I am using ASP.NET Forms Authentication. I am storing passwords in hashed format and I do require a question and answer. My question is: what happens if a user forgets his security question's answer and his password? Without that I won't be able to generate a random password. What happens in such a case? Is the user left with the only option of creating a new account? Or should I link a table to store his question and answer in plain text and then pass the answer while resetting the password? I am sure you guys have seen this a lot of times. How can I solve this?
Any suggestions are welcome.
Thanks

- You might want to ask this on [security.se] – AakashM Apr 24 '12 at 13:45
- Look into the Membership class; this class can help to automate this stuff for you. For example, in one of my systems, if the password is forgotten they answer their secret question and the system emails them their password. – peroija Apr 24 '12 at 13:45
- @peroija what happens if they don't know the answer also? – Priyank Patel Apr 24 '12 at 13:46
- @AakashM I don't think so; this question is suitable for this site as well. – Priyank Patel Apr 24 '12 at 13:46
- You should read [The Definitive Guide To Forms based Website Authentication - Don't. Never ever use 'secret questions'](http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication). – Erik Philips Apr 26 '12 at 05:55
- @ErikPhilips, thanks, I will read it. Thanks – Priyank Patel Apr 26 '12 at 05:59
3 Answers
As others have said, this question is not really a programming question, and more of a security design question and would be better answered in http://security.stackexchange.com .
That being said, if the security needs of your website are relatively low (not bank level security), I think it's sufficient to email a new password to the email address that you have on file for the user. If the user is able to authenticate with their email provider, then they have proven that they are themselves (assuming their email account hasn't been compromised). This is how many web sites operate.

Should the user not know his/her question/answer, you can always have the system send an email with a link to a password recovery page. Here you could ask them questions that they SHOULD know the answer to, based on more sensitive information that they entered when they created the account (their name, DOB, etc.).
Be warned that this should only be done if your site is nothing like a bank site and only if it is a low-security site. Otherwise follow Walter's and AakashM's advice and post on the security forum.

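The reset-by-email flow that the first two answers describe (send something to the address on file, then let the user set a new password), as an added example that is not part of either answer and is not ASP.NET Membership code. It is written in Python because the pieces that matter are framework-agnostic: a random single-use token that the server stores only as a hash, a short expiry, and a constant-time comparison when the link is used. Unlike the first answer's approach, no password ever travels by e-mail; the link carries a token whose only power is to set a new password. The account record, the fake clock and the names `PasswordResetService` and `make_demo_service` are constructed for the illustration and are assumptions, not anything the page defines.

```python
"""Token-based password reset: e-mail a short-lived, single-use link instead
of a password. Added illustration; the user record and clock are constructed
inline and are not real data."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # reset links expire quickly
PBKDF2_ROUNDS = 200_000       # slow, salted password hashing for the stored credential


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt. Returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordResetService:
    def __init__(self, users: dict, clock=time.time):
        # users: username -> {"email": str, "salt": bytes, "pw_hash": bytes}
        self.users = users
        self.clock = clock
        self._pending = {}    # username -> (sha256(token), expiry); only the hash is stored

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: the user submits the e-mail on file. Returns the raw token that
        goes into the e-mailed link, or None if no account matches. The HTTP
        response to the browser must be identical in both cases so the form
        cannot be used to enumerate accounts; only the e-mail differs."""
        for username, rec in self.users.items():
            if rec["email"].lower() == email.lower():
                token = secrets.token_urlsafe(32)
                token_hash = hashlib.sha256(token.encode()).digest()
                # A new request replaces any earlier link, so only the latest one works.
                self._pending[username] = (token_hash, self.clock() + TOKEN_TTL_SECONDS)
                return token
        return None

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        """Step 2: the link is opened and a new password submitted. The token is
        checked in constant time, must not have expired, and is consumed before
        the credential changes so it can never be replayed."""
        record = self._pending.get(username)
        if record is None:
            return False
        token_hash, expires_at = record
        if self.clock() > expires_at:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        del self._pending[username]                  # single use
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, pw_hash=digest)
        return True

    def verify_password(self, username: str, password: str) -> bool:
        """Ordinary login check against the salted PBKDF2 hash."""
        rec = self.users.get(username)
        if rec is None:
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["pw_hash"])


class FakeClock:
    """Controllable clock so the expiry path can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_demo_service(clock=time.time) -> PasswordResetService:
    """One constructed account (not real data) for trying the flow."""
    salt, digest = hash_password("OldPassw0rd!")
    users = {"alice": {"email": "alice@example.com", "salt": salt, "pw_hash": digest}}
    return PasswordResetService(users, clock)
```

Two things the block does on purpose: the pending table holds `sha256(token)` rather than the token, so a leaked database row cannot be turned into a working link; and the token is deleted before the new hash is written, so a second submission of the same link fails. In a real deployment the reset endpoint should also invalidate the user's existing sessions once the password changes, and the "we have sent you an e-mail" page must look the same whether or not the address exists.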
You should look over the following link I think it will help you. http://www.asp.net/web-forms/tutorials/security/admin/recovering-and-changing-passwords-cs
