This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Forgot Password Cheat Sheet"
| Line 1: | Line 1: | ||
| + | == Secret Questions == | ||
| + | |||
| + | Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA. | ||
| + | |||
| + | - Glenn 'devalias' Grant (Sept 14, 2017) | ||
| + | |||
== Logging == | == Logging == | ||
Revision as of 05:18, 14 September 2017
Secret Questions
Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.
- Glenn 'devalias' Grant (Sept 14, 2017)
Logging
I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, recording details of reset sessions including IP address and other details would all seem like great suggestions.
More on Logging
I think adding logging info like you described is a good idea. Go ahead and add it in!
- Jim Manico Sept 2, 2015
