
Forum Moderators: incrediBILL & lawman


Reset passwords, without email verification

Need a few ideas

     

bhonda

4:28 pm on Jul 6, 2012 (gmt 0)

10+ Year Member



Has anyone ever come across a decent password reset scheme, that does not rely on an email address being emailed a password or reset link, and does not rely on the rather simple 'Mother's maiden name' security questions either?

The reason behind this is that many of our users do not have their own email address (that they use for our services anyway), and it appears as though our current way of emailing the registered email address a link by which they can reset their password, when they forget their password, isn't working too well.

Has anyone got any ideas? I'm up for something totally unconventional, if it calls for it!

rocknbil

3:29 am on Jul 7, 2012 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Multi factor validation?

Ask three questions on signup and all three must be correct to allow any account modification.

Don't make it mother's maiden, birthday, pet's name, or allow them to create their own. People are lazy and create lazy questions that will invariably make it insecure. Get creative with it, maybe even use a database of several hundred questions of which three are randomly selected at signup time so no two members have the exact same questions.
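
The scheme suggested in the post above, sketched as an added example that is not part of the thread or any poster's code: three questions drawn at random from a pool at signup, with every answer required before an account change is allowed. The function names, the constructed question pool, and the use of salted PBKDF2 to store answers are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed placeholder pool; the post suggests several hundred real questions.
QUESTION_POOL = [f"Sample question #{i}" for i in range(1, 301)]

def pick_questions(pool, k=3):
    """Choose k distinct questions for a new member using the OS CSPRNG."""
    return secrets.SystemRandom().sample(pool, k)

def _normalize(answer):
    # Fold case, Unicode form and whitespace so "  Blue  Door" equals "blue door".
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def _hash(answer, salt):
    # Assumption: answers are low-entropy secrets, so store them like passwords
    # (salted, slow hash) and never in plaintext.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 200_000)

def enroll(answers_by_question):
    """Build the record to store at signup: question -> (salt, digest)."""
    record = {}
    for question, answer in answers_by_question.items():
        salt = os.urandom(16)
        record[question] = (salt, _hash(answer, salt))
    return record

def verify_all(record, supplied):
    """Return True only if every enrolled question is answered correctly.

    Every answer is checked even after a miss and a single boolean comes
    back, so the caller cannot learn which of the three answers was wrong.
    """
    ok = True
    for question, (salt, digest) in record.items():
        candidate = _hash(supplied.get(question, ""), salt)
        ok &= hmac.compare_digest(candidate, digest)
    return ok
```
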

Kendo

4:50 am on Jul 7, 2012 (gmt 0)

10+ Year Member



Using 3 questions of their own choice would be better overall. Otherwise they may never get the answer. On a site for local residents we have some trick questions in the signup form like what do you see along the roadside on the way there, and most get that wrong.