Friday, March 27, 2009

Forgot Password Best Practices v2

I just finished an update of my white paper that describes best practices for creating a secure "forgot password" feature. There are two important additions to the paper.
  • A section to describe an extra step that can be taken to provide even more protection. This step involves using email as an out-of-band communication channel.
  • A paragraph to explain that the recommendations may not be feasible for all web sites. The concepts presented in the paper are most relevant for organizations that have a business relationship with users.
I also dumped "Billy Bob" as the name of the hypothetical user in favor of "Joe". I grew tired of the campy name and don't want to imply that users are stupid or unsophisticated, even though some could perhaps accurately be characterized in that way.
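To make the out-of-band step concrete, here is an added Python sketch of a reset flow that uses email as the second channel. It is example code written for this post, not the white paper's own code: the in-memory user table, token store and outbox stand in for a real database and mail system (assumptions), the hypothetical user is "Joe" as in the paper, and the 15-minute lifetime is an arbitrary choice. The points it shows are the ones a reviewer would check: the secret token never appears in the HTTP response, only a hash of it is stored, it expires, it can be used once, and the request step answers identically whether or not the account exists.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the application's database and mail queue (assumptions).
USERS = {"joe": {"email": "joe@example.com", "password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> {"user", "expires", "used"}
OUTBOX = []         # messages that would leave over the out-of-band channel (email)

TOKEN_TTL_SECONDS = 15 * 60   # arbitrary lifetime chosen for this example


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked token table cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username_or_email: str, now: float = None) -> str:
    """Step 1: Joe asks for a reset. The reply is the same whether or not the
    account exists, so the form cannot be used to enumerate accounts. The
    secret token travels only in the email, never in the HTTP response."""
    now = time.time() if now is None else now
    user = next((u for u, rec in USERS.items()
                 if u == username_or_email or rec["email"] == username_or_email), None)
    if user is not None:
        token = secrets.token_urlsafe(32)               # unguessable, single-use secret
        RESET_TOKENS[_hash_token(token)] = {
            "user": user, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        OUTBOX.append({"to": USERS[user]["email"],
                       "body": f"Reset link: https://example.com/reset?token={token}"})
    return "If an account exists for that address, a reset email has been sent."


def complete_reset(token: str, new_password: str, now: float = None) -> bool:
    """Step 2: the link from the email comes back. Look the token up by hash,
    enforce expiry and single use, then set the new password."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True                                   # burn the token before use
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    USERS[rec["user"]]["password_hash"] = (salt, digest)
    return True


def check_password(user: str, password: str) -> bool:
    """Verify a login against the stored salted PBKDF2 hash."""
    stored = USERS.get(user, {}).get("password_hash")
    if stored is None:
        return False
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```

The generic reply in `request_reset` is deliberate: a message that differs for unknown accounts turns the forgot-password form into an account-enumeration oracle, which undercuts the value of the out-of-band channel.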

Thursday, March 12, 2009

Discover Card Subterfuge?

I've had a Discover Card for about 18 years. My account number never changed in all those years. Suddenly out of the blue, with my card expiration date many years in the future, I got a message from Discover politely informing me that I would be getting a new card with a different account number. Hmm, that's strange. The reason? I was told it's because of a "systems upgrade" giving me great benefits like "enhanced security monitoring" (see screen shot below).

I don't buy it. It's heavy on spin and doesn't pass the smell test. How does changing 12 digits in my account number (all Discover Cards start with "6011") enable such great new capabilities? I guess Discover wants me to believe that they don't have the technological know-how to transfer my existing account data into their new, powerful system. A more likely reason is that my account number was part of a data breach, and Discover decided to issue new cards to fend off any potential fraud for which they would be liable.