From 3c0a8b4cad8e56b77543cc788f22ca162b21255b Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 25 Feb 2019 14:13:53 +0200 Subject: Add: Yuck requirements for password reset, temporary account locks --- yuck.mdwn | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/yuck.mdwn b/yuck.mdwn index 135c6ce..08bf0ad 100644 --- a/yuck.mdwn +++ b/yuck.mdwn @@ -163,6 +163,13 @@ reference in discussions. * (PRIVACYSTORE) Yuck MUST NOT store personal information it does not need. * (PRIVACYLEAK) Yuck MUST NOT leak personal information. +* (PWRESET) Yuck MUST support the user resetting their password, + securely. +* (TEMPLOCK) Yuck MUST support locking an account temporarily, if it + is the target of too many failures. This is to avoid an attacker + from brute-forcing a password by trying many times. +* (TEMPLOCKNOTIFY) Yuck MUST notify an account owner of temporary + locking, out of band. # Architecture: the ecosystem -- cgit v1.2.1
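Review bot: In the added TEMPLOCK item, "too many failures" does not say which failures count (presumably failed authentication attempts), over what period they are counted, or how long the lock lasts, so the requirement cannot be tested as written. A lock triggered by failures alone also lets a third party lock an owner out of their account on purpose; the requirement should say how the lock is bounded or lifted, with TEMPLOCKNOTIFY covering only the notification side. The same testability problem applies to PWRESET: "securely" needs to be replaced by, or point to, the properties the reset must have, such as how the requester is verified. In TEMPLOCKNOTIFY, say what "out of band" means here, that is, a channel other than the login attempt that triggered the lock. Wording: "This is to avoid an attacker from brute-forcing" should read "This is to prevent an attacker from brute-forcing".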