I wanted to share this article about websites/applications’ password reset process by Troy Hunt. It has a ton of information and examples of how to securely store passwords (with encryption and 1-way hashing), what username enumeration is, what a persistent password is, the purpose of CAPTCHAs, secret questions, etc.
On Username Enumeration
Always respond to the user with a generic “Your username and password combination is invalid” message rather than explicitly confirming that an identity exists (for example, a message saying the username was correct but the password was wrong).
Two Reasons Why a Password “Reminder” Email is a Bad Idea
- Unencrypted mail is an extremely insecure channel.
- You shouldn’t have access to the password anyway.
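To make both points concrete (the uniform login message that avoids username enumeration, and a reset flow that never needs the password because only a one-way hash is stored), here is an added example written for this post; it is not code from Troy Hunt's article. It uses an in-memory store and PBKDF2 as the hashing function; the record layout, iteration count, token lifetime and message strings are all assumptions, and the "database" is constructed inline.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory store (an assumption for this example): username -> record.
USERS = {}
# sha256(reset token) -> {"username": ..., "expires": ...}; the raw token is never stored.
RESET_TOKENS = {}

PBKDF2_ITERATIONS = 600_000          # assumed work factor; tune for your hardware
RESET_TOKEN_TTL_SECONDS = 15 * 60     # assumed token lifetime

# One message for every failure, so the response does not reveal whether the
# username exists (the enumeration point above).
GENERIC_LOGIN_ERROR = "Your username and password combination is invalid"
# Same message whether or not the email is registered.
GENERIC_RESET_MESSAGE = "If that account exists, a password reset link has been sent"


def _hash_password(password, salt):
    # One-way, salted, slow hash: the plaintext password is never kept anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username, email, password):
    salt = os.urandom(16)
    USERS[username] = {"email": email, "salt": salt, "hash": _hash_password(password, salt)}


# Fixed salt used only so that a login attempt against a non-existent user still
# does one PBKDF2 computation; otherwise the faster response would leak existence.
_DUMMY_SALT = os.urandom(16)


def login(username, password):
    """Returns (success, message). Failure messages are identical in every case."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)  # burn the same work, discard the result
        return False, GENERIC_LOGIN_ERROR
    candidate = _hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        return True, "ok"
    return False, GENERIC_LOGIN_ERROR


def request_password_reset(email, now=None):
    """Returns (message shown to the requester, token that would be emailed or None).

    The message is the same either way; the token goes out only by email, and the
    server keeps just its hash, so a leaked table cannot be used to reset accounts.
    """
    now = time.time() if now is None else now
    for username, record in USERS.items():
        if hmac.compare_digest(record["email"].lower().encode(), email.lower().encode()):
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            RESET_TOKENS[key] = {"username": username, "expires": now + RESET_TOKEN_TTL_SECONDS}
            return GENERIC_RESET_MESSAGE, token
    return GENERIC_RESET_MESSAGE, None


def complete_password_reset(token, new_password, now=None):
    """Consumes a single-use, time-limited token and sets a new password hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop: a token can only be used once
    if entry is None or entry["expires"] < now:
        return False
    record = USERS[entry["username"]]
    record["salt"] = os.urandom(16)      # fresh salt with the new password
    record["hash"] = _hash_password(new_password, record["salt"])
    return True


if __name__ == "__main__":
    register("alice", "alice@example.com", "correct horse battery staple")
    print(login("alice", "wrong"))    # (False, generic message)
    print(login("nobody", "wrong"))   # same message, same cost
    msg, tok = request_password_reset("alice@example.com")
    print(msg, complete_password_reset(tok, "new passphrase"))
```

The two details worth copying are the dummy hash on the unknown-user path, which keeps response time roughly constant, and storing only the hash of the reset token with an expiry, which is what lets the site send a reset link instead of a "reminder" it could never produce from a properly hashed password.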
I just thought this post (and graphic below) was really detailed and informative and wanted to be able to reference it in the future and/or share it with others!