Collaborate Disseminate
Reset token contains lower case a-z, 0-9 number, there will be at maximum 5 number, at minimum there will be 0 number.
It is randomly generated.
How many possiblities do we have?
How much time does this take to brute force?
Example: x8h1w7… Continue reading How to guess 8 character long reset token [closed]
What is the best practice for changing passwords while the user is already logged in?
In my application to change the password, the user who is already logged in has to pass the current password and a new password. There is no email confir… Continue reading Best practice to change password while user is already logged in
The context is a password reset functionality. The user has requested a password reset, either via the web, or via a call to the help desk.
The proposed solution is, behind the scenes:
If Self-Service via the web – require the user to pr… Continue reading Is it safe to send an encrypted blob as a URL parameter?
I’m trying to follow the OWASP ‘Forgot Password Cheat Sheet’ recommendations for password reset functionality via email. This requires my server to generate a token. OWASP says that PHP’s random_bytes() and openssl_random_pseudo_bytes() fu… Continue reading How many bytes for password reset token? Should one take steps to hash or conceal raw CSPRNG bytes?
I recently had to reset my password for a popular instant messaging service. Unfortunately, I failed to write down the new password I picked. So I had to reset the password again. That is when I got the following message:
Please wait one … Continue reading Benefits of only allowing one password reset per day? [duplicate]
There is an existing user database that has the following columns:
userId (v4 uuid)
created timestamp
bcrypt password hash
email
I must add a password reset functionality and I cannot add any new column to the table. So my plan is to imp… Continue reading Hashing bcrypt password hash for use as a password reset token
Similar to another question about keeping an account locked, is it preferable to allow a user to reset their password while the account is locked out due to the wrong password being used too many times?
For example, their account gets lock… Continue reading Allowing a password reset if an account is locked
I just got an email from the Unsplash service telling me that someone had logged into my account via credential sniffing:
Five minutes later I get three more emails, each one notifying that a (generic) photo just uploaded to the account h… Continue reading How do sites detect credential sniffing, and what is the purpose of this attack?
Grindr, the popular dating app, had a ridiculous bug in its password-recovery flow. To make matters worse, Grindr ignored the bug for a week.
The post Troy Hunt Flags Up ‘Sensational’ Sextortion Bug in Grindr appeared first on Security Boulevard.
Continue reading Troy Hunt Flags Up ‘Sensational’ Sextortion Bug in Grindr
I have started to work on the Forgotten password feature on my website. Based on OWASP Forgot Password cheatsheet, the user should provide enough information to confirm that it is really them.
The system currently is working as follows:
T… Continue reading In forgotten password is asking user their TOTP among other details secure?