Insufficient password recovery occurs when the process for recovering or resetting an account's password enables an attacker to obtain, change, or recover another user's password, or to gain unauthorized access to another user's account. A website is considered to have Insufficient Password Recovery when an attacker is able to defeat the recovery mechanism in use. This can happen because the recovery secrets (such as security-question answers or reset codes) are easy for an attacker to guess or research, because the mechanism can be brute forced, or because business logic flaws allow an attacker to bypass security controls in the recovery process.
Conventional website authentication methods require users to select and remember a password or passphrase. The user should be the only person who knows the password, and it must be remembered precisely. However, as time passes, a user's ability to remember a password fades. The matter is further complicated when the average user visits many sites that each require a different password. Thus, secure password recovery is an important part of serving online users.
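As an added illustration, not part of the glossary entry, the following hypothetical Python reset-token service shows how the three failure causes above are addressed on the server side: the token comes from the OS random generator rather than a guessable value, failed attempts are capped so the token cannot be brute forced, and the token expires and is single use so it cannot be replayed. The class name, storage layout and limits are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed: reset links stop working after 15 minutes
MAX_FAILED_ATTEMPTS = 5       # assumed: lock the pending reset after 5 bad guesses


class ResetService:
    """Hypothetical password-reset token store (constructed example).
    Only a hash of each token is kept, so a leaked table does not hand out
    live recovery secrets."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # user -> (sha256(token), expires_at)
        self._failures = {}      # user -> failed verification count

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # 32 bytes from the CSPRNG: not guessable, unlike a short PIN or a timestamp
        token = secrets.token_urlsafe(32)
        self._pending[user] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        self._failures[user] = 0
        return token             # delivered out of band (e.g. e-mail), never in the HTTP reply

    def redeem(self, user, token):
        entry = self._pending.get(user)
        if entry is None:
            return False         # nothing pending: no oracle about whether the user exists
        if self._failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            self._pending.pop(user, None)   # too many guesses: invalidate the reset entirely
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            self._pending.pop(user, None)   # expired tokens are discarded, not honoured
            return False
        if not hmac.compare_digest(self._digest(token), token_hash):
            self._failures[user] += 1       # count the failure; constant-time compare above
            return False
        self._pending.pop(user, None)       # single use: a captured link cannot be replayed
        return True
```

Locking the pending reset after repeated failures also means an attacker can force a victim to request a fresh token; that is the intended trade-off, since it only delays the legitimate user rather than exposing the account.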