Weak password recovery validation refers to the case where an application permits an attacker to illegally obtain, change, or recover another user’s password. A website is considered to have insufficient password recovery validation when the information required to verify a user’s identity for password recovery is either easily guessed or can be circumvented. When password recovery systems are weak, they can be compromised through brute force attacks, inherent system weaknesses, or easily guessed (or easily phished) secret questions.
As an example, many websites only require the user to provide their email address in combination with their home address and telephone number. This information can be easily obtained from any number of sources, so the verification data is not really secret. Further, the same information can be compromised via other methods, such as cross-site scripting and phishing scams.
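To make the contrast concrete, the following is an added example (not code from the original page) showing the weak check described above, which relies on look-up-able personal data, next to a hardened recovery flow that validates a random, single-use, time-limited reset token with an attempt limit. The `USERS` record, the function names and the TTL/attempt values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user record for the example (not real data).
USERS = {
    "alice@example.com": {"home_address": "1 Main St", "phone": "555-0100"},
}

def weak_recovery_check(email, home_address, phone):
    """Weak validation: the 'secrets' are facts anyone can look up or phish."""
    u = USERS.get(email)
    return bool(u) and u["home_address"] == home_address and u["phone"] == phone

# Hardened flow: a random token delivered out of band; only its hash is stored.
TOKEN_TTL = 15 * 60   # seconds the token remains valid (assumed value)
MAX_ATTEMPTS = 5      # wrong guesses before the token is invalidated (assumed)
_pending = {}         # email -> {"hash", "expires", "attempts"}

def issue_reset_token(email, now=None):
    """Create a token to send to the user; keep only its SHA-256 server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not brute-forceable
    _pending[email] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL,
        "attempts": 0,
    }
    return token

def verify_reset_token(email, token, now=None):
    """Single-use, time-limited, attempt-limited, constant-time comparison."""
    now = time.time() if now is None else now
    rec = _pending.get(email)
    if rec is None or now > rec["expires"]:
        _pending.pop(email, None)      # expired or unknown: discard
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        _pending.pop(email, None)      # too many guesses: invalidate token
        return False
    ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["hash"])
    if ok:
        _pending.pop(email, None)      # consume the token on first success
    return ok
```

The `now` parameter exists only so the expiry and lockout paths can be exercised deterministically; in production the wall clock is used.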