Ask The Security Expert: Questions & Answers

Recovering lost passwords

EXPERT RESPONSE FROM: Frederick Avolio

QUESTION POSED ON: 10 April 2001
How do you recommend an ASP enable customers to recover lost passwords? Letting them request their password by e-mail is vulnerable to sniffing. Letting them request their password by phone with "safeword" is vulnerable to social engineering. Any sage advice?


The eternal usability/security tension. The easiest is the "mother's maiden name" level of security... which is fairly poor security for many applications, but fine for very low risk ones.

In general, not knowing anything else, I suggest a moving scale:

High security -- No recovery. User has to re-register.

Medium security -- User encrypts passphrase on floppy keyed for local security officer. Stores in user's desk. Goes to security officer to decrypt when forgets. Floppy can be examined to ensure owned by individual.

Low security -- Combination of info gleaned during registration on secure connection (any two randomly asked questions: favorite pet's name, last four digits of SSN, mother's maiden name, etc.). Can be over SSL connection.
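The low-security tier above, sketched in Python as an added example that is not part of the original answer: registration answers are stored only as salted hashes, two questions are picked at random, and repeated failures lock recovery. The function names, the PBKDF2 work factor and the lockout threshold are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch
MAX_FAILURES = 3         # assumed lockout threshold


def _normalize(answer: str) -> bytes:
    # Case and spacing differences should not lock out a legitimate user.
    return " ".join(answer.lower().split()).encode("utf-8")


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ROUNDS)


def register(answers: dict) -> dict:
    """Store a salted hash per question; plaintext answers are never kept."""
    record = {"failures": 0, "questions": {}}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record["questions"][question] = (salt, _digest(answer, salt))
    return record


def pick_challenge(record: dict, count: int = 2) -> list:
    """Choose `count` distinct questions at random with a CSPRNG."""
    return secrets.SystemRandom().sample(sorted(record["questions"]), count)


def verify(record: dict, challenge: list, responses: dict) -> bool:
    """All challenged answers must match; failures count toward a lockout."""
    if record["failures"] >= MAX_FAILURES:
        return False
    ok = True
    for question in challenge:
        salt, stored = record["questions"][question]
        candidate = _digest(responses.get(question, ""), salt)
        # Constant-time compare, and no early exit on the first mismatch.
        ok &= hmac.compare_digest(candidate, stored)
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


# Constructed sample data, not real user information.
SAMPLE = {"favorite pet's name": "Rex", "last four digits of SSN": "0000",
          "mother's maiden name": "Example"}
```

Hashing does little for an answer with only 10,000 possible values, such as the last four SSN digits, so the failure counter is the control that limits guessing.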


All Rights Reserved, Copyright 2003 - 2009, TechTarget