Tuesday, 3 August 2010

Forgotten Password Mechanisms....again

In a previous blog entry I gave my 2 cents worth on what to think about when handling the "Forgotten Password" mechanism in online applications.

I just came across Password Reset Survey, which does a short review of how password reset is handled on a number of major sites*. It's worth reading, but here is the conclusion:
"There isn't a clear conclusion to draw here - sites do things differently, and in some cases have what seem to be pretty easily breakable password reset mechanisms. I'd imagine that all of these mechanisms work well enough - the cost of breakins is less than the cost of making things more secure and difficult for users. But I'd encourage people to think of ways that the password reset process could be made more secure and usable so that sites could rally around a better mechanism."
I have also mentioned the following academic paper before:
When developing your online application, you need to think about how you are going to handle the forgotten password mechanism.
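One concrete shape such a mechanism can take, as an added example that is not part of the original post and not taken from the survey it cites: a single-use, time-limited reset token of which only the digest is stored, plus a reset-request handler that answers identically whether or not the address is registered. The class and function names, the 15-minute lifetime and the reply text are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link lives 15 minutes
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


class PasswordResetStore:
    """Single-use, time-limited reset tokens; only each token's SHA-256
    digest is stored, so a leaked table yields no usable reset links."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # digest -> (account, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account):
        # 256 bits from the OS CSPRNG, so guessing a token is infeasible
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (account, self.clock() + self.ttl)
        return token                # sent out of band (e-mail); never logged

    def redeem(self, token):
        """Return the account for a valid token, else None; consumed on first use."""
        entry = None
        digest = self._digest(token)
        for stored in list(self._pending):
            # constant-time compare, and no early break, so timing leaks nothing
            if hmac.compare_digest(stored, digest):
                entry = self._pending.pop(stored)
        if entry is None:
            return None
        account, expiry = entry
        return account if self.clock() <= expiry else None


def request_reset(email, store, accounts, send):
    """Handle the 'forgot password' form. The reply is identical whether or
    not the address is registered, so the form cannot enumerate accounts."""
    account = accounts.get(email.strip().lower())
    if account is not None:
        send(email, store.issue(account))
    return GENERIC_REPLY
```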

*The sites reviewed are:
Google, Yahoo, Microsoft (Hotmail, Live etc), Apple, Facebook, Twitter, MySpace, LinkedIn, Amazon, Ebay, Craigslist, Paypal, Wikipedia


1 comment:

  1. Great post. My own experience is that although the mechanics of Entity Authentication are quite simple, the business processes that surround it (enrolment, account validation, password reset, etc) can lead to some complicated workflows, and some hidden gotchas.