thoughts on password recovery
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: thoughts on password recovery

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    thoughts on password recovery

    i'm in the process of designing a webapp with a login with password section. i want to have a password retrieval option for user who have lost/forgotten...

    so...what y'all think is the best, least insecure way to go about this...

    1) answer "hint question" and display pwd in browser or secure browser

    2) enter sign up email and auto email pwd...

    3) ????

    i know that these both have risks....but given users are going to forget...i have to deal with it...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    227
    I dont think answering hint question is good thing because many people has their questions like - What is my name or something like this so for everyone would be easy to got to their account. And people who dont have so stupid question sometimes forgot the answers (I do it really often - I give there so hard question that later I'm not sure what is the correct answer) Email - this is also not without any problems but IMO better than question. And because I have no other idea how to do that I think you should use email...

    Have a nice day, sun7dots
    http://promote.opera.com/small/opera94x15.gif

    [gloworange]Sun7dots[/gloworange]

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    410

    Re: thoughts on password recovery

    Originally posted here by zigar
    i'm in the process of designing a webapp with a login with password section. i want to have a password retrieval option for user who have lost/forgotten...

    so...what y'all think is the best, least insecure way to go about this...

    1) answer "hint question" and display pwd in browser or secure browser

    2) enter sign up email and auto email pwd...

    3) ????

    i know that these both have risks....but given users are going to forget...i have to deal with it...
    Hard question to answer.

    I think perhaps #1, with https
    savIRC :: The Multi-Platform IRC Client v. 1.8 [Released 9.04.02]

  4. #4
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    require them to use pgp. Then, when they sign up, they give you their public key. When they need their password, you send it to them encrypted, so even if someone does fool the system into sending out another users password, they still need the users private key to get it.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    email them anew strong password. Yeah, and using PGP is a good thing. But it shouldn't be a requirement.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    pgp would be great...except most of my users are not what you'd call tech savvy....and 30% of my users are from aol...pgp???....huh???...is that my new screen name???....pretty good popcorn???...i typed pgp in the password box and it didn't work....???

    i expect i'll use the email new pwd option....i'll send them a good one...so they can know what a good one is before they log in and change it to "bob"...or "mypassword"
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  7. #7
    or may be the both, first answer "hint question" and if they answer right then send the password ( WITHOUT THE USER ID) to the mail. Also you should tell the users to not submit fake mail.

  8. #8
    Senior Member
    Join Date
    Mar 2002
    Posts
    425
    One other suggestion...

    Limit the choices they have for their hint questions. Pick 5-10 good questions that are a little more secure than "What's my name" and then make them pick one of those and answer it. Then when they come back, all they have to do is once again pick the question and supply the correct answer. This makes it slightly harder for people trying to break the system because they have to guess which question the person picked as well as the correct answer.

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    204
    DNA analysis, can't fake or hack that one. Have them mail you a tube of their blood, everyone knows how to give blood it is easy just slice wrist lay back in tub.......
    Beware the quiet ones...

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    Force them to use their social security number has hint answer

    Log that in a database for further use!

    Nah joking... I think Unleashed has the soundest idea so far...

    How many users do you think you will have? Is manual password recovery a possibility?

    Phonecall directly to you would be the best choice if you have time and will to do it...
    [shadow]Scorp666, the Infamous Orgasmatron[/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •