27 May
2015
27 May
'15
1:16 a.m.
On 05/26/2015 08:44 AM, Owen DeLong wrote:
I think opt-out of password recovery choices on a line-item basis is not a bad concept.
For example, I’d want to opt out of recovery with account creation date. If anyone knows the date my gmail account was created, they most certainly aren’t me.
OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn’t want to opt out of that.
(( many more snipped ))
I would definitely opt-out from any kind of "secret questions" that I couldn't type by myself. Many many sites still think this is a good idea. Best regards.