Best Practices for Security Questions in Web Apps

I'm working on a web application where (believe it or not) the users aren't required to provide their email address to sign up. These requirements cannot change. The users will log in to the system with an id and password just like on any standard web site. The problem I'm facing has to do with users who have forgotten their password. When they want to generate a new one, how do I verify their identity?

Initially, I was going to make the users choose a security question (from a list of 5) and provide an answer. If they ever entered the Forgot Password page, they would then have to enter their login id, as well as the answer to their security question. This seems slightly insecure, as the answers to these types of questions (mother's maiden name, birth town, etc.) are generally not that hard to acquire.

So here are some of my questions:

  • Are security questions the best approach to this problem?
  • If so, what are the best questions?
  • How many questions should a user be required to enter the answers for?
  • Is it necessary to put a CAPTCHA on the Forgot Password page?
  • Is it better for users to generate their own questions?

Any help/comments/literature on this matter would be greatly appreciated.

Zakir Hemraj asked Nov 27 '25 17:11


1 Answer

I can't recall the location, but if you do a Google search on knowledge-based authentication, you'll find that Q&A authentication is very weak. One significant problem is entropy (possible randomness) of potential answers and of actual answers. If you ask for a favorite color, there's really only a very small list of colors that most users will select. This might be worth 1 bit of entropy. Then, if you asked a second question, such as the city where you grew up, this might get you another bit or two of entropy (in Mexico, there's something like a 30% chance for each of 3 cities for this answer).

One estimate that I saw was that, to get equal strength to an 8 character password, you'd need about 26 questions.

That said, you might be able to do other things to contact the user. You could try sending a text message to the user, instead of an email - does the user register a phone number? You might have the user store a certificate on their computer, which they can upload along with the password reset request (you'd have to make an effort to ensure this cert was tied to the computer). You might do a post-signup thing, where the user could submit an email address.

Good luck!
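A worked version of the entropy argument in the answer above, as an added example that is not part of the original post. The answer distributions are constructed for illustration (the city one follows the "three cities at ~30%" figure from the answer), not survey data; the functions estimate per-question entropy, how many independent questions would match a random 8-character password, and how often an attacker limited to k reset attempts succeeds by guessing the most popular answer combinations.

```python
import math
from itertools import product
from typing import Dict, List

# Constructed, illustrative answer distributions (not survey data). Each maps
# an answer to the fraction of users assumed to give it.
FAVORITE_COLOR: Dict[str, float] = {
    "blue": 0.35, "red": 0.20, "green": 0.15,
    "purple": 0.10, "black": 0.10, "other": 0.10,
}
# The answer's Mexico example: three cities at ~30% each, the rest elsewhere.
HOME_CITY_MX: Dict[str, float] = {
    "Mexico City": 0.30, "Guadalajara": 0.30, "Monterrey": 0.30, "other": 0.10,
}


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Average information in an answer: -sum(p * log2 p)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Worst-case strength: -log2(most common answer). This, not Shannon
    entropy, is what a guesser who tries the most popular answer faces."""
    return -math.log2(max(dist.values()))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def questions_needed(target_bits: float, bits_per_question: float) -> int:
    """Independent questions needed to reach target_bits. Real answers are
    correlated (home city predicts language, etc.), so this underestimates."""
    return math.ceil(target_bits / bits_per_question)


def top_k_guess_success(dists: List[Dict[str, float]], k: int) -> float:
    """Probability that someone allowed k attempts (e.g. before lockout or
    CAPTCHA kicks in) succeeds by trying the k most popular combinations."""
    joint = sorted((math.prod(ps) for ps in product(*(d.values() for d in dists))),
                   reverse=True)
    return sum(joint[:k])


if __name__ == "__main__":
    for name, d in (("favorite color", FAVORITE_COLOR), ("home city", HOME_CITY_MX)):
        print(f"{name}: {shannon_entropy_bits(d):.2f} bits average, "
              f"{min_entropy_bits(d):.2f} bits worst case")
    pw = password_entropy_bits(8, 95)
    print(f"8-char printable-ASCII password: {pw:.1f} bits -> "
          f"{questions_needed(pw, 2.0)} two-bit questions to match")
    print(f"3 tries at color+city: {top_k_guess_success([FAVORITE_COLOR, HOME_CITY_MX], 3):.1%}")
```

The gap between the Shannon and min-entropy figures is the point: a question looks better on average than it does against someone who just guesses the most common answer, which is why an attempt limit on the reset page matters more than the question wording.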