#1
Security - Good Control Questions
For a site that resends lost passwords -- it asks for only usernames -- that are really email addresses.
So, it may help if a control question is put in place. Only after the user answers a "control" question (input earlier on) to help uniquely identify them will he or she be resent a lost password. Here's what I have so far: "model of first car", "favorite restaurant", "favorite pet", ... I'm intentionally staying away from "place of birth" since this could potentially be used to breach personal security. Anyone have any ideas?
#2
Why the question? Aren't you sending it to the registration email? Just reset the password on request and send it to the email.
You don't need any extra security; the question thing is in the past and doesn't help as much as we would like. It's the same thing as typing your birthdate in order to send the password. It gives us a false conception of security and of how secure our site is. Peace
__________________
Help my country and sign the petition in favor of OS software. See the Petition
#3
No -- the site user requesting the resent password must first answer the control question before the password is resent. If I reset the password and resend it, any user with that email address would gain access over an account. Many banks and credit card companies have moved over to this for security. I can't get info on my credit card unless I give a satisfactory answer.
#4
Captain Obvious points out that if someone has access to your e-mail account the chances that this person would also know the name of your pet are very good.
Challenge response questions do more to give the impression of security than they actually do. I'm not saying you shouldn't implement it. Just don't think of it as any sort of security layer. It's not.
__________________
medialint.com "Energy has the opportunity to change the climate if it's done right." - Sen. John Ensign, R-Nev. (quoted out of context)
#5
Why do I have to be the captain? hehe.
Any user with access over that account... well, if it is a shared email account they shouldn't use it for registration in the first place, and security is not only our part in the business; it is the user's side also. So putting password security tips on your page would help you and them out more than the questions. Many banks and credit card companies think they are unbreakable with Java keyboards, but people have already broken the security aspects of the Java keyboard, and there are tools that capture the password from the Java console. Credit card numbers should be kept in a database apart from the one you have, and the web shouldn't have access to it; imagine if someone breaks in, how many credit card numbers can they get? Note: I'm just trying to help; if you don't want to follow these tips, no problem. Peace.
#6
There's no financial risk, in terms of credit cards. Worst case is that a user gains access over an account, by whatever means (and I agree that the security of email addresses is not the site operator's responsibility), and is able to delete users' personal data.
#7
I've personally always hated the security questions, which include "What is your favorite pet" etc. In fact, I believe that most people just put in a garbage answer so in the end the entire purpose is defeated. If you did want to have this question system, you may want to consider giving the user the option of creating the question.
Just something you may want to keep in mind.
#8
I don't think it's necessarily an issue that someone else who has access to the e-mail account can request the password and gain access to the account -- I think it should be a given that if someone signs up for something with a particular e-mail address, that e-mail address is the primary means of communication with that account and anyone with access to that e-mail address is likely going to have, or be able to get, access to the account. That's much more an end-user issue than a server-side issue.
But if you store your passwords encrypted, then you can't just send the password. You have to do a password reset and send the new password. And if you don't have any control questions, then any old person who comes along who wants to be annoying and troublesome can request lost password resets for anybody. If they want to be annoying and troublesome to some targeted individual, they can request a password reset multiple times, daily or even more frequently -- causing the innocent person to receive repeated "new password" e-mails from your site, and the annoyance of having to repeatedly use a new password. It also would tend to create a perception of insecurity -- even though no one else has gained access to their account, it's clear that unknown third parties have been able to cause their password to be changed without their knowledge or approval.
That's sufficient for me to like using the control question, or some mechanism to verify that the person requesting the password reset is indeed the person who has the authority to do so.
It also helps to reduce errors through typos -- without a control question, johndoe@example.com can inadvertently reset the password for johndo@example.com, with the result that johndoe doesn't receive his new password, and johndo accidentally gets a new password. Making them retype the email a second time can help avoid this, but how many people enter it once, then copy-and-paste into the second field? (I know I do.)
#9
One thing I don't like about control questions is that sometimes I forget how I answered. I don't remember if I capitalized my answer originally, or included the state with my place of birth... If you do a control question, I recommend doing one that can't be a different value, such as last 4 digits of SSN or birth date or something or both. If you ask for a birthdate via drop down menus, I can't forget that I was born on 12/13. However, I can forget if I entered my dog's name with a capital letter or something.
I recommend just a form with an email address, a birth date, and the last 4 digits of a social security number (don't worry your users by collecting the whole number... just ask for the last 4 during registration and let them know it's for password retrieval purposes). Or likewise, only allow a password to be reset every x minutes to prevent the problem you brought up. If you only allow the password to be reset once a day and someone requests it again, just print a message saying "Your password has already been reset today. Please check your inbox to make sure you received it. If not, wait a little then email us." or something like that.
__________________
Digg my software! TagManage Means Easy Intranet Blogging New Startup Announces Enterprise Bookmarking and Blogging Tool