
Context

We have a situation where we are allowing our users to log in using either Username & Password + Memorable word OR Username & Password + answers to Security questions, depending on options configurable by the client.

When a user requests a password reset they are sent an email that links back to a password reset workflow.

I fully understand that both memorable word & answers to security questions are sub-optimal solutions at best.

A couple of questions:

  1. When a user initiates a password reset, should they be required to reset answers to their security questions & Memorable word as well?
  2. Given that both additional steps (either answers to security questions or Memorable word) are actually less secure than username & password, what are the merits of resetting them?
Mike Ounsworth
Okavango

2 Answers

You should send the password reset link (or code) to a predefined email address (or phone number). This is the only protection in this scenario.

So-called "security questions" are not "less secure", they are totally insecure, and if used incorrectly they decrease security, as discussed in "Do security questions subvert passwords?". The only reason to use them might be preventing bots from proceeding through the password reset page.

Regarding your second question: asking users to reset them each time will likely only increase the burden on your help desk, because after the third password + "security question" reset users might start putting in things that they cannot easily remember and will look for other ways of contacting your company.

In addition (I know you are considering this requirement only for "forgotten password" option), if you'd require users to perform too much manual processing when changing passwords, you might turn down more security-conscious users who use password managers to automatically update their passwords.

techraf

With regards to your first question, you probably should make that an option or at least query the user on which piece(s) of information they've forgotten. If they forgot their password but remember their security question then it doesn't make sense to require a new security question answer. If the user forgot both then they'll need to reset both.

You could prompt them for both pieces of info, but not require answers to both. So if a user enters a new password but not a new security question answer you will only store the new password and leave the old security question answer record alone. The user could also provide both pieces of info and in that case you update the user records for both.

Security questions don't really work well with the reset model. You can't expect them to choose a different answer for the same question, so that means changing questions as well. Depending on your site, there may already be a limited number of questions, which the average user will narrow down further depending on which ones they can answer or want to use. So forcing a change with every password reset can cause new answers to be even less memorable.

Likewise, the 'memorable word' is essentially just another password. So if you reset it every time a password needs to be reset you're giving the user two new pieces of information to memorize. It goes from 'memorable' to 'a random word I was forced to come up with'.

For your second question, the only security merit of resetting the answer or word arises if an attacker has obtained those pieces of info alongside a valid password. If a user realizes this theft has happened they may want to change passwords and security answers. There may be situations where this is true, but I wouldn't expect that the majority of user password resets will be associated with this type of compromise.

PwdRsch
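The reset flow the two answers describe (link sent only to the address on file, single-use token, new password required, security answer or memorable word replaced only when the user supplies one), as an added Python sketch; this is not code from the question or either answer, and the 15-minute expiry, PBKDF2 parameters and in-memory stores are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60   # reset links expire after 15 minutes (assumed policy, not from the page)
_pending = {}         # sha256(token) -> (username, expiry); only the token's hash is stored

def hash_secret(secret):
    """Fresh salt + PBKDF2 hash; used for passwords, answers and memorable words alike."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

def check_secret(secret, stored):
    salt, digest = stored
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000))

@dataclass
class User:
    email: str        # address on file; the reset request never supplies it
    password: tuple   # (salt, hash) from hash_secret
    answer: tuple     # (salt, hash) of the security-question answer or memorable word

def request_reset(users, username, now=None):
    """Return (stored_email, token) for the mailer, or None for an unknown user.
    Send the same HTTP response either way so usernames cannot be enumerated."""
    user = users.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    _pending[hashlib.sha256(token.encode()).digest()] = (username, (now or time.time()) + TOKEN_TTL)
    return user.email, token

def redeem_reset(users, token, new_password, new_answer=None, now=None):
    """Consume the token once; set the new password and, only if one was given, a new answer."""
    entry = _pending.pop(hashlib.sha256(token.encode()).digest(), None)   # pop => single use
    if entry is None:
        return False
    username, expiry = entry
    if (now or time.time()) > expiry:
        return False
    user = users[username]
    user.password = hash_secret(new_password)
    if new_answer:   # otherwise the existing answer record is left alone
        user.answer = hash_secret(new_answer)
    return True
```

A password-only reset leaves the old answer verifiable, which is the behaviour the second answer recommends; an expired or already-used token is rejected without touching the account.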