[thelist] changing password design
Tony Crockford
tonyc at boldfish.co.uk
Fri Sep 12 05:11:19 CDT 2003
On Fri, 12 Sep 2003 11:51:37 +0200, Marek Kilimajer
<kilimajer at webglobe.sk> wrote:
> Tony Crockford wrote:
>
>> usual approach to this is to store another secret (or two) such as
>> pet's name, mother's maiden name etc. which they are required to enter to
>> get a new password; even a user-generated question and answer pair if
>> needed - what's my favorite food - Brussels sprouts
>
> It is the same as using this kind of information for a password. So you
> can tell the users to use it for a password right away. Not very secure.
>
What is secure?
The harder you make it for me to remember my login the more likely I am to
write it down.
e.g. my bank now requires me to log in using all of these:
account number
memorable information (1 of 3 phrases)
three random digits from my pass number
I'm going to have to write it down to see which are the random numbers!
All I meant was that if you had a second test for identity before allowing
a password change it has to be better than not having a second test?
--
http://www.xebit.net/
Sent with M2, Opera's revolutionary e-mail client:
https://secure.bmtmicro.com/opera/buy-opera.html?AID=627923