Implementing password resets

David Shpritz from the Securabit podcast wrote a short paper aimed at developers on how to build secure password reset functionality.

Highlights:

  • Always email a password reset link as another means to verify identity
  • Consider an SMS message as an out-of-band check (assuming a mobile number was stored in advance)
  • Secret questions are tricky — personally I say avoid using them
  • Never report an incorrect username/email error on your password lookup page: return the same response whether or not the address exists, otherwise attackers can harvest emails and determine valid usernames
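The four points above fit together as one small service. The following is an added example, not code from the paper or the podcast: an in-memory stand-in for the database and mailer (the `accounts` dict, the `outbox` list and the `https://example.com/reset` URL are assumptions). It issues a 256-bit token from the OS CSPRNG, stores only a hash of it, gives the same reply for known and unknown addresses, and accepts a token only once and only before an assumed 15-minute expiry.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset links expire after 15 minutes
GENERIC_REPLY = "If that address has an account, a password reset link has been sent."


@dataclass
class PendingReset:
    email: str
    expires_at: float
    used: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 from the stdlib; prefer argon2id or bcrypt where a library is available."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


class PasswordResetService:
    """Hypothetical in-memory service standing in for a database and a mailer."""

    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts          # email -> stored password hash
        self.pending = {}                 # sha256(token) -> PendingReset
        self.outbox = []                  # (recipient, link) pairs in place of a mailer
        self.clock = clock                # injectable so expiry can be exercised offline

    @staticmethod
    def _token_hash(token: str) -> bytes:
        # Only the hash is stored: a leaked table of pending resets cannot be replayed,
        # and looking up by hash of a high-entropy token leaks nothing useful via timing.
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str) -> str:
        """Same reply whether or not the address exists, so the page cannot enumerate accounts."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
            self.pending[self._token_hash(token)] = PendingReset(
                email, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, f"https://example.com/reset?token={token}"))
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Accept a token only if it is known, unexpired and unused; then burn it."""
        req = self.pending.get(self._token_hash(token))
        if req is None or req.used or self.clock() > req.expires_at:
            return False
        req.used = True                   # single use, even if the link is clicked twice
        self.accounts[req.email] = hash_password(new_password)
        # A real service would also invalidate the account's existing sessions here.
        return True


if __name__ == "__main__":
    # Constructed sample account; the link would normally go out by email.
    svc = PasswordResetService({"alice@example.com": hash_password("old-password")})
    print(svc.request_reset("nobody@example.com"))   # same text as for a real account
    print(svc.request_reset("alice@example.com"))
    link = svc.outbox[0][1]
    token = link.split("token=")[1]
    print("first use ok:", svc.complete_reset(token, "new-password"))
    print("second use ok:", svc.complete_reset(token, "another-password"))
```

Two details worth carrying into a real implementation: the reply text and the response time of `request_reset` should not differ between known and unknown addresses (queue the email rather than sending it inline), and the link carries only the token, never the address, so the token alone is the secret and its hash is all the server needs to keep.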
