This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Forgot Password Cheat Sheet"

From OWASP
(4 intermediate revisions by 3 users not shown)

Latest revision as of 09:19, 3 September 2018

Secret Questions

I don't want to appear rude here, but I thought security questions suck big time; I second Glenn here. Weren't there celebrities' accounts hacked because of well-known security questions? But I need to disagree wrt MFA/2FA: it might be the best, but it is often just not an option. IMO this cheat sheet should reflect this part of a non-ideal world, too.

Please also keep in mind that e.g. SMS is not really a 2nd factor when it's simultaneously being sent to the same smartphone that receives the mail.

- Dirk 'drwetter' Wetter (Aug 2018)

Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism that largely provides little additional security benefit. There are much better options, notably 2FA.

- Glenn 'devalias' Grant (Sept 14, 2017)

Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do an MFA workflow consider the secret questions step to be optional.

- Jim Manico (Sept 14, 2017)

I know it is mentioned there, but it is mentioned as a 'do this after they fail to answer the questions', only if they fail. There is nothing in that which suggests the secret questions are/could/should be optional. I was going to refer to this as a resource for how to securely implement forgot password functionality, but I don't feel it accurately represents best practice in 2017.

- Glenn 'devalias' Grant (Sept 15, 2017)

Logging

I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, and recording details of reset sessions including IP address and other details would all seem like great suggestions.

More on Logging

I think adding logging info like you described is a good idea. Go ahead and add it in!

- Jim Manico (Sept 2, 2015)
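The "Logging" and "More on Logging" comments on this talk page list what a reset flow should record: that a reset was requested, whether completing it succeeded or failed, and the IP address and other session details. The Python below is an added example written for this page, not code from the cheat sheet or from any of the commenters. It sketches a hypothetical reset service (the class name `PasswordResetAuditor`, the event names and the field names are all assumptions) whose only job is to emit one structured audit record per step, and a small detection pass that reads those records back to flag addresses with repeated failures. Tokens are stored and logged only as SHA-256 fingerprints, so the audit trail never contains a usable reset token. The IP addresses and user agents in the demo are constructed sample values.

```python
"""Added example: audit logging for a password-reset flow (not from the cheat sheet)."""
import hashlib
import json
import secrets
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class PendingReset:
    user_id: str
    expires_at: float


class PasswordResetAuditor:
    """Hypothetical reset service; the point is the audit trail it emits.

    Tokens are stored and referenced only as SHA-256 hashes so that neither the
    pending-reset table nor the log ever contains a usable reset token.
    """

    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable for deterministic tests
        self.events: List[dict] = []            # in-memory stand-in for a log sink
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _log(self, event: str, **fields) -> None:
        record = {"ts": self.clock(), "event": event, **fields}
        self.events.append(record)
        print(json.dumps(record, sort_keys=True))   # one JSON object per line

    def request_reset(self, user_id: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        fp = self._fingerprint(token)
        self._pending[fp] = PendingReset(user_id, self.clock() + self.ttl)
        # Record who asked and from where; the raw token is never logged.
        self._log("reset_requested", user_id=user_id, ip=ip,
                  user_agent=user_agent, token_fp=fp[:12])
        return token

    def complete_reset(self, token: str, ip: str, user_agent: str) -> bool:
        fp = self._fingerprint(token)
        pending = self._pending.pop(fp, None)     # single use: removed on any outcome
        if pending is None:
            self._log("reset_failed", reason="unknown_token", ip=ip,
                      user_agent=user_agent, token_fp=fp[:12])
            return False
        if self.clock() > pending.expires_at:
            self._log("reset_failed", reason="expired_token", user_id=pending.user_id,
                      ip=ip, user_agent=user_agent, token_fp=fp[:12])
            return False
        self._log("reset_succeeded", user_id=pending.user_id, ip=ip,
                  user_agent=user_agent, token_fp=fp[:12])
        return True


def failed_resets_by_ip(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Detection pass over the audit trail: IPs with at least `threshold` failures."""
    counts = Counter(e["ip"] for e in events if e["event"] == "reset_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample session using documentation-range IPs (RFC 5737).
    svc = PasswordResetAuditor()
    tok = svc.request_reset("alice", "203.0.113.5", "Mozilla/5.0 (example)")
    for _ in range(3):      # three invalid-token attempts from a second address
        svc.complete_reset(secrets.token_urlsafe(32), "198.51.100.7", "curl/8.0")
    svc.complete_reset(tok, "203.0.113.5", "Mozilla/5.0 (example)")
    print("addresses over threshold:", failed_resets_by_ip(svc.events))
```

Each record carries a short token fingerprint so that a request and its later completion or failure can be correlated without the log becoming a second place a live token could be recovered from; the single-use pop and the expiry check give the failure records a `reason` field that a SIEM rule can key on.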