Hello Code Project Fellows,
Happy New Year to All.

Guys, in my last interview I was asked to explain the logic of a Forgot Password page.
I simply explained to them that:

1. I'd take a security question and its answer from the user while registering an account.
2. When a user clicks on Forgot Password, I'd simply ask him the answer to the security question, and after he answers the security question correctly, I'd send the user the password by retrieving it from the database.

Now after this answer the interviewer asked me: since you are going to send the password to the personal email account of the registered user, it's already secure.
So what's the need for this security question logic? Because even if anyone other than the original user requests the password, the password still goes to the member's personal email account, which no one can access other than the original user.

Now for this question I didn't have any good, strong answer.
So I request that anyone of you please answer me: what should be the perfect answer for it?

Thanks in Advance.

I hope by "send the Password", he means generate a new password and send that, not the current password, which should be irretrievable.

Now answer me this... would you want others to be able to reset your passwords? Never mind that they won't get it. Would you want to get an email from CP every morning saying you had requested a new password? How about from several sites? Dozens of sites? I don't think so.

It's not strictly a security issue.
Comments
P_Dash 13-Jan-13 11:09am    
@PIEBALDconsult:

Dear, your point is absolutely correct.
But suppose my program is retrieving the current password from the database and sending that to the registered email.
Now is this security question required?
PIEBALDconsult 13-Jan-13 11:27am    
Then it's wrong and must be fixed.
P_Dash 13-Jan-13 12:40pm    
Will follow you, dear.

In between, do you have any other idea to implement Forgot Password logic?

The interviewer is correct - if the software is going to generate a new password and send it to the original registered email address, then the security question is redundant, and need not be used.

Security questions are used when the web site needs to contact the user directly, not via email, or when the site is going to reveal the old password in some way. And any site which can do that is insecure and should not be visited - you should never store passwords in a way which can be reversed to re-generate the original password.
Comments
P_Dash 13-Jan-13 11:10am    
And Sir, your answer is perfect provided the program is sending the current password to email.
But as answered below, if I'm generating a new password, then it'd be a problem.
OriginalGriff 13-Jan-13 11:29am    
As I said - "any site which can do that is insecure and should not be visited - you should never store passwords in a way which can be reversed to re-generate the original password"
P_Dash 13-Jan-13 12:39pm    
Thanks for your suggestion, dear.
Thanks a lot.

In between, do you have any other idea to implement Forgot Password logic?
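Both answers above turn on one point: a password the site can email back is a password the site stored reversibly, which is the real flaw in the design the question describes. The following is an added example, not code from either answerer, showing the pattern they recommend instead: the database holds only a salted PBKDF2 hash, so "retrieve the current password" is impossible by construction, and Forgot Password generates a fresh random password, stores only its hash, and hands the plaintext to the mailer once. The `UserStore` class, the in-memory dictionary standing in for the users table, the `send_email` stub and the `must_change` flag (forcing a change at next login) are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Production deployments use a
# higher count; this value is kept modest so the example runs quickly.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). The digest is one-way: nothing here can turn it back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def send_email(address: str, body: str) -> None:
    """Stand-in for the mailer (assumption of this example); a real site would hand off to SMTP here."""
    pass


class UserStore:
    """In-memory stand-in for the users table; constructed for this example."""

    def __init__(self) -> None:
        # email -> {"salt": bytes, "hash": bytes, "must_change": bool}
        self.users = {}

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        # Only the salt and the one-way digest are persisted, never the plaintext.
        self.users[email] = {"salt": salt, "hash": digest, "must_change": False}

    def login(self, email: str, password: str) -> bool:
        row = self.users.get(email)
        if row is None:
            return False
        return verify_password(password, row["salt"], row["hash"])

    def forgot_password_retrieve(self, email: str) -> str:
        """The design from the question: email the current password back.

        With hashed storage there is no plaintext column to read, so this
        cannot be implemented; the row is intentionally unusable for it.
        """
        raise LookupError("plaintext password is not stored and cannot be recovered")

    def forgot_password(self, email: str) -> Optional[str]:
        """The flow both answers recommend: generate a new password, store its hash, email the plaintext once."""
        row = self.users.get(email)
        if row is None:
            # Unknown address: nothing is generated or sent.
            return None
        new_password = secrets.token_urlsafe(12)   # ~96 bits from the OS CSPRNG
        salt, digest = hash_password(new_password)
        row["salt"], row["hash"] = salt, digest
        row["must_change"] = True                  # convention of this example: force a change at next login
        send_email(email, "Your temporary password is: " + new_password)
        # Returned only so the caller/mailer can deliver it; it is not kept anywhere.
        return new_password


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.test", "correct horse battery staple")   # constructed sample user
    temp = store.forgot_password("alice@example.test")
    print("old password still works:", store.login("alice@example.test", "correct horse battery staple"))
    print("temporary password works:", store.login("alice@example.test", temp))
```

The point the interviewer was probing is visible in `forgot_password_retrieve`: a site that can answer it has stored something reversible, and the fix is to change the storage, not to bolt a security question in front of the lookup. With hashed storage the security question adds nothing to the reset's confidentiality, exactly as OriginalGriff says; what it (or a confirmation link) can still do is stop third parties from triggering unsolicited resets, which is PIEBALDconsult's point.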

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)