Collaborate Disseminate
I am building an web application that uses two-factor authentication.
While implementing the recovery feature, I see that most companies (eg Apple, Facebook, Github) provide a set of ~15 backup codes, which are 7-10 characte… Continue reading Why use one-time codes for two-factor authentication backups?
This question already has an answer here:
Are password complexity rules counterproductive?
7 answers
It’s not uncommon to… Continue reading Why some sites require passwords having digits and symbols? [duplicate]
My question is simple. I work in a company of 10 employees where none of our computers have passwords to login into our Windows systems. The thing is my boss doesn’t want passwords because he thinks that we have nothing to hide and also be… Continue reading What is the real danger of not putting a login password in Windows in a small company except that of allowing anyone to go physicaly on your computer?
According to Is it common practice to log rejected passwords?, I know logging rejected plain text password is a bad idea, but how about if I store the hashed form of rejected passwords? I want to have more information about t… Continue reading What are the security risks of logging the hash of rejected passwords?
At our organization, we came across some frequent incidents such as:
Reported successful password guessing attacks
Frequent password reset complaints
We started an investigation to identify the causes and the flaws in o… Continue reading How to strike a balance between password policy and practical challenges?
I just received an email from Citi saying “We’ve locked your access for 24 hours due to multiple failed login attempts.” and “If you didn’t attempt these logins, we recommend that you reset your password immediately.”
Ignori… Continue reading Is there value in changing your password after failed (malicious) login attempts?
Given that you check that a password is not a common password and not present in a db with compromised passwords, will password complexity requirements (e.g. at least 1 lowercase and 1 uppercase character and 1 special charac… Continue reading Will password complexity requirements increase or decrease security given a haveibeenpwned check?
I am using a password manager, and have optimized all my passwords so they are complex, long, and unique.
I am wondering if there are any guidelines as to if I should still change my passwords from time to time and if so, ho… Continue reading How Often Should I Change my Passwords
There are known good practices for password reset functionality from OWASP and other resources. On the other hand, I believe most of us agree that security questions are not user friendly, they either make users choose easily… Continue reading Forgot password best practice for mobile applications
I run a SaaS used by teams to collect company-related information (think something like Crashlytics). Even if the tool lets users invite their colleagues, we often find cases of individuals who created an account for their co… Continue reading Policy for regaining access to a colleague’s account