Password Questions and Answers


I recently reset my password at PayPal's Web site. It was automated by a Web form that first challenged me to answer a couple of questions to prove my identity. One of them was, "What are the last four digits of your U.S. Social Security Number?" My first reaction was shock and outrage! How did PayPal discover my SSN? But after poking around a little bit, it turned out that when I first registered for my PayPal account (over eight years ago), I was asked to supply answers to a couple of security questions. I got to choose from a list of four questions, and apparently back then I figured that the last four digits of my SSN was something I'd remember easily, and seemed more palatable than giving away my mother's maiden name, which was one of the other choices. Ask any IT helpdesk worker, and they'll tell you that password reset is the most common ailment of users around the world. Automating password reset like PayPal does saves a lot of money.

Recall that the MembershipProvider.CreateUser method takes a question and answer. This is exactly what it's for: providing an alternative means to authenticate the user in case she misplaces her password. You may have also noticed that GetPassword and ResetPassword both take two arguments: username and answer. If a user forgets her password and wants to retrieve it or reset it, you can challenge her to answer a question the same way she answered it when she first created the account. The answer is really just an alternate password, if you think about it.

This feature is on by default for the SqlMembershipProvider, and if you rely on it, you need to make sure you get a question and answer from the user when she registers an account. The CreateUserWizard control (see Figure 5-8) will automate this for you, but it allows the user to supply any question she wants. What if, annoyed by your request, she supplies a question like, "What's two plus two?" Her account may very well be easy to compromise, or at least disrupt, if you allow an attacker to reset her password by answering this simple question. Questions like "What's my favorite color?" are also bad news. How long would it take a hacker to guess the answer to that question?

Figure 5-8. The CreateUserWizard control


Don't let the CreateUserWizard control fool you into thinking that the user must supply the question; keep in mind that just like PayPal does, you also can control the questions that a user must answer. (Here's another feature request in case the ASP.NET team is reading: allow me to easily switch the Security Question text box into a drop-down list where I get to control the questions!) Of course, if you decide to be responsible for the questions, don't force the user to supply personally identifiable information like his full Social Security Number. Security and privacy are a delicate balance.

If you require questions and answers, you'll probably want to allow the user to change her question and answer if she so desires. That's what the ChangePasswordQuestionAndAnswer method is for. Note that in this case, the user must supply her password before the Membership provider will allow the question and answer to be changed. As of this writing, there's no built-in control in ASP.NET 2.0 for automating this, but such a form is trivial to create.
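The following is an added example (not code from the book) that ties together the points above: the site supplies the list of allowed questions instead of letting CreateUserWizard accept free text, the reset path treats the answer as the alternate password via ResetPassword, and changing the pair goes through ChangePasswordQuestionAndAnswer with the current password. It assumes the default SqlMembershipProvider with requiresQuestionAndAnswer enabled; the class and question list are hypothetical.

```csharp
using System;
using System.Web.Security;

public static class QuestionAndAnswerDemo
{
    // The site, not the user, decides which questions are acceptable
    // (hypothetical list; avoids SSN, maiden name and guessable trivia).
    public static readonly string[] AllowedQuestions =
    {
        "What was the name of your first teacher?",
        "What was the make of your first car?",
        "In which city did you hold your first job?"
    };
    // Registration: the question is picked from the list, not typed in.
    public static MembershipUser Register(string userName, string password,
        string email, int questionIndex, string answer)
    {
        if (questionIndex < 0 || questionIndex >= AllowedQuestions.Length)
            throw new ArgumentOutOfRangeException("questionIndex");
        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(userName, password, email,
            AllowedQuestions[questionIndex], answer.Trim(), true, out status);
        if (status != MembershipCreateStatus.Success)
            throw new InvalidOperationException(status.ToString());
        return user;
    }
    // Reset step 1: show the stored question to the user (never the answer).
    public static string QuestionFor(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user == null ? null : user.PasswordQuestion;
    }
    // Reset step 2: the answer acts as an alternate password. Returns the new
    // generated password, or null on a wrong answer (the SQL provider also
    // counts wrong answers toward maxInvalidPasswordAttempts).
    public static string ResetWithAnswer(string userName, string answer)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null) return null;
        try { return user.ResetPassword(answer); }
        catch (MembershipPasswordException) { return null; }
    }
    // Changing the pair requires the current password, as the text notes.
    public static bool ChangeQuestion(string userName, string password,
        int questionIndex, string answer)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user != null && user.ChangePasswordQuestionAndAnswer(
            password, AllowedQuestions[questionIndex], answer.Trim());
    }
}
```

Returning null for both "no such user" and "wrong answer" keeps the reset form from confirming which usernames exist.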


Essential ASP.NET 2.0
ISBN: 0321237706
Year: 2006
Pages: 104