Hello, welcome to the Tuesday, October 4th, 2016 edition of the Sandtonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Honolulu, Hawaii.

Just wrote up a quick diary with some ideas that I keep kicking around regarding password resets. Password reset is really one of those difficult questions.

A lot of sites are struggling with really finding the right trade-off

between making it not too inconvenient to the user, not too expensive to the website,

and overall just work for the user.

Now the idea that I've seen implemented a couple times, it's not my idea, but I think it's a pretty good thing.

I don't hear a lot of talk about it is what I call password buddies, essentially where you designate family members, colleagues, maybe you're a boss in sort of a corporate environment

that will have to approve your password reset.

So you're not giving them your password.

What you do is you go through the password reset as before pretty much, but then your account is locked.

And now your boss or colleague, family member, I call them password buddies, then has to

unlock your account.

I think it works pretty well because these are usually people that know you well, so they'll

have much easier time authenticating you.

Maybe you can walk over to them and do it in person than,

for example, an anonymous help desk. Big help desk and using them for password resets

almost never works well because in the end this really comes down to them asking you a couple

questions, essentially password reset questions,

and they tend to be social engineerable because they don't really know you,

so they have to essentially the exact same thing that you could do with the website itself.

Let me know what you think and if you have any suggestions on what else to do, just leave a comment please.

And in the latest version of iOS, Apple, implement a new feature where if you send a URL to a user,

...