The eternal usability/security tension. The easiest is the "mother's maiden name" level of security. . . which is fairly poor security for many applications, but fine for very low risk ones. In general, not knowing anything else, I suggest a moving scale: High security -- No recovery. User has to re-register. Medium security -- User encrypts passphrase on floppy keyed for local security officer. Stores in user's desk. Goes to security officer to decrypt when forgets. Floppy can be examined to ensure owned by individual. Low security -- Combination of info gleaned during registration on secure connection (any two randomly asked questions: favorite pet's name, last four digits of SSN, mother's maiden name, etc.). Can be over SSL connection.
Dig deeper on Password Management and Policy
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.