Hello Code Project Fellows,
Happy New Year to All.
 
Guys, in my last interview I was asked to explain the logic of a Forgot Password page.
I simply explained to them that:
 
1- I'd take a security question and its answer from the user while registering an account.
2- When a user clicks on Forgot Password, I'd simply ask him the answer to the security question, and after he answers the security question correctly, I'd send the user the password by retrieving it from the database.
 
Now after this answer the interviewer asked me that, since you are going to send the password to the personal email account of the registered user, it's already secure.
So what's the need for this security question logic? Because even if anyone other than the original user requests the password, the password is still going to the member's personal email account, which no one can access other than the original user.
 
Now for this question I didn't have any good strong answer.
So I request, please, anyone of you answer me: what should be the perfect answer for it?
 
Thanks in Advance.
Posted 13-Jan-13 3:19am

Solution 2

I hope by "send the Password", he means generate a new password and send that, not the current password, which should be irretrievable.
 
Now answer me this... would you want others to be able to reset your passwords? Never mind that they won't get it. Would you want to get an email from CP every morning saying you had requested a new password? How about from several sites? Dozens of sites? I don't think so.
 
It's not strictly a security issue.
Comments
Gittu Dash at 13-Jan-13 11:09am
@PIEBALDconsult:
 
Dear, your point is absolutely correct.
But suppose my program is retrieving the current password from the database and sending that to the registered email.
Now is this security question required?
PIEBALDconsult at 13-Jan-13 11:27am
Then it's wrong and must be fixed.
Gittu Dash at 13-Jan-13 12:40pm
Will follow you, Dear.
 
In between, do you have any other idea to implement Forgot Password logic?

Solution 1

The interviewer is correct - if the software is going to generate a new password and send it to the originally registered email address, then the security question is redundant and need not be used.
 
Security questions are used when the web site needs to contact the user directly, not via email, or when the site is going to reveal the old password in some way. And any site which can do that is insecure and should not be visited - you should never store passwords in a way which can be reversed to re-generate the original password.
Comments
Gittu Dash at 13-Jan-13 11:10am
And Sir, your answer is perfect provided the program is sending the current password to email.
But as answered below, if I'm generating a new password, then it'd be a problem.
OriginalGriff at 13-Jan-13 11:29am
As I said - "any site which can do that is insecure and should not be visited - you should never store passwords in a way which can be reversed to re-generate the original password"
Gittu Dash at 13-Jan-13 12:39pm
Thanks for your suggestion, Dear.
Thanks a lot.
 
In between, do you have any other idea to implement Forgot Password logic?
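As an added illustration of the point both answers make (the stored password must be irreversible, and the email step is what proves the requester controls the account), here is Python that is not from this thread or from CodeProject: passwords are kept only as salted PBKDF2 hashes, and a forgot-password request issues a random, time-limited, single-use token rather than any password, generated or current. The in-memory dictionaries, the 15-minute lifetime and the iteration count are assumptions for the demo.

```python
import hashlib, hmac, os, secrets, time
from typing import Optional

# Assumptions for this demo: an in-memory "database" and a PBKDF2 work factor
# kept low so the example runs quickly; raise the iteration count in production.
PBKDF2_ITERATIONS = 200_000
TOKEN_TTL_SECONDS = 15 * 60
users = {}         # username -> {"salt": bytes, "hash": bytes}
reset_tokens = {}  # sha256(token) -> (username, expiry as epoch seconds)

def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted one-way hash: the database never holds anything that can be
    turned back into the password, so there is no password to 'retrieve'."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest}

def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Forgot-password step 1: mint a random, single-use, time-limited token and
    store only its hash (a database leak then exposes no usable tokens). The
    caller emails the returned token; it must respond identically whether or
    not the account exists, so an unknown name just yields None."""
    now = time.time() if now is None else now
    if username not in users:
        return None
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode()).digest()] = (username, now + TOKEN_TTL_SECONDS)
    return token

def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: presenting the token proves control of the mailbox, which is the
    real identity check. The token is consumed on any attempt (single use)."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    username, _ = entry
    salt, digest = hash_password(new_password)
    users[username] = {"salt": salt, "hash": digest}
    return True
```

Because the token, not a password, travels by email, an attacker who only knows a username can trigger the unwanted reset emails PIEBALDconsult describes but cannot change anything without reading the victim's mailbox.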

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)