https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=DevaliasOWASP - User contributions [en]2026-05-03T19:02:29ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:Forgot_Password_Cheat_Sheet&diff=233315Talk:Forgot Password Cheat Sheet2017-09-15T05:43:50Z<p>Devalias: </p>
<hr />
<div>== Secret Questions ==<br />
<br />
Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.<br />
<br />
- Glenn 'devalias' Grant (Sept 14, 2017)<br />
<br />
Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.<br />
<br />
- Jim Manico (Sept 14, 2017)<br />
<br />
I know it is mentioned there, but it is mentioned as a 'do this after they fail to answer the questions', only if they fail. There is nothing in that that suggests the secret questions are/could/should be optional. I was going to refer to this as a resource for how to securely implement forgot password functionality, but I don't feel it accurately represents best practice in 2017.<br />
<br />
- Glenn 'devalias' Grant (Sept 15, 2017)</div>Devaliashttps://wiki.owasp.org/index.php?title=Talk:Forgot_Password_Cheat_Sheet&diff=233314Talk:Forgot Password Cheat Sheet2017-09-15T05:43:36Z<p>Devalias: </p>
<hr />
<div>== Secret Questions ==<br />
<br />
Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.<br />
<br />
- Glenn 'devalias' Grant (Sept 14, 2017)<br />
<br />
Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.<br />
<br />
- Jim Manico (Sept 14, 2017)<br />
<br />
I know it is mentioned there, but it is mentioned as a 'do this after they fail to answer the questions', only if they fail. There is nothing in that that suggests the secret questions are/could/should be optional. I was going to refer to this as a resource for how to securely implement forgot password functionality, but I don't feel it accurately represents best practice in 2017.</div>Devaliashttps://wiki.owasp.org/index.php?title=Talk:Forgot_Password_Cheat_Sheet&diff=233298Talk:Forgot Password Cheat Sheet2017-09-14T05:18:42Z<p>Devalias: </p>
<hr />
<div>== Secret Questions ==<br />
<br />
Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.<br />
<br />
- Glenn 'devalias' Grant (Sept 14, 2017)<br />
<br />
== Logging ==<br />
<br />
I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, recording details of reset sessions including IP address and other details would all seem like great suggestions.<br />
<br />
== More on Logging ==<br />
<br />
I think adding logging info like you described is a good idea. Go ahead and add it in!<br />
<br />
- Jim Manico Sept 2, 2015</div>Devalias