This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Forgot Password Cheat Sheet"

From OWASP

Revision as of 05:18, 14 September 2017

Secret Questions

Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism that largely provides little additional security benefit. There are much better options, notably 2FA.

- Glenn 'devalias' Grant (Sept 14, 2017)

Logging

I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, and recording details of reset sessions including IP address and other details would all seem like great suggestions.
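The logging the comment above asks for, as an added example that is not part of the cheat sheet or of the commenter's post: each step of a reset flow (request, token verification, password change) is written as one JSON record with user, IP, user agent and outcome, the reset token is never logged (only a truncated SHA-256 fingerprint, so request and completion can still be correlated), and a trailing-window count of failures per address gives a first detection signal. The event names, field names, threshold, the fixed clock and all sample events are assumptions chosen for this illustration.

```python
import hashlib
import json


class ResetAuditLog:
    """Append-only audit log for password-reset events (illustrative, not OWASP code).

    Each record carries who, from where, which step and whether it succeeded,
    plus a fingerprint of the reset token so request and completion can be
    correlated without the token itself ever reaching the log.
    """

    FAILED = "failure"
    SUCCESS = "success"

    def __init__(self, clock):
        # clock() returns the current Unix time; injected so the demo is deterministic
        self._clock = clock
        self.records = []

    @staticmethod
    def token_fingerprint(token):
        # Log a truncated hash, never the token: whoever can read the log
        # (or a leaked copy of it) must not be able to complete someone's reset.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]

    def record(self, event, user_id, ip, user_agent, outcome, token=None, reason=None):
        rec = {
            "ts": int(self._clock()),
            "event": event,        # reset_requested | token_verified | password_changed (assumed names)
            "user": user_id,       # account identifier as entered / resolved
            "ip": ip,
            "ua": user_agent,
            "outcome": outcome,
        }
        if token is not None:
            rec["token_fp"] = self.token_fingerprint(token)
        if reason is not None:
            rec["reason"] = reason  # e.g. unknown_user, token_expired, token_mismatch
        self.records.append(rec)
        return json.dumps(rec, sort_keys=True)  # one JSON object per line for the log shipper

    def failures_by_ip(self, ip, window_seconds=600):
        """Count failed reset steps from one address within the trailing window."""
        cutoff = self._clock() - window_seconds
        return sum(1 for r in self.records
                   if r["ip"] == ip and r["outcome"] == self.FAILED and r["ts"] >= cutoff)

    def suspicious_ips(self, threshold=3, window_seconds=600):
        """Addresses whose failure count in the window reaches the (assumed) threshold."""
        ips = {r["ip"] for r in self.records}
        return sorted(ip for ip in ips if self.failures_by_ip(ip, window_seconds) >= threshold)


def demo():
    """Replay a constructed sequence of reset events and return the populated log."""
    now = [1_700_000_000]  # constructed fixed clock, advanced by hand below
    log = ResetAuditLog(clock=lambda: now[0])
    ua = "Mozilla/5.0 (constructed)"
    token = "c9f3...example-token"  # constructed; a real token is a CSPRNG value

    # Legitimate user: request, verify, change password, all from one address.
    log.record("reset_requested", "alice", "198.51.100.20", ua, log.SUCCESS, token=token)
    now[0] += 30
    log.record("token_verified", "alice", "198.51.100.20", ua, log.SUCCESS, token=token)
    now[0] += 10
    log.record("password_changed", "alice", "198.51.100.20", ua, log.SUCCESS, token=token)

    # Another address probing account names, then guessing a token.
    for guess in ("bob", "carol", "dave"):
        now[0] += 5
        log.record("reset_requested", guess, "203.0.113.7", ua, log.FAILED, reason="unknown_user")
    now[0] += 5
    log.record("token_verified", "alice", "203.0.113.7", ua, log.FAILED,
               token="0000-guess", reason="token_mismatch")
    return log


if __name__ == "__main__":
    audit = demo()
    for rec in audit.records:
        print(json.dumps(rec, sort_keys=True))
    print("suspicious:", audit.suspicious_ips())
```

The `unknown_user` reason is for the internal log only; the HTTP response to the requester should look the same whether or not the account exists, otherwise the reset endpoint becomes a username oracle. Likewise the fingerprint is for correlation, not authentication: verify the real token against its stored hash, never against the logged prefix.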

More on Logging

I think adding logging info like you described is a good idea. Go ahead and add it in!

- Jim Manico Sept 2, 2015