-
April 9th, 2002, 07:34 PM
#1
thoughts on password recovery
i'm in the process of designing a webapp with a login with password section. i want to have a password retrieval option for users who have lost/forgotten...
so...what y'all think is the best, least insecure way to go about this...
1) answer "hint question" and display pwd in browser or secure browser
2) enter sign up email and auto email pwd...
3) ????
i know that these both have risks....but given users are going to forget...i have to deal with it...
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
April 9th, 2002, 07:49 PM
#2
I don't think answering a hint question is a good thing because many people have questions like "What is my name" or something like this, so for everyone it would be easy to get into their account. And people who don't have such a stupid question sometimes forget the answers (I do it really often - I give such a hard question that later I'm not sure what the correct answer is). Email - this is also not without any problems but IMO better than the question. And because I have no other idea how to do that, I think you should use email...
Have a nice day, sun7dots
-
April 9th, 2002, 07:54 PM
#3
Re: thoughts on password recovery
Originally posted here by zigar
i'm in the process of designing a webapp with a login with password section. i want to have a password retrieval option for users who have lost/forgotten...
so...what y'all think is the best, least insecure way to go about this...
1) answer "hint question" and display pwd in browser or secure browser
2) enter sign up email and auto email pwd...
3) ????
i know that these both have risks....but given users are going to forget...i have to deal with it...
Hard question to answer.
I think perhaps #1, with https
-
April 9th, 2002, 08:31 PM
#4
Require them to use PGP. Then, when they sign up, they give you their public key. When they need their password, you send it to them encrypted, so even if someone does fool the system into sending out another user's password, they still need the user's private key to get it.
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
April 9th, 2002, 08:52 PM
#5
Email them a new strong password. Yeah, and using PGP is a good thing. But it shouldn't be a requirement.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
April 9th, 2002, 10:32 PM
#6
pgp would be great...except most of my users are not what you'd call tech savvy....and 30% of my users are from aol...pgp???....huh???...is that my new screen name???....pretty good popcorn???...i typed pgp in the password box and it didn't work....???
i expect i'll use the email new pwd option....i'll send them a good one...so they can know what a good one is before they log in and change it to "bob"...or "mypassword"
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
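The "email them a new strong password" option that #5 and #6 settle on, written out as an added example (this is not code from the thread or from zigar's app). It assumes an in-memory user table standing in for the database, a one-hour validity window for the mailed password, and a caller-supplied send_email function; the app never stores the plaintext password, only a salted PBKDF2 hash, the temporary password can only be used to log in and change the password, the reset request answers the same way for unknown usernames, and, as #7 asks, the mail carries the password but not the user id.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

# Constructed in-memory user store standing in for the app's database (assumption).
# Each record: sign-up email, salt, salted password hash, a must-change flag and
# the expiry time of an emailed temporary password.
USERS = {}

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
TEMP_PASSWORD_TTL = 60 * 60  # temporary password valid for one hour (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "email": email,
        "salt": salt,
        "hash": hash_password(password, salt),
        "must_change": False,
        "expires": None,
    }


def generate_temp_password(length: int = 16) -> str:
    """Cryptographically random temporary password (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def request_reset(username: str, send_email, now=None) -> bool:
    """Replace the user's password with a random temporary one and hand it to
    send_email(address, password). Returns True whether or not the user exists,
    so the response does not reveal which usernames are registered."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return True
    temp = generate_temp_password()
    salt = os.urandom(16)
    user["salt"] = salt
    user["hash"] = hash_password(temp, salt)      # old password stops working
    user["must_change"] = True
    user["expires"] = now + TEMP_PASSWORD_TTL
    send_email(user["email"], temp)               # password only, no user id in the mail
    return True


def login(username: str, password: str, now=None) -> str:
    """Returns 'ok', 'must_change' (temporary password accepted; force a change
    before anything else) or 'denied'."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return "denied"
    if user["expires"] is not None and now > user["expires"]:
        return "denied"                           # temporary password has expired
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return "denied"
    return "must_change" if user["must_change"] else "ok"


def change_password(username: str, old: str, new: str, now=None) -> bool:
    """Set a new password after proving the current (or temporary) one."""
    if login(username, old, now) == "denied":
        return False
    salt = os.urandom(16)
    USERS[username].update(
        salt=salt, hash=hash_password(new, salt), must_change=False, expires=None
    )
    return True


if __name__ == "__main__":
    outbox = []
    create_user("zigar", "zigar@example.invalid", "correct horse battery")
    request_reset("zigar", lambda addr, pw: outbox.append((addr, pw)))
    address, temp = outbox[0]
    print("mailed to", address, "->", login("zigar", temp))   # must_change
```

The same bookkeeping (random secret, stored only as a hash, short expiry, single purpose) is what a mailed reset link's token needs; the only difference is whether the secret goes in a URL or in the password box.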
-
April 9th, 2002, 10:48 PM
#7
Or maybe both: first answer the "hint question" and if they answer right then send the password (WITHOUT THE USER ID) to the mail. Also you should tell the users not to submit fake mail.
-
May 12th, 2002, 02:05 AM
#8
One other suggestion...
Limit the choices they have for their hint questions. Pick 5-10 good questions that are a little more secure than "What's my name" and then make them pick one of those and answer it. Then when they come back, all they have to do is once again pick the question and supply the correct answer. This makes it slightly harder for people trying to break the system because they have to guess which question the person picked as well as the correct answer.
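How the fixed-list hint question from the post above could be stored and checked, as an added example (not code from the thread). It assumes a constructed list of five questions, a lockout after five wrong attempts, and an in-memory table in place of the database. The user picks a question by index rather than typing one, the answer is normalized (case, spacing) and stored only as a salted hash, the answer hash is always computed so a wrong question does not fail faster than a wrong answer, and the comparison is constant-time.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed fixed question list (assumption): users pick an index, never free text.
HINT_QUESTIONS = [
    "What was the name of your first school?",
    "In what city were you born?",
    "What was the make of your first car?",
    "What is the middle name of your oldest sibling?",
    "What was the name of your first pet?",
]
MAX_ATTEMPTS = 5   # lock the hint after this many consecutive failures (assumption)

HINTS = {}         # username -> {"q": index, "salt": bytes, "hash": bytes, "failures": int}


def normalize(answer: str) -> str:
    """Case-fold, trim and collapse whitespace so '  Spring Field ' matches 'springfield'
    in casing but not in spelling; users rarely retype an answer byte-for-byte."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 over the normalized answer; the plaintext answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def set_hint(username: str, question_index: int, answer: str) -> None:
    if not 0 <= question_index < len(HINT_QUESTIONS):
        raise ValueError("question must be one of the fixed list")
    if len(normalize(answer)) < 3:
        raise ValueError("answer too short to be worth anything")
    salt = os.urandom(16)
    HINTS[username] = {
        "q": question_index,
        "salt": salt,
        "hash": hash_answer(answer, salt),
        "failures": 0,
    }


def verify_hint(username: str, question_index: int, answer: str) -> bool:
    """True only if both the chosen question and the answer match and the hint
    is not locked out. Failures count against the account, not the client."""
    rec = HINTS.get(username)
    if rec is None or rec["failures"] >= MAX_ATTEMPTS:
        return False
    # Compute the hash unconditionally so a wrong question costs the same time.
    answer_ok = hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["hash"])
    ok = (question_index == rec["q"]) and answer_ok
    if ok:
        rec["failures"] = 0
    else:
        rec["failures"] += 1
    return ok


if __name__ == "__main__":
    set_hint("zigar", 1, "  Springfield ")
    print(verify_hint("zigar", 1, "springfield"))   # True
    print(verify_hint("zigar", 0, "springfield"))   # False: right answer, wrong question
```

A passed hint check should unlock the email step (#7's combination), not display the password; the hint only adds the question choice as a second thing a guesser has to get right, which is what the post above is after.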
-
May 12th, 2002, 02:09 AM
#9
DNA analysis, can't fake or hack that one. Have them mail you a tube of their blood, everyone knows how to give blood it is easy just slice wrist lay back in tub.......
-
May 12th, 2002, 02:26 AM
#10