[WEB SECURITY] Password Reset

Martin, Christopher chrismartin at corelogic.com
Wed May 26 15:59:15 EDT 2010

I think that this is good for the enterprise user (although probably argued to be too hard to keep track of by everyone that we try to sell it to), but not useful to consumer web applications which it sounds like might be the target audience in this thread. Finding that fine line that can be leveraged in both arenas is very hard.

From: Francisco Corella [mailto:fcorella at pomcor.com]
Sent: Wednesday, May 26, 2010 2:19 PM
To: 'Webappsec Group'; Jim Manico
Subject: Re: [WEB SECURITY] Password Reset

Hi Jim and all,

Interesting thread.

Here is a simple solution: use two passwords, an ordinary password for everyday use, and a high-entropy password used to unlock the account.  The high-entropy password is randomly generated by the application and given to the user when the account is created, and the user is asked to print it and put it in a safe or in a locked cabinet.  (This may be too much to ask from a casual user, but may be OK if the application is important enough to the user.)

I used this solution as part of an elaborate password-based authentication scheme for a Web application having user-administered multi-user application instances.  The owner of an instance had administrative privileges for creating user accounts, etc., and could delegate some administrative privileges to some of the users.  Passwords were reset by administrators, except the owner's own password, which required the use of a high-entropy password given to the owner when the instance was created.

Another feature in the scheme was a mechanism by which a user with administrative privileges could reset the password of an unprivileged user and send a temporary password to the unprivileged user in such a way that security was not compromised if an attacker intercepted the temporary password.

The password security page <http://pomcor.com/password_security.html> of the Pomcor Web site has links to two white papers that describe the scheme.

Francisco Corella

--- On Tue, 5/25/10, Jim Manico <jim at manico.net> wrote:

From: Jim Manico <jim at manico.net>
Subject: [WEB SECURITY] Password Reset
To: "'Webappsec Group'" <websecurity at webappsec.org>
Date: Tuesday, May 25, 2010, 3:07 PM
Hey Folks,

I have a hard requirement to build a password reset feature that does not include an emailed link or cell phone account verification. I'm thinking:

1) Enter your username
2) Answer a pre-set security question
  2a) Ensure the security question answer is at least as strong as the current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?
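To make the two ideas in this thread concrete, the unlock password Francisco describes (a high-entropy secret generated when the account is created, shown to the user once, stored only as a hash, and able to clear a lockout) and the username / security-question / lockout flow Jim sketches, here is an added Python example; it is not code from either poster or from Pomcor. The PBKDF2 work factor, the five-attempt lockout threshold, the 12-character minimum standing in for "the current password policy", and the small deny-list of weak answers are all assumptions made for the example.

```python
"""Password-reset fallbacks that need neither an e-mailed link nor a phone:
a once-issued high-entropy unlock password, and a security-question answer
held to the password policy, both verified through one lockout counter.
Example code written for this thread; parameters are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000     # assumed work factor for this example
MAX_ATTEMPTS = 5            # assumed lockout threshold (Jim's step 3)
MIN_ANSWER_LEN = 12         # assumed stand-in for "the current password policy"
# constructed deny-list standing in for a dictionary of common answers
WEAK_ANSWERS = {"password", "fluffy", "smith", "new york city"}


@dataclass
class StoredSecret:
    """Salted PBKDF2 digest; the plaintext is never kept."""
    salt: bytes
    digest: bytes


def hash_secret(secret: str) -> StoredSecret:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return StoredSecret(salt, digest)


def verify_secret(stored: StoredSecret, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), stored.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored.digest, digest)   # constant-time comparison


def generate_unlock_password(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, grouped in fours so it prints legibly."""
    raw = secrets.token_hex(nbytes)
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def normalise_answer(answer: str) -> str:
    """Trim, collapse whitespace and lower-case so capitalisation cannot lock a user out."""
    return " ".join(answer.lower().split())


def answer_meets_policy(answer: str) -> bool:
    """Jim's step 2a: the answer must satisfy the (assumed) password policy."""
    a = normalise_answer(answer)
    return len(a) >= MIN_ANSWER_LEN and a not in WEAK_ANSWERS


@dataclass
class Account:
    password: StoredSecret
    unlock: StoredSecret
    answer: Optional[StoredSecret] = None
    failed_resets: int = 0


class ResetService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_account(self, username: str, password: str) -> str:
        """Returns the unlock password exactly once; only its hash is stored."""
        unlock = generate_unlock_password()
        self.accounts[username] = Account(hash_secret(password), hash_secret(unlock))
        return unlock

    def set_security_answer(self, username: str, answer: str) -> bool:
        if not answer_meets_policy(answer):
            return False
        self.accounts[username].answer = hash_secret(normalise_answer(answer))
        return True

    def _attempt(self, username: str, stored: Optional[StoredSecret],
                 candidate: str, new_password: str, bypass_lockout: bool) -> str:
        acct = self.accounts.get(username)
        if acct is None or stored is None:
            return "denied"                      # unknown user or nothing on file
        if acct.failed_resets >= MAX_ATTEMPTS and not bypass_lockout:
            return "locked"
        if not verify_secret(stored, candidate):
            acct.failed_resets += 1              # every failure counts, on either channel
            return "locked" if acct.failed_resets >= MAX_ATTEMPTS else "denied"
        acct.failed_resets = 0                   # success clears the counter
        acct.password = hash_secret(new_password)
        return "ok"

    def reset_with_answer(self, username: str, answer: str, new_password: str) -> str:
        acct = self.accounts.get(username)
        stored = acct.answer if acct else None
        return self._attempt(username, stored, normalise_answer(answer), new_password, False)

    def reset_with_unlock(self, username: str, unlock: str, new_password: str) -> str:
        """Francisco's unlock password: the one channel that still works while locked."""
        acct = self.accounts.get(username)
        stored = acct.unlock if acct else None
        return self._attempt(username, stored, unlock.strip(), new_password, True)

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and verify_secret(acct.password, password)
```

The answer gets the same salted PBKDF2 treatment as the password itself, because once step 2a holds it to the password policy it is a password-equivalent and a leaked table of plaintext answers would be as bad as leaked passwords. Both reset channels share one failure counter, and only the unlock password is allowed through while the account is locked; since it is 128 bits from the OS CSPRNG, online guessing against it is not a realistic risk, which is what lets it play the role of the safe-or-cabinet secret Francisco describes.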

