Many forgotten password reset systems work on the basis that a user has to provide the answers to a set of security “challenge” questions that they have supplied at some previous time; if they provide the correct responses they can go ahead and reset their password. You may have invested time and money educating your users on the importance of choosing passwords that nobody else can guess and of not writing the password down on a Post-it note and sticking it on their screen. You may have deployed password policies that require a high degree of password complexity and enforce frequent password changes. But can you be sure that users are providing suitably secure responses to their challenge questions? If not, you might as well forget all your super high security password strategies and set everyone’s password to “password”!
With the inescapable rise of social networking it’s becoming easier for hackers to discover personal information like a person’s date of birth, graduation year, favourite film or even the name of their dog. The wisdom of providing this information for all the world to see is questionable to say the least, but it’s outside the remit of the IT department to dictate what people can and can’t put on Facebook. Even the old favourite “What’s your mother’s maiden name?” is sometimes available in online genealogy databases or other sources. This increased availability of personal data presents a challenge when defining the security questions you require users to answer. Clearly you need to provide questions that have answers that cannot easily be guessed or found elsewhere, but getting agreement on what these questions should be has proven to be an unexpectedly protracted process in many organisations I have worked with. Some have even refused to implement forgotten password reset services because they see them as the weakest link in the security infrastructure, one that could be exploited by anyone wishing to gain unauthorised access, and I can see their point. When you think that many banks use this type of forgotten password reset service it’s a worrying problem.
So how do you implement a secure forgotten password reset service? My view is that you can never guarantee that your system will be 100% secure but you can take steps to minimise risks. If you think about it, that’s probably true of all IT security systems, not just those built to manage forgotten password resets.
One way to decrease the risk is to insist that users who have forgotten their passwords must answer more than one security question. Each extra question you ask decreases the probability that a hacker can guess all the required responses. So why not go ahead and insist on forcing the user to provide 15 correct responses to security questions before they can reset their password? Well, apart from annoying the user and taking up more of their precious time, this strategy also greatly increases the probability that users will not be able to answer the full set of questions, as they may have forgotten some of the answers they originally provided; they will then just phone the helpdesk, and that defeats the object of the exercise. You probably need to think about exactly how many questions you will require users to answer before being able to reset their password, but an absolute minimum of three is advised. Some systems allow you to require that the user initially sets up a number of security questions but only present them with a random selection of these when they forget their password. This is good practice; it means a potential hacker doesn’t necessarily know in advance which information they need. If your system allows, limit the number of incorrect password reset attempts before the user is locked out of the service; this may lock out some genuine reset attempts if the user has forgotten or mistyped their challenge responses, but it does help to weed out hacking attempts.
So it seems there is a trade-off between security and usability, but there are ways to increase the likelihood that a user will be able to provide the correct responses. You can’t improve the user’s memory, but you can help them to provide less ambiguous answers by phrasing the question in a more specific way. For example, if you ask them the name of their best friend at school they might provide the full name of this person when first setting up the security responses. When they forget their password they might not remember how they first answered the question and may type in just the forename of the person and wonder why they get an incorrect response error message. Or they might be thinking of a different school they attended than the one they were first thinking of. There’s no point relieving the helpdesk of calls relating to forgotten passwords if it means they are bombarded by calls relating to forgotten challenge responses. So be more specific: “What is the first name of your best friend at the first school you attended?” This is something they should know the answer to and something they should be able to answer the same way every time. Of course, it’s possible that somebody else may know or guess this information, but combine it with a few other similarly specific questions and you will greatly increase the security of your forgotten password reset system and ensure that it’s actually usable.
Some systems give you the option to allow users to set their own challenge questions. This would be great if you could guarantee that your users always choose sensible questions. In my opinion it’s asking for trouble and to be avoided at all costs. Do you really want people to be able to base their password security on the answers to questions like “What is my name?”, “What is the capital of Italy?” or even “What am I having for dinner tonight?” Some may choose questions with yes/no answers like “Do I like Chinese food?” If you think it unlikely that this will happen, you are probably underestimating your users’ understanding of password security concepts. Just don’t go there!
In summary, by carefully choosing challenge questions that require specific responses which are both memorable to the user and difficult for anyone else to determine or guess, and by using a combination of several mandatory questions, you can greatly improve the security of your forgotten password reset system while reducing the strain on your helpdesk and decreasing user downtime.
Richard James - Writer for Salford Software, the IT services specialists