• Xythar (unregistered) in reply to M
    M:
    Couldn't password reset result in an email to the registered address containing a one-time-use secure URL (using a cryptographically secure hash or whatever). When the user receives the email and clicks the link, then they can enter their desired new password. Meets the constraints, and doesn't allow attackers to take over an account as soon as they successfully guess a secret question.

    Nice call, that's actually exactly the solution we ended up using (and we were prepared to argue for our bending of the guidelines a little). Of course, it all ended up being moot anyway, but...

  • Cbuttius (unregistered) in reply to Xythar

    The workaround is that if they are able to answer the insecurity question, you e-mail them a secret link to where they can reset their password, rather than e-mail them the password itself.

Leave a comment on “Classic WTF: Banking So Advanced”

Log In or post as a guest

Replying to comment #314632:

Log Out

« Return to Article