Friday, March 27, 2009

Forgot Password Best Practices v2

I just finished an update of my white paper that describes best practices for creating a secure "forgot password" feature. There are two important additions to the paper.

  • A section to describe an extra step that can be taken to provide even more protection. This step involves using email as an out-of-band communication channel.
  • A paragraph to explain that the recommendations may not be feasible for all web sites. The concepts presented in the paper are most relevant for organizations that have a business relationship with users.
I also dumped "Billy Bob" as the name of the hypothetical user in favor of "Joe". I grew tired of the campy name and don't want to imply that users are stupid or unsophisticated, even though some could perhaps accurately be characterized in that way.


Philip Wolfe 7/08/2009 1:25 PM  

I disagree with your recommendation for the password salt. By using the username or userid, they become locked and can never change over the life of the password.

I recommend a cryptographically random set of bytes be generated for each password. The length of bytes may or may not be the same length depending on how the database stores them. This idea can also apply to the secret answers.

Dave Ferguson 8/26/2009 3:54 PM  

The white paper says "consider" it, not "recommend". If your business case is to allow users to change their username, then of course, you should not use it for a salt. Many applications do not allow username changes after account creation.
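As an added example of the salt trade-off raised in the two comments above (this is not code from the white paper or from either commenter), the following Python compares a per-credential random salt, stored beside the hash, with a salt derived from the username. The `rename_demo` function shows the concrete consequence Philip points to: once the username changes, a username-salted hash can no longer be verified until the user next supplies the plaintext, whereas a stored random salt is unaffected. Salt length, PBKDF2 iteration count and the sample names are assumed values chosen for the illustration; the same functions apply unchanged to hashed secret answers.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not taken from the white paper).
SALT_BYTES = 16            # 128-bit random salt per stored secret
PBKDF2_ITERATIONS = 100_000
HASH_NAME = "sha256"


def derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash of a password or secret answer (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_random_salt(secret: str) -> dict:
    """Per-secret random salt: the salt is generated fresh and stored next to the hash.

    Nothing about the account (username, id) is baked into the hash, so the
    account can be renamed without touching this record.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "hash": derive(secret, salt)}


def verify_random_salt(record: dict, candidate: str) -> bool:
    """Constant-time comparison against the stored hash using the stored salt."""
    return hmac.compare_digest(record["hash"], derive(candidate, record["salt"]))


def store_username_salt(username: str, secret: str) -> dict:
    """Username-derived salt: no extra column is needed, but the hash is now
    tied to the username for the life of the password."""
    return {"hash": derive(secret, username.encode("utf-8"))}


def verify_username_salt(record: dict, username: str, candidate: str) -> bool:
    """Verification must reproduce the salt from the *current* username."""
    return hmac.compare_digest(record["hash"], derive(candidate, username.encode("utf-8")))


def rename_demo(old_name: str, new_name: str, password: str) -> dict:
    """Show what a username change does to each scheme.

    Both records are created under old_name; verification is then attempted
    after the account has been renamed to new_name.
    """
    random_rec = store_random_salt(password)
    user_rec = store_username_salt(old_name, password)
    return {
        "random_salt_still_verifies": verify_random_salt(random_rec, password),
        "username_salt_still_verifies": verify_username_salt(user_rec, new_name, password),
    }


if __name__ == "__main__":
    # Constructed sample: the hypothetical user is renamed from "billybob" to "joe".
    print(rename_demo("billybob", "joe", "correct horse battery staple"))
```

Two records created from the same password with `store_random_salt` carry different salts and therefore different hashes, which is the other property a per-secret salt buys; with a username salt, that is only true as long as usernames are unique and immutable, which is exactly the condition Dave's reply attaches to the "consider" in the paper.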

HS 12/06/2009 8:17 PM

Excellent article. Exactly the thing I was looking for.

mikato 4/20/2011 11:54 AM  

Shoot, I can't download the PDF.
