WebApp Sec mailing list archives
Re: Multi-factor login authentication schemes including password recovery
From: Saqib.N.Ali () seagate com
Date: Thu, 7 Oct 2004 21:35:32 -0700
Use a CAPTCHA ( http://en.wikipedia.org/wiki/Captcha ) for both the login page and the password recovery page. This will deter any automated brute-force attacks. I have found the CAPTCHA technique to be very useful in preventing brute-force attacks.

Thanks.
Saqib Ali
http://validate.sf.net

steve wright <steviewr1ght () yahoo com> wrote on 10/07/2004 02:45:04 PM:
> Hello! I need to design a web application that incorporates a layered password login page, since I cannot use client-side certificates etc. for this project, but need to beef up the usual password/username scheme.
>
> Are there any good whitepapers that describe such a web application scheme, including the registration process, where the user would need to provide a passphrase to be used as a shared secret in the authentication process? To complement this, a secure password recovery process is also needed.
>
> Something along the lines of what many internet banks do these days: username and password, then redirection to a new page asking for 3 random characters from your passphrase, plus a secure "forgot your password" process to go with it.
>
> Any pointers to resources which detail such a scheme with some nice process flows would be highly appreciated... What I have found so far on the net describes some of the above in a fragmented and incomplete manner. I have yet to find a comprehensive guide/whitepaper that does a good job of covering all aspects, including mapping out the required processes...
>
> - SW
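The second login step steve describes (three random positions from a shared passphrase) together with a per-session retry cap, which is the server-side counterpart to Saqib's brute-force concern, as an added example in Python that is not code from the thread. The functions enroll, make_challenge, verify, the LoginSession class and the sample passphrase are all constructed for this illustration.

```python
"""Partial-passphrase second step: the server picks 3 random positions,
the user answers with the characters at those positions.  Constructed
example; names and the sample passphrase are assumptions, not from the thread."""
import hashlib
import hmac
import secrets

def _h(salt: bytes, ch: str) -> bytes:
    # One slow hash per character so a single position can be checked.
    return hashlib.pbkdf2_hmac("sha256", ch.encode(), salt, 10_000)

def enroll(passphrase: str) -> dict:
    """Store one salted hash per position instead of the clear passphrase.
    Caveat: each entry covers a tiny search space (one character), so the
    store itself still needs strong access control."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "n": len(passphrase),
            "pos": [_h(salt, c) for c in passphrase]}

def make_challenge(record: dict, k: int = 3) -> list[int]:
    """Pick k distinct 1-based positions with a CSPRNG; keep them in the session."""
    return sorted(secrets.SystemRandom().sample(range(1, record["n"] + 1), k))

def verify(record: dict, challenge: list[int], answer: str) -> bool:
    """Check every requested position; no early exit, constant-time compares."""
    if len(answer) != len(challenge):
        return False
    ok = 1
    for p, ch in zip(challenge, answer):
        ok &= hmac.compare_digest(_h(record["salt"], ch), record["pos"][p - 1])
    return bool(ok)

class LoginSession:
    """Second-step state.  The challenge stays fixed for the session: re-rolling
    positions after a failure would let a guesser wait for ones it already knows."""
    MAX_ATTEMPTS = 3

    def __init__(self, record: dict):
        self.record = record
        self.challenge = make_challenge(record)
        self.attempts = 0
        self.locked = False

    def answer(self, chars: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if verify(self.record, self.challenge, chars):
            return True
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True  # further attempts need the recovery flow
        return False
```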
Current thread:
- Multi-factor login authentication schemes including password recovery, steve wright (Oct 07)
- Re: Multi-factor login authentication schemes including password recovery, Saqib . N . Ali (Oct 09)