 15:19:13 EDT 2010

Hi Jim and all,

Interesting thread.

Here is a simple solution: use two passwords, an ordinary password for everyday use, and a high-entropy password used to unlock the account.  The high-entropy password is randomly generated by the application and given to the user when the account is created, and the user is asked to print it and put it in a safe or in a locked cabinet.  (This may be too much to ask from a casual user, but may be OK if the application is important enough to the user.)

I used this solution as part of an elaborate password-based authentication scheme for a Web application having user-administered multi-user application instances.  The owner of an instance had administrative privileges for creating user accounts, etc., and could delegate some administrative privileges to some of the users.  Passwords were reset by administrators, except the owner's own password, which required the use of a high-entropy password given to the owner when the instance was created.

Another feature in the scheme was a mechanism by which a user with administrative privileges could reset the password of an unprivileged user and send a temporary password to the unprivileged user in such a way that security was not compromised if an attacker intercepted the temporary password.

The password security page of the Pomcor Web site has links to two white papers that describe the scheme.

Francisco Corella

--- On Tue, 5/25/10, Jim Manico <jim at manico.net> wrote:

From: Jim Manico <jim at manico.net>
Subject: [WEB SECURITY] Password Reset
To: "'Webappsec Group'" <websecurity at webappsec.org>
Date: Tuesday, May 25, 2010, 3:07 PM

Hey Folks,

I have a hard requirement to build a password reset feature that does not
include an emailed link or cell phone account verification. I'm

1) Enter your username

2) Answer a pre-set security question

  2a) Ensure the security question answer is at least as strong as the
current password policy (ouch - this might radically limit usability)

3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?
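To make the two-password idea from Corella's reply concrete (together with the lockout Jim lists as step 3), here is an added example written for this archive page. It is not code from Pomcor's scheme or its white papers, and it assumes details the thread does not state: the recovery password is stored only as a salted PBKDF2-HMAC-SHA256 digest, the alphabet, length, iteration count and failure thresholds are constructed parameters, and the Account class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

# Example parameters; these are assumptions for the illustration, not values
# taken from the thread or from Pomcor's published scheme.
RECOVERY_ALPHABET = string.ascii_letters + string.digits
RECOVERY_LENGTH = 24          # 24 symbols from a 62-symbol alphabet: about 143 bits of entropy
PBKDF2_ITERATIONS = 100_000   # slow hash so a leaked database does not reveal either password
MAX_LOGIN_FAILURES = 5        # everyday-password failures before the account locks
MAX_UNLOCK_FAILURES = 3       # recovery-password failures before self-service recovery is disabled


def generate_recovery_password(length=RECOVERY_LENGTH, alphabet=RECOVERY_ALPHABET):
    """The high-entropy unlock password: generated by the application, never chosen by the user."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of a password; returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """One user account holding an everyday password and a separate recovery password."""

    def __init__(self, username, everyday_password):
        self.username = username
        self.pw_salt, self.pw_hash = hash_secret(everyday_password)
        recovery = generate_recovery_password()
        self.rec_salt, self.rec_hash = hash_secret(recovery)
        self.login_failures = 0
        self.unlock_failures = 0
        self.locked = False
        self.recovery_disabled = False
        # The clear-text recovery password is held only until the caller hands it to
        # the user for printing; after that only its hash remains on the server.
        self._one_time_recovery = recovery

    def take_recovery_password(self):
        """Hand out the recovery password exactly once (for the user to print); later calls get None."""
        value, self._one_time_recovery = self._one_time_recovery, None
        return value

    @staticmethod
    def _matches(secret, salt, expected):
        _, digest = hash_secret(secret, salt)
        return hmac.compare_digest(digest, expected)

    def login(self, password):
        """Everyday login; repeated failures lock the account until it is unlocked via recovery."""
        if self.locked:
            return False
        if self._matches(password, self.pw_salt, self.pw_hash):
            self.login_failures = 0
            return True
        self.login_failures += 1
        if self.login_failures >= MAX_LOGIN_FAILURES:
            self.locked = True
        return False

    def unlock_and_reset(self, recovery_password, new_password):
        """Unlock with the printed recovery password and set a new everyday password.

        Recovery failures are counted as well (Jim's step 3): after MAX_UNLOCK_FAILURES
        the self-service path is disabled and only an out-of-band administrator can help.
        """
        if self.recovery_disabled:
            return False
        if not self._matches(recovery_password, self.rec_salt, self.rec_hash):
            self.unlock_failures += 1
            if self.unlock_failures >= MAX_UNLOCK_FAILURES:
                self.recovery_disabled = True
            return False
        self.unlock_failures = 0
        self.login_failures = 0
        self.locked = False
        self.pw_salt, self.pw_hash = hash_secret(new_password)
        return True


if __name__ == "__main__":
    acct = Account("alice", "everyday-password")
    printed = acct.take_recovery_password()   # shown once; the user prints it and stores it offline
    for _ in range(MAX_LOGIN_FAILURES):
        acct.login("guess")
    print("locked after failures:", acct.locked)
    print("unlock with recovery password:", acct.unlock_and_reset(printed, "new-everyday-password"))
    print("login with new password:", acct.login("new-everyday-password"))
```

The recovery password is generated by the server rather than chosen by the user, which is what makes it high-entropy and keeps it out of the security-question weakness Jim worries about in step 2a; because it is meant to sit in a safe, the example keeps the same recovery password across resets rather than rotating it.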
