Hello Code Project Fellows,
Happy New Year to All.
Guys, in my last interview I was asked to explain the logic of a Forgot Password page.
I simply explained to them that:
1. I'd be taking a security question and its answer from the user while registering an account.
2. When a user clicks on Forgot Password, I'd simply ask him the answer to the security question, and after he answers the security question correctly, I'd send the user the password by retrieving it from the database.
Now after this answer the interviewer asked me that, since you are going to send the password to the personal email account of the registered user, it's already secure.
So what's the need for this security question logic? Because even if anyone other than the original user requests the password, the password still goes to the member's personal email account, which no one can access other than the original user.
Now for this question I didn't have any good, strong answer.
So I request, please, anyone of you answer me: what should be the perfect answer for it?
Thanks in Advance.
I hope by "send the Password", he means generate a new password and send that, not the current password, which should be irretrievable.
Now answer me this... would you want others to be able to reset your passwords? Never mind that they won't get it. Would you want to get an email from CP every morning saying you had requested a new password? How about from several sites? Dozens of sites? I don't think so.
It's not strictly a security issue.
Edited 13-Jan-13 4:46am
The interviewer is correct - if the software is going to generate a new password and send it to the originally registered email address, then the security question is redundant, and need not be used.
Security questions are used when the web site needs to contact the user directly, not via email, or when the site is going to reveal the old password in some way. And any site which can do that is insecure and should not be visited - you should never store passwords in a way which can be reversed to re-generate the original password.
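The point both answers make (the stored password must be irretrievable, so "forgot password" issues a fresh credential instead of recovering the old one) as an added Python example; this is not code from the thread or from CodeProject. The `Accounts` class, its in-memory dictionaries and the 15-minute window are assumptions, and a one-time reset token sent to the registered address stands in for "send a new password".

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000          # work factor for the password hash (assumed value)
TOKEN_TTL_SECONDS = 15 * 60      # reset tokens expire after 15 minutes (assumed value)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest; the plaintext can never be recovered from it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Accounts:
    """Hypothetical in-memory user store standing in for the database in the question."""

    def __init__(self):
        self.users = {}    # username -> {"email", "salt", "hash"}
        self.resets = {}   # username -> {"token_hash", "expires"} (pending reset, at most one)

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self.users[username] = {"email": email, "salt": salt, "hash": digest}

    def check_login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["hash"])   # constant-time compare

    def forgot_password(self, username, now=None):
        """Returns (registered email, one-time token) for the caller to mail, or None.
        Only a hash of the token is stored, so a leaked table cannot be used to reset."""
        user = self.users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        expires = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        self.resets[username] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                                 "expires": expires}
        return user["email"], token

    def reset_password(self, username, token, new_password, now=None):
        """Consumes the token (single use, time-limited) and stores a new password hash."""
        pending = self.resets.get(username)
        if pending is None:
            return False
        if (now if now is not None else time.time()) > pending["expires"]:
            del self.resets[username]                        # expired: discard it
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False                                     # wrong token: keep waiting
        del self.resets[username]                            # valid: consume it
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, hash=digest)
        return True
```

Nothing in this flow can ever hand the old password back, which is exactly why the security question adds nothing here: the only thing that is sent is a token that is useless without access to the registered mailbox.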
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)