The Problem with Every Implementation of a "Forgot Your Password?" Feature - Anon84
http://www.25hoursaday.com/weblog/2008/09/19/TheProblemWithEveryImplementationOfAForgotYourPasswordFeatureIveSeenOnline.aspx
======
wallflower
Bruce Schneier came up with a solution for the weak link of security
questions. Read it and update your answers for your web accounts.

[http://www.schneier.com/blog/archives/2005/02/the_curse_of_t...](http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html)

~~~
mleonhard
But his "solution" is to stop using security questions and passwords. That
doesn't sound like much of a solution to me.

~~~
albertcardona
Bruce mentions: "Passwords have reached the end of their useful life. Today,
they only work for low-security applications. The secret question is just one
manifestation of that fact."

I guess he means we all ought to be using encrypted key pairs and the like
instead, or some other system not involving anything as guessable as a text
word.

------
felideon
This has always been pretty evident to me ever since I opened a Hotmail
account 10 years ago. I always pick either questions only I really know the
answer to or choose answers that are slightly misleading.

The only downfall is that sometimes I forget the answers, but I eventually get
them right. :)

~~~
qwph
I pick an arbitrary question, and treat the answer like a second password.

e.g.: what is your pet's name? qw9er8rty

~~~
OneSeventeen
I read a tip, I don't remember where anymore sadly, about taking a key word
from the question, adding some password-like string to it and calling that
your answer.

So: "What is your pet's name?" n0tm4hp4s5w3rd-pets-name and: "What street did
you grow up on?" n0tm4hp4s5w3rd-street

You still have to remember an arbitrary string, it is SLIGHTLY more accessible
than mashing randomly, and certainly more secure than putting the real answer.

------
boredguy8
There's an easy solution: "Your password reset information has been sent to
the e-mail account used to register the account. Follow the instructions in
the e-mail to restore access."

~~~
nuclear_eclipse
What if that site is hosting your first and only email account?

~~~
boredguy8
At some point users are responsible for their password info. If it's their
only e-mail account, hopefully they use it regularly enough that they don't
forget.

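The e-mail-based reset described above still has to be built carefully on the server side. As an added example that is not from the thread or the linked article, here is a hypothetical Python token store; it assumes a 15-minute link lifetime and a constructed e-mail-to-user table, replies identically for known and unknown addresses, stores only a digest of each token, and makes every token single-use and expiring.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: links expire after 15 minutes
NEUTRAL_REPLY = ("Your password reset information has been sent to the e-mail "
                 "account used to register the account.")


class ResetTokenStore:
    """Hypothetical e-mail reset flow: random single-use tokens with an expiry.

    Only the SHA-256 digest of each token is kept server-side, so a leaked
    table does not yield working reset links; the raw token exists only in
    the e-mail sent to the user.
    """
    def __init__(self, accounts, clock=time.time):
        self._accounts = accounts   # email -> user_id (constructed sample data)
        self._clock = clock
        self._pending = {}          # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Handle the 'Forgot your password?' form; returns (message, token).

        The message is the same whether or not the address is registered, so
        the form cannot be used to enumerate accounts. The token is None for
        unknown addresses and otherwise belongs in the e-mailed link only,
        never in the HTTP response.
        """
        user_id = self._accounts.get(email.strip().lower())
        if user_id is None:
            return NEUTRAL_REPLY, None
        # Any earlier link for this user stops working once a new one is issued.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        self._pending[self._digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return NEUTRAL_REPLY, token

    def redeem(self, token):
        """Consume a token from a clicked link; return the user_id or None."""
        entry = self._pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        user_id, expires_at = entry
        return None if self._clock() > expires_at else user_id
```

Rate limiting of reset requests per address and per client is left out here and belongs in front of this store in a real deployment.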
------
ComputerGuru
Password Reset is one of the best reasons to embrace OpenID. While there are
many lesser reasons and even some _against_ using it, the weakness of password
resets (as demonstrated in the Palin email crack) screams for the adoption of
some sort of decentralized, user-in-control authentication mechanism. When you
only have one password and you use it everywhere, you have no reason
whatsoever to lose it, and therefore no reason to need a silly password reset
feature.

~~~
woodsier
By the same token, if your password were to ever get in the wrong hands, you'd
be pretty much fucked, no?

Keyloggers, seeing the password written down somewhere visible, or even having
someone convince you to tell them the password (social hacking) are all very
simple ways to get access to someone's account. These are all pretty
stock-standard ways to get a standard web user's password.

It's kind of like moving all your money from different dodgy international
banks to one bank, and then having that bank robbed.

------
streety
This isn't exactly 'The problem' but it certainly is 'A major problem'. I was
expecting 'The problem' to be password resets being sent to email accounts.

We're always going to have to compromise between security and convenience.
Someone in the public eye should probably have been well over towards security
already. It will be interesting over the next few years to see how big an
effect this has on the average member of the public.

~~~
babyshake
This is actually a really, really big problem if you talk to most internet
users. Account recovery ranks as one of the bigger pain points, because most
people aren't used to quickly switching between tabs, copying and pasting,
etc.

I have a feeling that we've yet to see the best practices for account recovery
emerge.