Alan Burlison wrote:
> The new OpenSolaris.org membership application will start using security
> questions for self-service password resets. People will be able to
> pre-register a number of questions and answers, if they request a
> password reset they will need to supply the answers to the questions
> they previously set up.
Personally I hate sites that do this. Is there any chance of a "reset password and email the new value to the email address on record" policy instead, as several other sites use?

In part, most of the questions below (and as used on other sites) are pretty clearly subject to dictionary attacks, which is not very secure. For example, for "make of first car", an attacker would presumably just need to try "Ford, Toyota, Honda, ...". Of the list below, only the "registration number of first car" really seems immune to dictionaries, and even it could be guessed in several cases by someone who knows the victim, especially if, as Shawn suggested, they still have the car.

If forced to choose, at least the "town/city name" questions allow someone to use a hard-to-guess local district name rather than "London". But equally, if your resume is posted somewhere online then it's easy for someone to guess where someone's first job is.

PS: I guess if you email the new password rather than displaying it on screen then you get better security. But in that case the question could reduce to "Do you want your password reset and then emailed?", answer = "Yes".

> ----------
> What is the first name of your oldest niece or nephew?
> What is the middle name of your oldest brother or sister?
> What is the middle name of your youngest child?
> What is your partner's nickname?
> What town or city did you meet your partner in?
> What town or city did your parents meet?
> What town or city was your first job in?
> What town or city were you in when you first used a computer?
> What was the first name of your childhood best friend?
> What was the make and model of your first car?
> What was the name of your first pet?
> What was the name of your first school?
> What was the name of your first toy animal?
> What was the registration number of your first car?
> What was your childhood nickname?
> ----------

_______________________________________________
website-discuss mailing list
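As an added example, not part of the thread or of the OpenSolaris.org application, the following puts the poster's two points side by side: the guess space of a dictionary-answerable question such as "make of first car", and the emailed one-time reset token the poster would prefer instead. The car-make list, token length and expiry window are constructed assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed, illustrative answer pool for "make of your first car":
# an attacker only has to cycle through a short list of common makes.
COMMON_CAR_MAKES = ["Ford", "Toyota", "Honda", "Volkswagen", "Nissan", "BMW",
                    "Chevrolet", "Fiat", "Vauxhall", "Peugeot", "Renault", "Mazda"]

TOKEN_BYTES = 32             # assumed: 256 bits of randomness per reset link
TOKEN_TTL_SECONDS = 15 * 60  # assumed: a reset link is valid for 15 minutes


def guess_entropy_bits(answer_pool_size: int) -> float:
    """Bits an attacker must guess if the answer is uniform over the pool."""
    return math.log2(answer_pool_size)


def token_entropy_bits() -> int:
    """Bits an attacker must guess to forge an emailed reset token."""
    return TOKEN_BYTES * 8


class ResetTokenStore:
    """Issues one-time, expiring reset tokens and stores only their hashes,
    so a leaked database does not hand out usable reset links."""

    def __init__(self):
        self._pending = {}  # username -> (sha256 hex of token, expiry time)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # sent only to the email address on record

    def redeem(self, username: str, token: str, now: float) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[username]  # expired links are discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time check
            return False
        del self._pending[username]  # single use: a redeemed token is gone
        return True
```

The twelve-make list yields under four bits of guessing work, whereas a 32-byte token yields 256 bits, and the store also enforces expiry and single use, which a static security answer cannot.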
