I Forgot My Password

Presented at BSidesLV 2015, Aug. 5, 2015, 10:30 a.m. (25 minutes)

Users often forget their passwords, so applications often must have a password reset mechanism. There are several options for how to do it; some of them are good, most of them not so good. Generate a password and send it in an email? No. Security questions? No way. Reset passwords via a phone call? Rather not. This talk presents some really creative examples of botched password reset implementations, as well as a proven method for resetting passwords securely.


Presenters:

  • Michal Špaček
    Michal, aka spazef0rze, is an application security engineer who's on a mission to show developers how and why to write secure code, and is the discoverer of the PHP "md5(QNKCDZO)" bug. Michal has worked for small and big, local and multinational companies, and is currently freelancing.
