This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:Forgot Password Cheat Sheet

From OWASP
Revision as of 05:18, 14 September 2017 by Devalias (talk | contribs)

Jump to: navigation, search

Secret Questions

Should we really be suggesting secret questions/answers in 2017? It's sort of a terrible mechanism, that largely provides little additional security benefit. There are much better options, notably 2FA.

- Glenn 'devalias' Grant (Sept 14, 2017)

Logging

I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, recording details of reset sessions including IP address and other details would all seem like great suggestions.

More on Logging

I think adding logging info like you described is a good idea. Go ahead and add it in!

- Jim Manico Sept 2, 2015

Retrieved from "https://wiki.owasp.org/index.php?title=Talk:Forgot_Password_Cheat_Sheet&oldid=233298"