I agree with your security team. The "security question" is not secure on its own: cities can be found from an IP address, names can be googled and the nicknames of pets can be guessed.
However, you could combine both methods: first send the mail, and when the user clicks the link, ask the question. This way you would add at least a bit more security to the procedure. Also think about a lock (e.g. 12 hours) after three bad attempts to ensure brute-forcing isn't possible.
Answer from licklake on Stack Exchange
I agree with your security team; these kinds of questions are too easy to lift from social media, online research or just guesswork. It can be made a lot better than 'what is your dog's name', but it's still antiquated.
Depending on your needs, in most situations I recommend a third choice: require mobile phone number registration and send an SMS with a verification code to the mobile phone on password change.
Sadly, some users have the same/similar password everywhere. And what if this customer of yours has had an attacker start by taking over his email account? Then finding out he has an account on your product from reading his emails. Then taking over his account with your company, then... changing the password, since you email the password-change link to him/her...
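The flow the first answer describes (e-mail the link first, ask the security question only after the click, lock for 12 hours after three bad attempts), together with the SMS verification code the later answer recommends, as one added example written for this page; it is not code from any of the answers. The token lifetimes, the PBKDF2 parameters, the in-memory account store and the outbox that stands in for the mail/SMS gateway are assumptions made here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

LINK_TTL, SMS_TTL = 15 * 60, 5 * 60        # lifetimes in seconds (assumed values)
MAX_ATTEMPTS, LOCK_SECONDS = 3, 12 * 3600  # three bad attempts, 12-hour lock (from the answer)

def _answer_digest(answer, salt):
    # Case/whitespace-insensitive ("Fluffy" == " fluffy "), then salted and stretched like a password
    return hashlib.pbkdf2_hmac("sha256", " ".join(answer.casefold().split()).encode(), salt, 100_000)

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()   # links and codes are stored only as digests

@dataclass
class Account:
    answer_salt: bytes
    answer_hash: bytes
    phone: str = ""
    failed: int = 0
    locked_until: float = 0.0
    challenges: dict = field(default_factory=dict)  # _key(secret) -> [kind, expiry]

class ResetFlow:
    def __init__(self, clock=time.time):   # clock is injectable so expiry and lockout can be tested
        self.clock, self.accounts, self.outbox = clock, {}, []   # outbox stands in for the mail/SMS gateway

    def register(self, email, answer, phone=""):
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, _answer_digest(answer, salt), phone)

    def _issue(self, acct, kind, secret, ttl):
        # One live challenge per kind: a fresh link or code voids the previous one.
        acct.challenges = {k: v for k, v in acct.challenges.items() if v[0] != kind}
        acct.challenges[_key(secret)] = [kind, self.clock() + ttl]

    def _live(self, acct, kind, secret):
        entry = acct.challenges.get(_key(secret))
        return entry is not None and entry[0] == kind and self.clock() <= entry[1]

    def _usable(self, email):
        acct = self.accounts.get(email)
        locked = acct is not None and self.clock() < acct.locked_until
        return acct, ("invalid" if acct is None else "locked" if locked else None)

    def _fail(self, acct):
        acct.failed += 1
        if acct.failed < MAX_ATTEMPTS:
            return "wrong"
        acct.failed, acct.locked_until = 0, self.clock() + LOCK_SECONDS
        acct.challenges.clear()   # after a lock everyone starts over from step 1
        return "locked"

    def _succeed(self, acct, secret):
        del acct.challenges[_key(secret)]   # single use
        acct.failed = 0
        return "ok"   # caller now lets the user choose a new password

    def request_reset(self, email):
        # Step 1: mail the link. Same reply for unknown addresses (no account enumeration).
        acct = self.accounts.get(email)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            self._issue(acct, "link", token, LINK_TTL)
            self.outbox.append(("email", email, token))
        return "If that address is registered, a reset link has been sent."

    def open_link(self, email, token):
        # Step 2: link clicked; only now is the question shown, and the token is no longer a valid link.
        acct, err = self._usable(email)
        if err or not self._live(acct, "link", token):
            return "invalid"
        acct.challenges[_key(token)][0] = "question"
        return "ask_question"

    def answer_question(self, email, token, answer):
        # Step 3: constant-time check of the answer; three misses lock the account.
        acct, err = self._usable(email)
        if err or not self._live(acct, "question", token):
            return err or "invalid"
        given = _answer_digest(answer, acct.answer_salt)
        return self._succeed(acct, token) if hmac.compare_digest(given, acct.answer_hash) else self._fail(acct)

    def send_sms_code(self, email):
        # The later answer's alternative: a short-lived code to the registered phone.
        acct, err = self._usable(email)
        if err or not acct.phone:
            return err or "invalid"
        code = f"{secrets.randbelow(10**6):06d}"
        self._issue(acct, "sms", code, SMS_TTL)
        self.outbox.append(("sms", acct.phone, code))
        return "sent"

    def verify_sms_code(self, email, code):
        # A wrong, expired or replayed code all count towards the lock.
        acct, err = self._usable(email)
        return err or (self._succeed(acct, code) if self._live(acct, "sms", code) else self._fail(acct))
```

Two design points worth noting: the question is only reachable with a token that has actually been clicked, so an attacker who merely knows the pet's name still needs the mailbox, and answers are normalised and compared in constant time against a stretched hash so a typo in casing does not burn one of the three attempts. The lock counter is per account, which means anyone who knows the address can lock the legitimate user out for 12 hours; a deployment would pair it with per-source rate limiting rather than rely on the account lock alone.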
Can anyone direct me to a list of sites that allow password resets through security questions only? I would like to check my sites against those and put in unique responses for any sites I care about, as I assume (100%) that my true security question answers are available for any moderate hacker or even just an averagely persistent person.
Hi and thanks for reaching out. My name is William. I'm a Windows technical expert. I'll be happy to help you out today.
It is not possible to reset security questions. However, if you can't recall the original password you set the device up with initially, then you will need to create a secondary local admin account to reset the password for your primary account. To do this, you will need to create Windows 10 boot media (on another computer) and boot from it as if you were going to install Windows, but will instead use this environment to create the new admin account. To create Windows 10 installation boot media, see this Microsoft article: https://www.microsoft.com/en-us/software-downlo...
Alternatively, if you have a Windows 10 DVD, you can boot from that, too.
After booting from the boot media, go to the section "Create a New User to Save Account Files" in this guide: https://www.howtogeek.com/222262/how-to-reset-y...
Note, the above link assumes your system drive is letter D:. If the command fails, then use C: in place of D: for the copy command.
Thanks for the quick response, WilliamDZ. I will give it a try and let you know how I go. Cheers