Hacker Read

mcbruiser3 · 2017-08-09 17:39:15+00:00

a) 2FA

or

b) use the "forgot my password" option every time

reply

zachrose | karma 2825 | avg karma 2.89 · | 2017-07-15 16:20:04+00:00

1) Make up a unique password on the spot. 2) Log in and forget it. 3) Reset password.

Works every time.

reply

adamdecaf | karma 248 | avg karma 2.07 · | 2011-06-24 21:12:55+00:00

What if you forget the password?

matheusmoreira | karma 22085 | avg karma 2.63 · | 2022-05-05 13:02:08

What if you forget the password?

eingaeKaiy8ujie | karma 26 | avg karma 0.39 · | 2021-03-15 16:14:25+00:00

What if you "forgot" the password?

felipemnoa | karma 2821 | avg karma 2.5 · | 2012-01-16 15:20:25

>>How would a 'forgot password' function work in this case?

You are screwed. Simple as that.

reply

accountface | karma 332 | avg karma 2.84 · | 2017-02-13 03:07:49

Or just say you forgot the password.

Techasura | karma 606 | avg karma 3.84 · | 2012-11-27 10:10:04+00:00

Basics: put a "forgot password" link please. User gets annoyed if he doesn't have a password reset option.

daave | karma 350 | avg karma 3.27 · | 2012-06-29 22:58:15+00:00

How do you deal with the user forgetting their password in this case?

to3m | karma 4399 | avg karma 2.14 · | 2016-12-19 22:30:17+00:00

Presumably something along these lines:

1. attempt to log in to target's email system

2. "I forgot my password"

3. get 2FA key via SMS

4. enter 2FA key and new password, gain access to email

5. attempt to log in to target's backup system

6. "I forgot my password"

7. get password reset key via email...

reply

cbr | karma 3404 | avg karma 3.04 · | 2013-09-13 12:15:23+00:00

This fails if the user forgets their password.

PinkPigeon | karma 135 | avg karma 1.57 · | 2021-05-28 16:42:20+00:00

I've always gone with the option to 'show password' and like you say, the 'forgot password' button sorts you out if there's an issue :)

StavrosK | karma 1 | avg karma 0.0 · | 2018-10-10 10:15:01+00:00

In my previous job, which was security-related, we had to deal with people forgetting their 2FA credentials (and many, many people forgot their credentials, even staff members). The way we did it was thus:

If you had enabled 2FA, it could be disabled/reset by calling support and adequately proving you were the owner of the account. This had to be this way, because, as I said, everyone forgot their 2FA credentials ("my phone fell in the sea and the backup codes were on it").

We also had another checkbox that said "Never, under any circumstances, reset my account. I have stored my backup codes somewhere secure that is not my phone. I understand that, if I lose access, I lose the account."

If the user checked that, then the password/2FA reset system for the admins got disabled for their account. If they lost their 2FA, nobody short of DBAs could reset their account (and DBAs knew not to).

Additionally, we had a screen where you could print a long, random, one-use key that would reset your account. It would come with a nice QR code so you could physically print it on a piece of paper and store it somewhere, and scan it if you ever forgot your 2FA/password, and it would let you access your account.

I should probably write an article about this...

reply