[WEB SECURITY] Password Reset

Bil Corry bil at corry.biz
Sat May 29 02:40:42 EDT 2010

Jim Manico wrote on 5/28/2010 2:12 PM: 
>>  If there's already a process in place to handle accounts that are
>> locked out, why not just leverage that process to reset the account?
> Cause that process is call center based. An automated process would
> reduce that call volume. So far, most proposals are less secure than the
> actual authentication layer.

FWIW, Schneier argues that password resets should work just like that: a difficult process for the very reason you mentioned:


You might find this paper interesting:


- Bil
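The thread's yardstick is that an automated reset must not be weaker than the authentication it bypasses. As an added example (not code from the thread or from either poster), the Python sketch below shows what meeting that bar looks like in the token-handling part of such a flow: a 256-bit random token, stored only as a hash, short-lived, single-use, bound to one account, compared in constant time, and burned after a handful of wrong guesses. `ResetStore`, its in-memory dictionary and the injectable clock are assumptions made for the demonstration, not anything the list or either poster described.

```python
"""Password-reset token handling measured against the login it replaces.

Added example for illustration; not code from the websecurity thread.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32             # 256 bits of randomness, well beyond any password policy
TOKEN_TTL_SECONDS = 15 * 60  # short window: the token is a live credential while it exists
MAX_ATTEMPTS = 5             # a few typos, not a guessing budget


def _digest(token: str) -> bytes:
    # The token is already high-entropy, so an unsalted SHA-256 is enough to
    # keep a leaked store from handing out usable reset tokens.
    return hashlib.sha256(token.encode("utf-8")).digest()


class ResetStore:
    """In-memory store of hashed reset tokens keyed by account name.

    Hypothetical helper built for this example; a real deployment would back it
    with the same datastore, logging and rate limits as the login path.
    """

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so the expiry path can be exercised
        self._pending = {}    # username -> {"hash": bytes, "expires": float, "attempts": int}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        # A new request replaces any outstanding token for this account.
        self._pending[username] = {
            "hash": _digest(token),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token  # delivered out of band (e.g. e-mail) to the account owner only

    def redeem(self, username: str, token: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False  # no outstanding reset, or already used/burned
        if self._now() > entry["expires"]:
            del self._pending[username]
            return False  # expired tokens are discarded, never extended
        if not hmac.compare_digest(_digest(token), entry["hash"]):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[username]  # burn it; the user must request again
            return False
        del self._pending[username]  # single use: success consumes the token
        return True

    def outstanding(self, username: str) -> bool:
        """True while an unexpired, unburned token exists for this account."""
        return username in self._pending


if __name__ == "__main__":
    store = ResetStore()
    tok = store.issue("alice")      # "alice" is a constructed sample account
    print("first redeem:", store.redeem("alice", tok))   # True
    print("replay:", store.redeem("alice", tok))         # False
```

What this code cannot fix is the delivery channel: if the token lands in a mailbox guarded by a weaker password than the account being reset, the reset is only as strong as that mailbox, which is the thread's objection in one sentence.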

Join us on IRC: irc.freenode.net #webappsec

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
