Comments on: Forgotten password

By: Anonymous

Anonymous — Fri, 30 Nov 2007 19:45:35 +0000

How secure is any of the above anyway?
When sending hashes/passwords through email, which is totally insecure as email is sent in plain text and thus can be sniffed.

By: Gareth Heyes

Gareth Heyes — Wed, 02 May 2007 10:30:18 +0000

@shapcy
Thanks for the translation

@patmoore
A password hint is a bad idea because it gives the attacker information that they shouldn’t have. I decided to use the username and email combination but you don’t have to…my goal was to point out the security and usability balance and let you decide for yourself how far you want to take it.

By: patmoore

patmoore — Tue, 01 May 2007 20:46:45 +0000

So now you are going to make someone remember both a username and a password?

There are going to be 3 possible outcomes to this depending on how valuable the site in question is:

1) fewer people will register (and/or return) because they will not remember their username/password combination.

2) You will need a method to have someone be told what their username is given their email address.

3) People will just start writing the username/password on pieces of paper that others will pick up and can use.

Rather than do this — think about the idea of a password hint that the user is allowed to create.

Also consider this if the attacker has access to the email account that the reset password link was sent to. The victim has lots of other issues as well.

I guess bottomline I think you are taking the security question in the wrong direction. (unless of course you are working for a bank)

By: shapcy

shapcy — Tue, 01 May 2007 16:06:10 +0000

“This isn’t easy because it is a balance of ease of use and security, getting them both spot on is a real challenge.”

This explains the our problem clearly. It is a balance problem. We should choose the best strategy for our application: more usability,more security or more balanced system.

I translated this little article to Turkish and published in my blog.

Forgetten Password - In Turkish

Regards,
Mustafa Şapçılı

By: Gareth Heyes

Gareth Heyes — Tue, 01 May 2007 08:20:19 +0000

I agree it is a usability problem and what I said in the article “This isn’t easy because it is a balance of ease of use and security, getting them both spot on is a real challenge.” is exactly what we are taking about.

Any suggestions on how we can achieve this goal?

By: Jan Schneider

Jan Schneider — Mon, 30 Apr 2007 16:40:04 +0000

Actually I consider the infamous “invalid username and password” error message a usability nightmare. We are keeping dozens of user names and password with us, and every now and then I can’t login on a rarely used account. This error message doesn’t help me at all. I want to know if it was my user name that I didn’t remember correctly or if I didn’t pick the correct password of my common set.