Users often forget their passwords, so applications often must have a password reset mechanism. There are several options for how to do it; some of them are good, most of them not so good. Generate a password and send it in an email? No. Security questions? No way. Reset passwords via a phone call? Rather not. This talk presents some really creative examples of botched password reset implementations, as well as a proven method for resetting passwords securely.
Michal, aka spazef0rze, is an application security engineer who's on a mission to show developers how & why to write secure code, and is the discoverer of the PHP "md5(QNKCDZO)" bug. Michal is currently employed at Apiary.io, and has previously worked for Skype and Slevomat.cz.