

Showing posts from February, 2012

Secure Forgot Password Implementation

I got a message from Mae Bualat about a secure implementation of a forgot-password mechanism. Although his way also sounded secure to me, I suggested more alternatives to him. The approaches are always arguable, but these are my personal arguments as per my limited knowledge. Following is the communication between us:

Hi Mr. Nilesh Kumar,

I've come across your blog while looking for some references on the web for a secure password recovery scheme. I suppose, as a security specialist, you may have inputs to help me work on it. I am looking for a secure password recovery implementation. The process that I am looking into is this: the user will need to supply the email address used on account registration, then birthday, then the user will need to supply a new password, then the system will send a verification link to his registered email to finalize and confirm the process. But aside from this, I am still currently looking for some ways to securely implement this process. Any idea will
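The exchange above describes a reset flow in prose only. The following is an added example written for this page; it is neither Mae Bualat's scheme nor the alternatives the post refers to. It shows the properties a practitioner usually wants from a token-based reset: the e-mailed token is random and only its hash is stored, a token expires after a fixed time, is single-use, and is invalidated by any newer request for the same account; the request step returns the same value whether or not the account or birthday matched; and the new password is accepted only after the emailed token has been presented. The in-memory dicts standing in for the user and token tables, the `send_email` callback, the 15-minute lifetime, PBKDF2 as the password hash and every class and function name are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise for production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def token_fingerprint(token):
    """Only this hash is stored server-side; the raw token exists in the e-mail alone,
    so a leaked token table cannot be replayed against the reset endpoint."""
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    """Hypothetical service: dicts stand in for the user and reset-token tables."""

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email   # callable(email, token); would build the link
        self._now = now                 # injectable clock, used by the tests for expiry
        self._users = {}                # email -> {"salt", "digest", "birthday", "reset"}
        self._pending = {}              # token fingerprint -> (email, expires_at)

    def register(self, email, password, birthday):
        salt, digest = hash_password(password)
        self._users[email] = {"salt": salt, "digest": digest,
                              "birthday": birthday, "reset": None}

    def login(self, email, password):
        u = self._users.get(email)
        return u is not None and verify_password(password, u["salt"], u["digest"])

    def request_reset(self, email, birthday):
        """Step 1: caller supplies e-mail and birthday. Always returns None so the
        response does not reveal whether the account exists or the birthday matched."""
        u = self._users.get(email)
        if u is None or not hmac.compare_digest(u["birthday"].encode(), birthday.encode()):
            return None
        # a newer request invalidates any earlier, unused token for this account
        if u["reset"] is not None:
            self._pending.pop(u["reset"], None)
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        fp = token_fingerprint(token)
        self._pending[fp] = (email, self._now() + TOKEN_TTL_SECONDS)
        u["reset"] = fp
        self._send_email(email, token)
        return None

    def complete_reset(self, token, new_password):
        """Step 2: the user follows the emailed link and only then supplies the new
        password. Returns True when the password was changed."""
        fp = token_fingerprint(token)
        entry = self._pending.pop(fp, None)       # single use: removed before any check
        if entry is None:
            return False
        email, expires_at = entry
        u = self._users.get(email)
        if u is None:
            return False
        u["reset"] = None
        if self._now() > expires_at:
            return False                           # expired tokens are discarded, not honoured
        u["salt"], u["digest"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    outbox = []
    svc = PasswordResetService(lambda e, t: outbox.append((e, t)))
    svc.register("alice@example.com", "old-pass", "1990-01-01")   # constructed sample user
    svc.request_reset("alice@example.com", "1990-01-01")
    _, token = outbox[0]
    print("reset ok:", svc.complete_reset(token, "new-pass"))
    print("replay ok:", svc.complete_reset(token, "again"))
```

Because the same `None` comes back for an unknown address, a wrong birthday and a successful request, an attacker cannot use the reset endpoint to enumerate accounts or to brute-force birthdays by observing responses; the only observable difference is the e-mail that arrives in the legitimate owner's inbox.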