New here, but not to the QA world. I've got a question, and I ran a search and it came up with nothing so here goes:
I work for a software company which provides a secure web based (SQL) applications suite. Currently if the end users lose or forget their password, the client-end administrator has to reset it for them (this is based on a privilege level matrix).
We are looking at a system of password retrieval for the end users either via email or on the UI itself.
Is there an industry standard for password retrieval on secure websites?
No industry standards, but typical ways of handling this are:
1. Reset password and send a confirmation code or the new password to the user via their registered email account. This is typical both for new accounts and for resets. Disadvantage, obviously, is that email tends not to be secure.
2. From the UI, make the user answer some questions that only they would know (favorite pet's name, mother's cousin's nephew's name - wait, that could be you - never mind), then allow them to reset the password to whatever they want.
Your approach would vary depending on whether the site is public or intranet.
Best bet would be to consult your internal information / data security folks for best approach.
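The confirmation code in option 1 is normally implemented as a one-time, short-lived reset token that is sent by e-mail while only its hash is kept server-side. The following is an added example, not code from this thread; the user ids, the 15-minute lifetime and the failed-attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed policy values (hypothetical, not from the thread)
TOKEN_TTL_SECONDS = 15 * 60
MAX_FAILED_ATTEMPTS = 5


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetStore:
    """Pending reset tokens keyed by user id. Only the SHA-256 of each token
    is stored, so a read of this table (or a database backup) does not yield
    a usable reset link."""

    def __init__(self):
        self._pending = {}  # user_id -> [token_hash, expires_at, failures]

    def issue_token(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # A new request replaces any earlier outstanding token for this user.
        self._pending[user_id] = [_digest(token), now + TOKEN_TTL_SECONDS, 0]
        return token  # this value goes into the e-mailed link, never the hash

    def redeem(self, user_id: str, token: str, now: Optional[float] = None) -> bool:
        """True exactly once: right token, before expiry, within the attempt limit."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at, failures = entry
        if now > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(token_hash, _digest(token)):
            entry[2] = failures + 1
            if entry[2] >= MAX_FAILED_ATTEMPTS:
                del self._pending[user_id]  # user must request a fresh link
            return False
        del self._pending[user_id]  # single use: consumed on success
        return True
```

Wherever the new password is then set, the same hashing and privilege rules used for an administrator reset should apply.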