[WEB SECURITY] What's the best way to maintain password history?
subin.net at gmail.com
Fri Nov 11 14:55:00 EST 2011
This is an online banking / credit card website and user id can be anything 6 to 32 chars (no spaces) but has to be a combination of alpha / numerical or special chars.
Email is is only used for notification that your email Id was looked up or password was reset ( user id is not sent in the email)It's the same as with major cards like Bofa / chase / capital one etc
They all allow to change online login id.
Like Justin said , it seemed like a bug to me too but when I look back at how other cards have implemented it , it's pretty much the same.probably because there are no standards enforcing them or password history is not given much importance...
Passwords are stored as salted hash We follow rsa two factor authentication FDIC / FFIEC and pci dss
Sent from my iPhone
On Nov 11, 2011, at 7:54 AM, "Vance, Michael" <Michael.Vance at salliemae.com> wrote:
>>> I'm looking for the best secure way to manage password
>>> history when an user resets(or creates a new) user id in
>>> a secure pci dss website.
>> It's a pretty rare website that I've seen that allows someone to
>> change their username or id once the account has been established.
> It's actually very common if the site uses e-mail address as username or if it has a "Forgot User ID" function that uses e-mail to deliver the forgotten ID. There is always the chance that the user no longer has access to the e-mail address that is on file. Though we are in a day and age where everyone *could* obtain and use a "permanent" e-mail address, they do still change when someone uses a work or school address or if they have too much spam and decide to just junk an address and create a new one.
> The Web Security Mailing List
> WebSecurity RSS Feed
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> websecurity at lists.webappsec.org
More information about the websecurity