[thelist] hashing stored passwords (revisited)

klute soundres9 at yahoo.com
Thu Jun 26 08:36:06 CDT 2003


--- Gary McPherson <genyus at ingenyus.net> wrote:
> Good point, Ken. So, how about presenting the
> challenge question when
> the user returns and is forced to enter a new
> password for themselves?
> Obviously, the secret answer would be encrypted also
> and one assumes
> that if they forget that too, then that account will
> become inaccessible
> without further communication with the site
> administration. 

that's what PayPal does. nothing wrong with that.

> Is it acceptable to provide a fixed security question
> (e.g. "mother's maiden
> name") or is it more sensible to allow from a range
> of options as some
> sites do nowadays? This is a community-type site, so
> there is no
> sensitive information available beyond contact
> details and access to the
> member's personal page, so I don't want to make the
> security process too
> overbearing.
> 

i would stay away from asking for very sensitive info
such as "mother's maiden name" or "last 4 #s of your
SSN", etc. these are routinely used by banks and why
would i give this info to a small site w/o having any
assurance that it will be kept encrypted and/or the
machine the database is on is well-protected? if my
mother's maiden name is compromised, it can't be
changed but i still need to continue using it for
banking! smaller independent sites don't care about
security (they'd probably like to but don't have
resources) as much as banks or places like PayPal do. 

as for asking several security questions or letting
users choose between them, i think this should be
fine.
  
James
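As an added illustration of the scheme Gary describes above (the recovery answer stored hashed like the password, never in the clear), here is example code that is not from the thread or from any participant. It assumes PBKDF2-HMAC-SHA256 with a per-record random salt, and normalizes the answer so capitalization and spacing differences still verify.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Work factor and salt size are assumptions chosen for this example.
ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a security answer: Unicode NFKC, case-fold,
    collapse runs of whitespace. Keeps 'Smith' and ' smith ' equal."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for a
    password or an already-normalized answer. Fresh salt per record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare
    in constant time so timing does not leak how much matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def store_recovery_answer(answer: str) -> str:
    """What the site keeps: a salted hash of the normalized answer."""
    return hash_secret(normalize_answer(answer))


def check_recovery_answer(answer: str, stored: str) -> bool:
    """Verify a user-supplied answer against the stored record."""
    return verify_secret(normalize_answer(answer), stored)


if __name__ == "__main__":
    record = store_recovery_answer("Fluffy the Cat")  # constructed sample
    print(record)
    print(check_recovery_answer("  fluffy THE cat ", record))  # True
    print(check_recovery_answer("Fluffy the Dog", record))     # False
```

The same hash_secret/verify_secret pair serves the password itself; only the normalization step is specific to recovery answers.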



