
People say the weakest link is the user in passwords, and that's often true. But for more security conscious users the weakest link is the helpdesk. It may not even be where you expect. Plenty of people have been hacked because the hacker called the support line for their registrar, hosting, email provider, or ISP and got a password changed without any form of hard verification.

It can be extremely frustrating to do everything right and then have your knees cut off by some script reader in a cube farm somewhere.

Also, if you do email verification for accounts, whenever someone changes their email send one to the old account saying "Hey, this is being changed, are you OK with it?" and if they say no, revert the email and reset the password on the spot.
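One way to build the old-address objection flow the comment describes, as an added Python example (not the commenter's code, and not any particular site's implementation): the change takes effect immediately, but only the old address receives a single-use objection token; if that link is used within the window, the address is reverted, every session is dropped and a password reset is forced. The class and function names, the 72-hour window and the in-memory "outbox" standing in for a mail transport are all assumptions.

```python
"""Email-change notice with an "undo from the old address" path.

Added example, not from the comment above; names, window and mail stand-in
are assumptions. The objection token is stored only as a hash so a database
leak does not let anyone replay it; a constant-time compare avoids leaking it
byte by byte.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

REJECT_WINDOW_SECONDS = 72 * 3600  # assumption: old address may object for 3 days


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: str
    sessions: set = field(default_factory=set)
    previous_email: Optional[str] = None
    reject_token_hash: Optional[str] = None
    reject_deadline: float = 0.0
    must_reset_password: bool = False


class AccountService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.outbox = []  # constructed stand-in for sending mail

    def change_email(self, acct: Account, new_email: str) -> None:
        """Apply the change, but keep a way back that only the OLD address holds."""
        token = secrets.token_urlsafe(32)
        acct.previous_email = acct.email
        acct.reject_token_hash = _hash(token)
        acct.reject_deadline = self.clock() + REJECT_WINDOW_SECONDS
        acct.email = new_email
        # The objection link goes to the old address only; the new address
        # gets a plain notice without a token.
        self.outbox.append({"to": acct.previous_email,
                            "subject": "Your email is being changed - was this you?",
                            "token": token})
        self.outbox.append({"to": new_email, "subject": "Email updated", "token": None})

    def reject_change(self, acct: Account, token: str) -> bool:
        """Handler for the link in the old-address mail. True if reverted."""
        if acct.reject_token_hash is None or self.clock() > acct.reject_deadline:
            return False
        if not hmac.compare_digest(_hash(token), acct.reject_token_hash):
            return False
        # Revert the address and treat the account as compromised:
        # drop every session and require a new password before next login.
        acct.email = acct.previous_email
        acct.previous_email = None
        acct.reject_token_hash = None  # single use: a replay finds nothing
        acct.sessions.clear()
        acct.password_hash = ""
        acct.must_reset_password = True
        return True


def demo() -> dict:
    """Constructed walk-through: an unwanted change, then the owner objects."""
    svc = AccountService()
    acct = Account(email="owner@example.com", password_hash=_hash("hunter2"),
                   sessions={"stale-session"})
    svc.change_email(acct, "other@example.net")
    objection = next(m for m in svc.outbox if m["to"] == "owner@example.com")
    wrong = svc.reject_change(acct, "not-the-token")
    reverted = svc.reject_change(acct, objection["token"])
    replay = svc.reject_change(acct, objection["token"])
    return {"wrong_token_rejected": not wrong, "reverted": reverted,
            "replay_rejected": not replay, "email": acct.email,
            "sessions_cleared": not acct.sessions,
            "must_reset": acct.must_reset_password}


if __name__ == "__main__":
    print(demo())
```

The point of sending the token only to the old address is that whoever just changed the email (possibly through a helpdesk) never sees it, so the objection path cannot be short-circuited from the new address. Dropping sessions and forcing a reset on objection is what "reset the password on the spot" amounts to in code.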
