Saturday, September 11, 2010

Latest Forgot Password Best Practices Doc

A new version of my white paper entitled "Best Practices for a Secure Forgot Password Feature" is available. You can download the white paper here. No significant changes were made in terms of content, but it does have fewer pages and a more pleasing look now. The link I had given out previously is no longer valid.

The white paper was used as the basis for the OWASP Forgot Password Cheat Sheet.


Eric 4/26/2011 8:58 AM  

I think your approach was probably the weakest approach I have seen. Anyone with 8 bucks can use Siezant data to get a full makeup of another person and answer all of the seemingly personal information that you have outlined. Furthermore, suggesting websites to store your Last 4 digits of your social is a security no-no and violates PCI standards. Also if someone guesses all of the basic googled information about me, they just caused my password to be reset causing me headaches. If email has been compromised then everything is pretty much insecure at that point. I believe that if a user has requested that their password be reset then all of their payment info should also be reset, giving the user at most just address information.

Dave Ferguson 4/26/2011 2:50 PM  

@Eric: Wow, you might want to read more carefully. There is a note in the 3rd paragraph about web apps that target the general public. Much of your feedback seems to be about those types of apps. It is not true that the paper suggests storing last 4 digits of SSN. Only that if an application already has access to that data, it is one possible data point that could be used. You made a false statement in regards to PCI. Are you a QSA? Storage of SSN has nothing to do with PCI DSS. I am speaking as a QSA and PA-QSA (look it up). Lastly, the weakness in email is more about unencrypted data in transit, and less about a compromised account.
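The exchange above turns on a design detail that the reset flow itself should settle: merely requesting a reset (whether or not the requester has guessed the identity-verification answers) must not change the account's password, and the reset link sent by email must be single-use and short-lived so that an intercepted message has limited value. The following is an added illustration of that token-based approach and is not code from the white paper, the OWASP cheat sheet, or either commenter; the in-memory store, the 15-minute lifetime, and the use of SHA-256 as a stand-in for a real password hashing function are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token (15 minutes)


class PasswordResetStore:
    """Constructed in-memory model of a forgot-password flow (illustration only).

    Key properties demonstrated:
      * request_reset() never alters the stored password, so a bogus request
        (e.g. from someone who guessed security-question answers) cannot
        lock the real user out.
      * Only a hash of the token is stored; a database leak does not expose
        usable reset links.
      * Tokens are single-use and expire after TOKEN_TTL_SECONDS.
    """

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested deterministically
        self.users = {}         # username -> {"password_hash": str, "email": str}
        self.pending = {}       # sha256(token) -> (username, expires_at)

    @staticmethod
    def _hash_password(password):
        # Placeholder only: a production system must use a slow, salted KDF
        # such as bcrypt, scrypt or Argon2 rather than a bare SHA-256.
        return hashlib.sha256(password.encode()).hexdigest()

    @staticmethod
    def _hash_token(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, username, password, email):
        self.users[username] = {
            "password_hash": self._hash_password(password),
            "email": email,
        }

    def request_reset(self, username):
        """Issue a reset token to be emailed to the user (over TLS).

        Returns (email, token). For an unknown username a token is still
        generated and (None, token) returned, so the caller can give an
        identical "if that account exists, mail was sent" response and avoid
        username enumeration. The existing password is left untouched.
        """
        token = secrets.token_urlsafe(32)
        user = self.users.get(username)
        if user is None:
            return None, token
        self.pending[self._hash_token(token)] = (username, self.now() + TOKEN_TTL_SECONDS)
        return user["email"], token

    def redeem(self, token, new_password):
        """Consume a token and set a new password. Returns True on success."""
        entry = self.pending.pop(self._hash_token(token), None)  # pop => single use
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[username]["password_hash"] = self._hash_password(new_password)
        return True

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["password_hash"], self._hash_password(password))


def demo():
    """Walk through the flow with a fake clock; returns the observed outcomes."""
    clock = {"t": 1_000_000.0}
    store = PasswordResetStore(now=lambda: clock["t"])
    store.add_user("alice", "old-secret", "alice@example.test")  # constructed sample user

    _, token = store.request_reset("alice")
    old_still_valid = store.check_password("alice", "old-secret")  # request alone changed nothing
    wrong_token = store.redeem("not-the-token", "x")               # unknown token rejected
    redeemed = store.redeem(token, "new-secret")                   # genuine token works once
    reused = store.redeem(token, "again")                          # second use rejected
    new_works = store.check_password("alice", "new-secret")

    _, token2 = store.request_reset("alice")
    clock["t"] += TOKEN_TTL_SECONDS + 1                            # advance past expiry
    expired = store.redeem(token2, "late")                         # stale token rejected

    return old_still_valid, wrong_token, redeemed, reused, new_works, expired


if __name__ == "__main__":
    print(demo())
```

Because the token, not the answers to personal questions, is what actually authorizes the password change, an attacker who can look up someone's personal details gains nothing beyond triggering an email; and because the token is random, hashed at rest, single-use and time-limited, the remaining exposure is the one Dave points to: the message in transit.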
