[WEB SECURITY] Password Reset

Joel Helgeson joel at helgeson.com
Thu May 27 17:08:01 EDT 2010

Best password question ever:


Where did you hide the body?


From: Jim Manico [mailto:jim at manico.net] 
Sent: Tuesday, May 25, 2010 5:08 PM
To: 'Webappsec Group'
Subject: [WEB SECURITY] Password Reset


Hey Folks,

I have a hard requirement to build a password reset feature that does not
include an emailed link or cell phone account verification. I'm thinking:

1) Enter your username
2) Answer a pre-set security question
  2a) Ensure the security question answer is at least as strong as the
current password policy (ouch - this might radically limit usability)
3) Enforce account lockout around security question failure

I still don't like it - which is why I'm spamming you. :) Any thoughts?


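The three-step flow Jim sketches above (username, pre-set question, lockout on failure), worked through as an added example; this is not code from the thread or from any participant. The policy numbers (12-character minimum, 8 distinct characters, 5 failures, 15-minute lock), the PBKDF2 parameters, the ResetService/Account names and the sample account are all assumptions made for the example. The two details the post leaves open are handled explicitly: the answer is case- and whitespace-folded before it is hashed (so the strength rule is applied to the folded form, which is what an attacker actually has to guess), and every refusal returns the same plain False with the same hashing cost, so the reset endpoint cannot be used to enumerate usernames.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy values; the post only says the answer must be at least as
# strong as the existing password policy and that lockout must apply.
MIN_LENGTH = 12            # applied to passwords and to normalised answers alike
MIN_DISTINCT = 8           # crude entropy floor that survives case-folding
MAX_FAILURES = 5           # wrong answers before the account is locked
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000
# Constructed denylist: answers too guessable whatever their length.
COMMON_ANSWERS = {"i don't remember", "password password", "none of your business"}


def normalize_answer(answer: str) -> str:
    """Fold case and runs of whitespace so a user who enrolled 'Fergus Falls'
    is not locked out for typing 'fergus  falls'.  Nothing else is stripped:
    every character removed here is entropy the policy check must not count."""
    return " ".join(answer.casefold().split())


def meets_policy(secret: str) -> bool:
    """One rule for passwords and reset answers, so the answer is never the
    weaker of the two credentials protecting the account."""
    return (len(secret) >= MIN_LENGTH
            and len(set(secret)) >= MIN_DISTINCT
            and secret not in COMMON_ANSWERS)


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    question: str
    answer_salt: bytes
    answer_hash: bytes
    password_salt: bytes
    password_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class ResetService:
    """In-memory stand-in for the account store (assumed); the clock is
    injectable so lockout expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock
        # Decoy credential so an unknown username costs one PBKDF2 evaluation,
        # the same as a wrong answer on a real account (no enumeration via timing).
        self._decoy_salt = os.urandom(16)
        self._decoy_hash = _hash(os.urandom(16).hex(), self._decoy_salt)

    def enroll(self, username, password, question, answer):
        canon = normalize_answer(answer)
        if not meets_policy(password):
            raise ValueError("password does not meet policy")
        if not meets_policy(canon):
            raise ValueError("security answer does not meet policy")
        a_salt, p_salt = os.urandom(16), os.urandom(16)
        self.accounts[username] = Account(
            question, a_salt, _hash(canon, a_salt), p_salt, _hash(password, p_salt))

    def reset(self, username, answer, new_password) -> bool:
        """Steps 1-3 of the post.  Returns True only when the password was
        changed; every refusal is a plain False so the response does not say
        which of 'no such user', 'locked' or 'wrong answer' applied."""
        if not meets_policy(new_password):
            raise ValueError("new password does not meet policy")
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hmac.compare_digest(_hash(normalize_answer(answer), self._decoy_salt),
                                self._decoy_hash)
            return False
        if now < acct.locked_until:
            return False
        candidate = _hash(normalize_answer(answer), acct.answer_salt)
        if not hmac.compare_digest(candidate, acct.answer_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
            return False
        acct.failures = 0
        acct.password_salt = os.urandom(16)
        acct.password_hash = _hash(new_password, acct.password_salt)
        return True

    def check_password(self, username, password) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(
            _hash(password, acct.password_salt), acct.password_hash)
```

Two caveats the code makes visible rather than solving: the per-account lockout in step 3 lets anyone who knows a username lock its owner out for LOCKOUT_SECONDS, so a deployment would rate-limit by source as well; and a single question is only as secret as the answer, which is why the strength rule is enforced on the folded answer at enrolment and not merely on the raw string the user typed.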