Difference between revisions of "Talk:Forgot Password Cheat Sheet"

From OWASP
(Glenn is not reading :))

- Glenn 'devalias' Grant (Sept 14, 2017)

== Logging ==
+
Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.
  
I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, recording details of reset sessions including IP address and other details would all seem like great suggestions.
+
- Jim Manico (Sept 14, 2017)

== More on Logging ==

I think adding logging info like you described is a good idea. Go ahead and add it in!
- Jim Manico Sept 2, 2015
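The logging Jim asks for (attempt, outcome and client IP per reset session), written here as an added example rather than anything from the cheat sheet: structured audit events for the reset flow plus a review function that surfaces repeated failures from one address. The logger name, event names, field names and the sample addresses are all assumptions.

```python
import hashlib
import json
import logging
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical audit logger for a password-reset flow (constructed example, not OWASP code).
audit = logging.getLogger("password_reset.audit")


def token_fingerprint(token: str) -> str:
    """Correlate events by a truncated hash; the raw reset token must never reach the log."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def log_reset_event(event: str, username: str, client_ip: str,
                    token: Optional[str] = None, reason: Optional[str] = None) -> Dict:
    """Emit one structured line per reset step: requested, token_sent, verified, failed, completed."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": username,
        "ip": client_ip,
        "token_fp": token_fingerprint(token) if token else None,
        "reason": reason,
    }
    audit.info(json.dumps(record))
    return record


def failed_resets_by_ip(records: List[Dict], threshold: int = 5) -> Dict[str, int]:
    """Review aid: client IPs with at least `threshold` failed reset verifications."""
    counts = Counter(r["ip"] for r in records if r["event"] == "failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sample_records() -> List[Dict]:
    """Constructed sample session: one noisy client (TEST-NET address) and one legitimate user."""
    recs = [log_reset_event("requested", "alice", "198.51.100.4")]
    recs.append(log_reset_event("completed", "alice", "198.51.100.4", token="tok-alice"))
    for i in range(6):  # repeated bad token / wrong secret answer from one source
        recs.append(log_reset_event("failed", "bob", "203.0.113.7",
                                    token=f"guess-{i}", reason="token_mismatch"))
    return recs
```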
 

Revision as of 02:43, 15 September 2017

== Secret Questions ==

Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.

- Glenn 'devalias' Grant (Sept 14, 2017)

Glenn, please see section 3. We explicitly discuss MFA as a critical step. Many companies who do a MFA workflow consider the secret questions step to be optional.

- Jim Manico (Sept 14, 2017)