The process by which a user can reset their account password seems open to potential abuse. As it stands, a user resets their password as follows:
-
Click "Forgot my password" on the login page
-
Enter username and click continue
-
The user is prompted to enter the answer to their security question.
-
If correctly answered, the user is then asked to reset their password from this same scree
-
If incorrectly answered, the user can continue trying until they enter the correct one. There does not appear to be any limit on incorrect attempts.
This causes concern because users' security questions are not generally as complex as their password. In this current process, any potential wrong-doer need only know the structure used for an organisation's usernames and to take a lucky guess at their security question to gain full access to their account.
What we would like to see, is a process similar to the following:
-
Click "Forgot my password" on the login page
-
Enter username and click continue
-
The user is prompted to enter the answer to their security question.
-
If correctly answered, a password reset link is emailed to the user's registered email address
-
If incorrectly answered three times in a row, the account is locked out and an email is sent to the user's registered email address.
