Insufficient Password Recovery

Insufficient Password Recovery occurs when a website permits an attacker to illegally obtain, change, or recover another user's password. In these cases, the information required to validate a user’s identity for password recovery is either easily guessed or can be circumvented. Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses, or easily guessed secret questions.

Conventional website authentication methods require users to select and remember a password or passphrase. The user should be the only person who knows the password and it must be remembered precisely. However, as time passes, a user's ability to remember a password fades. The matter is further complicated when the average user visits many sites requiring different passwords. Thus, secure password recovery is an important part in servicing online users.