Showing posts from February, 2012

Secure Forgot Password Implementation

I got a message from Mae Bualat about the secure implementation of a forgot password mechanism. Although his way also sounded secure to me, I suggested more alternatives to him. The approaches are always arguable, but these are my personal arguments as per my limited knowledge.
Following is the communication between us:
Hi Mr. Nilesh Kumar,
I've come across your blog while looking for some references on the web for a secured password recovery scheme. I suppose, as a security specialist, you may have inputs to help me work on it.
I am looking for a secure password recovery implementation. The process that I am looking into is this: the user will need to supply the email address used on account registration, then birthday, then the user will need to supply a new password, then the system will send a verification link to his registered email to finalize and confirm the process. But aside from this, I am still currently looking for some ways to securely implement this process.
Any idea will be highly a…