Purplecon 2019 moss, choose your own adventure: password reset, https://purplecon.nz/talks#moss, https://www.youtube.com/watch?v=-gpfKW_8EJw&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=5
you build or are part of a team that has a thing on the web that does stuff for people. and those people would appreciate it if other people couldn't pretend to be them on your website doing their secret squirrel stuff. so, you decide to have people log in with a password. it'd be mighty nice of you to give people a way to recover their accounts when they misplace their passwords. password reset flows are a choose your own adventure where the players just want to be able to secret squirrel again, and if you're in charge of one let's learn about some game overs everyone would like to avoid.
- Lifecycle of password reset, from the perspective of the reset token, might reveal new ways to think
- To understand the lifecycle: expiry, multiple outstanding requests for the same account (the newest should supersede the rest), reuse of a token (especially by a corporate email gateway that visits every link in a message before the user does, so merely loading the link must not consume the token; only the submitted password change should), and the success and failure states.
- But don't let attackers discover your PRNG seed: generate tokens from a CSPRNG (the OS random source), because a seeded userland PRNG lets anyone who recovers or guesses the seed predict every token you issue.
- May be a good place to use a state machine :-)
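A token-centric reset flow written as a small state machine, covering the points in the notes above (expiry, superseding earlier requests, a link pre-fetch that must not burn the token, single use, CSPRNG generation). This is an added example, not code from the talk; the 15-minute TTL, the in-memory stores, the state names and the `PasswordResetFlow` API are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional

# Assumed TTL for a reset link; pick what suits your users (not from the talk).
TOKEN_TTL_SECONDS = 15 * 60


class TokenState(Enum):
    ISSUED = "issued"          # live; the only state in which a reset may complete
    SUPERSEDED = "superseded"  # a newer token was issued for the same account
    EXPIRED = "expired"        # TTL ran out before it was used
    CONSUMED = "consumed"      # password was changed with it; never valid again


@dataclass
class ResetToken:
    user_id: str
    issued_at: float
    state: TokenState = TokenState.ISSUED


class PasswordResetFlow:
    """Hypothetical reset flow: only the SHA-256 of each token is stored, so a
    leaked database table cannot be replayed as reset links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.tokens: Dict[str, ResetToken] = {}   # token hash -> record
        self.current: Dict[str, str] = {}         # user_id -> hash of latest token
        self.passwords: Dict[str, str] = {}       # stand-in for the real credential store

    @staticmethod
    def _digest(token: str) -> str:
        # Lookup by digest: an attacker probing the lookup learns at most timing
        # on the hash value, which preimage resistance makes useless.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id: str) -> str:
        """Issue a new token for the account, superseding any live earlier one."""
        previous = self.current.get(user_id)
        if previous is not None and self.tokens[previous].state is TokenState.ISSUED:
            self.tokens[previous].state = TokenState.SUPERSEDED
        token = secrets.token_urlsafe(32)  # CSPRNG, 256 bits; never random.random()
        digest = self._digest(token)
        self.tokens[digest] = ResetToken(user_id=user_id, issued_at=self.clock())
        self.current[user_id] = digest
        return token  # goes into the emailed link; the plaintext is never stored

    def _lookup(self, token: str) -> Optional[ResetToken]:
        rec = self.tokens.get(self._digest(token))
        if rec is None:
            return None
        if rec.state is TokenState.ISSUED and self.clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            rec.state = TokenState.EXPIRED  # lazily transition on first sight
        return rec

    def state_of(self, token: str) -> Optional[TokenState]:
        rec = self._lookup(token)
        return None if rec is None else rec.state

    def preview(self, token: str) -> bool:
        """GET handler for the emailed link. Read-only: it shows the form if the
        token is live but does NOT consume it, so a mail gateway that pre-fetches
        every link leaves the token usable for the real user."""
        rec = self._lookup(token)
        return rec is not None and rec.state is TokenState.ISSUED

    def complete(self, token: str, new_password: str) -> bool:
        """POST handler: the only transition that changes the password, and the
        only one that consumes the token. Every non-ISSUED state fails the same way."""
        rec = self._lookup(token)
        if rec is None or rec.state is not TokenState.ISSUED:
            return False
        rec.state = TokenState.CONSUMED
        # Real code: store a password hash (argon2/bcrypt) and revoke existing sessions.
        self.passwords[rec.user_id] = new_password
        return True
```

The failure path is deliberately uniform: an unknown token, a superseded one, an expired one and an already-consumed one all return the same `False`, so the response does not tell a caller which of those it hit. Hashing before lookup means the token table is worthless to someone who reads it after the fact, and the lazy expiry check in `_lookup` keeps the TTL enforced even if no background job ever runs.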