[ocdtrekkie]

Charging $100 is pretty punitive, but I've often wondered why more online services sensitive to attack don't use token credit card charges as a way to limit account duplication, increase complexity in a malicious operation, etc.

Stealing credit cards is cheap, yes, but the additional cost to using such a card on a password reset would still be a deterrent.

[quanticle]

The problem with charging people for password resets is that by making the process of resetting a password more expensive, you've now encouraged people to reuse passwords. People know when they sign up for your service that resetting a password is going to be expensive, so they'll use a password that they're sure not to forget, i.e. the password they use for everything else.

I would posit that even with this social engineering exploit, Google's two-factor SMS authentication is still more secure than charging people for password recoveries (and thus encouraging password reuse).

[_delirium]

I seem to recall there were some services that charged a one-time small fee in the late-90s / early-2000s basically for that reason. But in the past 10 years most seem to have moved to requiring a mobile phone number as the hurdle instead. The idea is that it has some of the same deterrent effect for bad actors, since coming up with a steady stream of unused mobile numbers costs a nonzero amount, but produces less sign-up friction for legitimate users.

[bredman]

IMO it's not that bad, people are used to paying locksmiths that much when locked out of houses or vehicles.

[kbar13]

that doesn't mean it's a good thing

[Alex3917]

> Charging $100 is pretty punitive

Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager. You could even make it free for the first few hours after the account is created or the password is changed in case the user pastes it into their password manager incorrectly.

[copperx]

And how many "normal" people do you know that use a password manager? It's 0 for me. They don't even use post-it notes, which would be an improvement over "I'll just try to remember the password, and if I can't, I'll ask someone to help me ".

[lgas]

Assuming the "someone" is the forgot password feature and not a person, this seems like a sound approach. It's basically using the site itself as a slightly clunky password manager.

[EpicEng]

>Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager

Oh, so in other words; a tiny fraction of the internet using public?