Implementing password resets

David Shpritz from the Securabit podcast wrote a short paper aimed at developers on how to build secure password reset functionality.


  • Always email a password reset link as another means to verify identity
  • Consider use of SMS message for out of band identification (assuming you have Cell # previously stored)
  • Secret questions are tricky — personally I say avoid using them
  • Never report incorrect username/email error messages on your password lookup page (this allows attackers to harvest emails and determine valid usernames)
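
The first and last points above go together: the lookup page must answer identically whether or not the address exists, and the emailed link should carry a random, short-lived, single-use token. The following is an added illustration of that flow, not code from the paper or the podcast; the in-memory `USERS` store and the e-mail address are constructed sample data.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory user store standing in for a real database.
USERS = {"alice@example.com": {"reset": None}}

TOKEN_TTL_SECONDS = 15 * 60
# One fixed response for every request, so the page cannot be used to
# tell registered addresses from unregistered ones.
GENERIC_RESPONSE = "If that address is registered, a reset link has been sent."


def _hash_token(token: str) -> str:
    # Only the hash is stored; a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Return (message_for_user, raw_token_for_email).
    The message is the same in both branches; only the mailer sees the token."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return GENERIC_RESPONSE, None
    token = secrets.token_urlsafe(32)  # unguessable, embedded in the emailed link
    user["reset"] = {"hash": _hash_token(token), "expires": now + TOKEN_TTL_SECONDS}
    return GENERIC_RESPONSE, token


def redeem_reset(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token from the link only if it is unexpired, unused and
    matches the stored hash (constant-time comparison)."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    if now > pending["expires"]:
        user["reset"] = None  # expired tokens are discarded, not kept around
        return False
    if not secrets.compare_digest(pending["hash"], _hash_token(token)):
        return False
    user["reset"] = None  # single use: a second redeem with the same token fails
    return True
```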
