2

Wired wrote an article recently about the top tech fails of 2012 and to no surprise, the password was on the list, more specifically the way a user can retrieve their passwords.

What are some nifty alternatives to the classic "reset your password through email" method? I haven't really seen anything else implemented, and the things I have seen, aren't very friendly to the common computer user and often involve a lot of steps that get users frustrated.

Please provide some examples of sites that use alternatives! I'm interested :)

Improve this question

3 Answers 3

Reset to default
1

Authentication is made by using one of these or their combination:
1- Something you know (Text passwords like everywhere!)
2- Something you have (Tokens, Smart Cards etc )
3- Something you are (Eye's Retina, Finger Print etc) .

All these methods have their own weaknesses in their nature.
Combining them helps but it also deceases ease of use & availability.
Passwords weakness is that it can be changed without identifying the one who is doing this.
It's vulnerable in it's nature.
Of course your can combine it ie. reset password after verifying finger print or ID card, thinking to availability & normal users, it's actually useless.

Anyway, Personally i rather to answer to my security questions to reset my password, mainly because my answers are like passwords more or less, unguessable & badly typed !

Q:what was your favorite childhood cartoon?
A: h0w d0 u kn0w if i ever w@tch3d 1?

Improve this answer
4
  • Of course for someone who is 'into' security, they may have answers like that...however from what I've seen, many users choose simple questions like 'What city were you born in?' or 'What is your birthday?' The fact that these questions even exist is pretty terrible to be honest. Commented Dec 27, 2012 at 19:12
  • @JoshTerrill Couldn't agree more. May be restricting answers to a minimum length or words help a bit but the ease of use drops... Oh ! I remember now! Live.com has an excellent reset mechanism! but it's activated when you fail one time or so. it asks questions like : what was the last password remember, who did you email mostly, what was the subject of email you sent recently & so on. From what i could reverse, it ANDs all the answers. There was many beautiful mechanisms in it's architecture like comparing where are you logging in from, to what country you signed up for the account etc. Commented Dec 27, 2012 at 19:22
  • This is the kind of answer I want to see! Thanks for sharing, I'll definitely look into that! Something that I was considering included having users upload a picture from their computers upon registration, and then the picture is minimized, converted to greyscale blocks, and transformed into some kind of string. Then when you want to reset a password, you can just upload that same picture and it checks to see if it's the same... but I don't know how practical it would be/how users would react to something like this. Commented Dec 27, 2012 at 19:48
  • @JoshTerrill The only problem there is that the user must be told to keep that photo in an unaltered state to use later. Commented Dec 27, 2012 at 20:20
1

The only other common method I have run into is using a secondary communication channel, like SMS, having to call in, Twitter (!), or a secondary email account.

I have heard of the idea of having a user upload a picture and to identify a few things within the picture (faces, names, places, objects, etc.), but that, too has its downfalls.

The thing, as always, to balance secure methods with usability.

Improve this answer
0
1

It all depends on your target user base.

For example, in Finland, almost all official government computers† (especially ones used to access sensitive information) have two-factor authentication (password and an ID card). In these cases, then go ahead, use some Java applet/ActiveX/Silverlight/Flash solution to provide extra authentication using these peripherals.

In most situations, you're talking about a home user using your web application/service. Biometrics and ID cards and whatnot cannot be relied upon.

So what are the alternatives?

Along with SMS or alternative email with a security question, I suggest testing the user's knowledge of their account with a reasonable margin of error while keeping it as user-friendly as possible. It can be a multi-stage test like this:

1- Choose the friend with whom you chat the most (applies to socialnetworking sites)

2- How many times do you think you've logged in this week? (applies to almost any web service)

3- How many times have you played FarmExpert on our website? (ask about something the user has never used)

Can also be computers used by bank employees.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.