I noticed that Amazon’s password reset relies on a 6 digit numeric PIN. Doesn’t this reduce every user’s account to a 1 in 10^5~ chance of being accessed through brute force guess factoring in a few retries (requesting OTP resend)?
It seems that they put a captcha ahead of this and probably have some timeout where the OTP expires or unspecified limit when too many attempts will lock the account from further retries. But nevertheless this doesn’t seem like a very good idea to me. I think Google Apps uses 8 characters with multiple character sets (lowercase, uppercase, numeric, symbol), which seems like how I would implement something like this.
What are good best practices for implementing a similar password reset mechanism with 6 digit numeric PIN on my own web app? Or is this a bad idea?