[WEB SECURITY] Password Reset

Bil Corry bil at corry.biz
Sat May 29 02:40:42 EDT 2010


Jim Manico wrote on 5/28/2010 2:12 PM: 
>> If there's already a process in place to handle accounts that are
>> locked out, why not just leverage that process to reset the account?
> 
> Because that process is call-center based. An automated process would
> reduce that call volume. So far, most proposals are less secure than the
> actual authentication layer.

FWIW, Schneier argues that password resets should work just like that, as a difficult process, for the very reason you mentioned:

	http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

You might find this paper interesting:

	http://www.guanotronic.com/~serge/papers/oakland09.pdf


- Bil
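An added illustration of the point made in the thread, not code from either poster: if an automated reset path is offered at all, it has to be at least as strong as the login it bypasses. The sketch below is a minimal self-service reset token store written for this page; it assumes an in-memory store, a 15-minute validity window, and a 256-bit token from the OS CSPRNG. Those parameters are assumptions, as are the class and method names. The properties it enforces are the ones a reviewer would check first: only a hash of the token is persisted (a database leak does not yield usable tokens), the token expires, it is bound to one account, and it is consumed on first use.

```python
import hashlib
import secrets
import time

# Added example for this page; parameters below are assumed policy, not
# anything the thread specifies.
TOKEN_BYTES = 32          # 256 bits of entropy, far above a typical password
TOKEN_TTL_SECONDS = 900   # 15-minute validity window


class ResetStore:
    """In-memory store of outstanding password-reset requests.

    Keys are sha256(token); the raw token exists only in the e-mail sent to
    the address already on file for the account. Looking up by hash is safe:
    an attacker who reads the store still needs a preimage of the hash.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id and return it to be sent once.

        Any earlier outstanding token for the same account is revoked, so a
        flood of requests cannot leave many live tokens behind.
        """
        self.cancel(user_id)
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self._digest(token)] = (
            user_id,
            self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def cancel(self, user_id):
        """Revoke every pending token for user_id (also call after a successful login)."""
        stale = [d for d, (uid, _) in self._pending.items() if uid == user_id]
        for d in stale:
            del self._pending[d]

    def redeem(self, user_id, token):
        """Consume token for user_id.

        Returns True exactly once, only before expiry and only for the
        account the token was issued to; every other path returns False.
        """
        digest = self._digest(token)
        entry = self._pending.get(digest)
        if entry is None:
            return False
        stored_user, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[digest]          # expired: drop it
            return False
        if stored_user != user_id:
            return False                       # token bound to another account
        del self._pending[digest]              # single use
        return True


if __name__ == "__main__":
    store = ResetStore()
    tok = store.issue("alice")
    print("first redeem:", store.redeem("alice", tok))
    print("replay:", store.redeem("alice", tok))
```

What this does not solve is the part Schneier's post is about: the e-mail account (or whatever channel receives the token) becomes the real authentication factor, so the reset is only as strong as that channel. Rate limiting per account and per source address, and notifying the user on every issue and redemption, are the usual additions.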
