Forgotten Passwords

30 Aug 2005 - 12:34pm
Chris Ryan
2004

I've seen sites using both the "e-mail temporary password" and
"answer security question(s)" methods for resetting passwords. Does
anyone have any data on usability (or security) issues with either
one, or other (better) methods for dealing with forgotten password
problems?

Thanks,

Chris

Comments

30 Aug 2005 - 12:57pm
andersr
2005

I'm not aware of any data on this (I'm sure there is some out there)
but I don't know how valuable it would be, as selecting one or the
other of these (or a combination of the two or something completely
different) is tied to so much more than just usability, such as the
authentication technology (e.g. RSA) that may already have been chosen
and the level of your security concerns. For example, if email
addresses are used as usernames (which is pretty user-friendly but
would not be practical if, for example, your authentication technology
leverages active directory, due to the character restrictions),
emailing a temporary password might make more sense. At the same time,
a site with greater security concerns might first require responding
to a security question and then email out a temporary password. Other
solutions (depending on how the password is encoded) will send you
your actual password - more user-friendly, less secure. Another
solution, for users who have forgotten both username and password, is
to allow them to create a new username and password (I think
capitolone.com does this.)

If you have the luxury of being able to pick whatever password
recovery solution you want, allowing the user to recover it without
having to leave the site is probably best - i.e. answer the security
question with the secret answer right on the site and get your
password right there on the page.

-Anders

30 Aug 2005 - 1:08pm
Dave Malouf
2005

On 8/30/05 1:34 PM, "Chris Ryan" <chris at redrooffs.com> wrote:

> I've seen sites using both the "e-mail temporary password" and
> "answer security question(s)" methods for resetting passwords. Does
> anyone have any data on usability (or security) issues with either
> one, or other (better) methods for dealing with forgotten password
> problems?

My usability testing data suggests that the total process is more important
than the framework you use.

That being said, the more you force a user to remember the harder it is for
them. E-mailing their password is easy as it requires them to remember
nothing. Of course you have to validate their e-mail address previously. But
this isn't too hard to do.

Where I think most systems fail is that they only offer one method, and when
that method "fails" the user is left with no other options. I have seen this
(as well as been the victim of it).

Overall, security and usability often lie in opposition to each other, and
managing security is a challenge I most despise for that very reason.

-- dave

David Heller
http://synapticburn.com/
http://ixdg.org/
Dave (at) ixdg (dot) org
Dave (at) synapticburn (dot) com
AIM: bolinhanyc || Y!: dave_ux || MSN: hippiefunk at hotmail.com

30 Aug 2005 - 1:36pm
Danna Hudson
2005

> Does anyone have any data on usability (or security) issues with either
> one, or other (better) methods for dealing with forgotten password
> problems?

Useit.com has a good read "E-Commerce User Experience: Checkout &
Registration."

Purchase it at: http://www.nngroup.com/reports/ecommerce/checkout.html

Contains an entire section on Registration, Creating Passwords, Forgotten
Passwords, etc.

--
danna hudson
information architect

the designory
211 east ocean blvd suite 100
long beach ca 90802-4850

ph 562-624-0255
fax 562-432-3518
cell 949-533-4350

danna.hudson at designory.com


13 Sep 2005 - 3:03pm
cfmdesigns
2004

Chris Ryan <chris at redrooffs.com> writes:

>I've seen sites using both the "e-mail temporary
>password" and "answer security question(s)"
>methods for resetting passwords. Does anyone
>have any data on usability (or security) issues
>with either one, or other (better) methods for
>dealing with forgotten password problems?

Anecdotal: my partner's mother is staying with us
this week and wanted to access her MSN.com
e-mail. She couldn't remember the password, so
we went to the "Forgot password?" page. It had
two choices: she could have it send the password
to her account (which is kind of dumb, since she
would need the password to get the message *), or
it could send it to the alternate address
attached to her account ("For just, I say, for
*just* such an emergency"), which of course she
didn't have set up (and for which she would
presumably need the password to get it set up).

MSN help to the rescue. it said we could set up
the alternate from outside the account by going
to the main My MSN page (convenient link
supplied) and click the "Credentials" link, which
would presumably ask you the secret question or
whatever. Except... the link went to the main
MSN.com page, which -- you guessed it -- has no
"Credentials" link.

Sorry, Janell. SOL.

(* - I acknowledge that there may be times you
need the
saved-on-your-computer-so-you-don't-need-to-remember-it
password sent to you while you're in your account
already. But it sure seemed braindead at the
time.)
--

----------------------
Jim Drew jdrew at adobe.com
Bridge QE

13 Sep 2005 - 3:25pm
Peter Bagnall
2003

On 13 Sep 2005, at 21:03, Jim Drew wrote:
>> I've seen sites using both the "e-mail temporary password" and
>> "answer security question(s)" methods for resetting passwords. Does
>> anyone have any data on usability (or security) issues with either
>> one, or other (better) methods for dealing with forgotten password
>> problems?
>
> Anecdotal: my partner's mother is staying with us this week and wanted
> to access her MSN.com e-mail. She couldn't remember the password, so
> we went to the "Forgot password?" page. It had two choices: she could
> have it send the password to her account (which is kind of dumb, since
> she would need the password to get the message *), or it could send it
> to the alternate address attached to her account ("For just, I say,
> for *just* such an emergency"), which of course she didn't have set up
> (and for which she would presumably need the password to get it set
> up).

For these master passwords (ie, the one you need to get at all your
other passwords) I generally recommend people force themselves to type
them in regularly. That way the chances of them forgetting them are
reduced. You only need to do it with one password, let your muscle
memory take the strain! So I don't think much of these features which
let you log on to your computer without a password. It removes a simple
training opportunity. Both my parents (my Dad is 80 btw) login with a
password whenever they use the computer, and neither of them have ever
had any trouble with it. Of course if that password is the same as
their email password (which might not be hugely secure, but is easy)
then they are very unlikely to forget it ever. Sometimes these labour
saving devices make life worse ;-)

Of course this breaks if you force people to change passwords regularly
etc, but most systems don't.

Cheers
--Pete

----------------------------------------------------------
Peace and friendship with all mankind is our wisest policy,
and I wish we may be permitted to pursue it.
- Thomas Jefferson, 1743 - 1826

Peter Bagnall - http://people.surfaceeffect.com/pete/

13 Sep 2005 - 3:51pm
Rajesh Sidharthan
2005

Totally agree with Pete,
I am not a big fan of that "Remember me" check box below login areas.
It's more of a style than a useful feature.
Everyone likes to be remembered, but no one uses it. Not even on their
home computers :)

</raj>


13 Sep 2005 - 4:49pm
Todd Warfel
2003

On Sep 13, 2005, at 4:51 PM, Rajesh Sidharthan wrote:

> Totally agree with Pete,
> I am not a big fan of that "Remember me" check box below login
> areas. It's more of a style than a useful feature.
> Everyone likes to be remembered, but no one uses it. Not even on
> their home computers :)
>
> </raj>

I couldn't disagree more. Over the past five years, we've tested
dozens of websites and web-based applications and the "Remember me"
feature is something that is not only highly used, but one of the
most requested features. I can't tell you the number of times we've
tested applications without it, only to end up with frustrated
participants (users/consumers).

Cheers!

Todd R. Warfel
Partner, Design & Usability Specialist
Messagefirst | making products & services easier to use
--------------------------------------
Contact Info
Voice: (607) 339-9640
Email: todd at messagefirst.com
AIM: twarfel at mac.com
Blog: http://toddwarfel.com

--------------------------------------
Problems are just opportunities for success.

13 Sep 2005 - 6:19pm
Peter Bagnall
2003

Just to clarify, I wasn't recommending that "remember me" options
shouldn't be used on websites. I tend to use "remember me" functions on
websites where they exist, since it saves hassle, which is a good
thing, and if I forget the password the OS will have it so I can find
it out should I need it. Failing that I can reset it on the whole. I
don't want to have to remember the password for every website I use.

Of course to reset a password you need to get to email, so remembering
the password for that is very useful, and being forced to retype it
from time to time helps there. The only passwords you really *have* to
remember though are typically login and email, or for some maybe just
email. For all the rest, leave it to the tools!

So I wasn't actually advising against "remember me" functionality on
the web. Just for those few vital passwords that you can't recover in
any other way.

Sorry to be disloyal and disagree Raj ;-)

--Pete

----------------------------------------------------------
I would feel more optimistic about a bright future for man if
he spent less time proving that he can outwit Nature and more
time tasting her sweetness and respecting her seniority.
- Elwyn Brooks White, 1899 - 1985

Peter Bagnall - http://people.surfaceeffect.com/pete/

14 Sep 2005 - 2:10am
nuritps
2010

> going to the main My MSN page (convenient link supplied) and click the
> "Credentials" link, which would presumably ask you the secret question or
> whatever. Except... the link went to the main MSN.com page, which -- you
> guessed it -- has no "Credentials" link.

--------

Any thoughts or testing about the secret question?
We have it in our application and some people here thought it should be
mandatory... As for now most users do not use it, and then if they forget
the password the application cannot assist them.
I usually fill in the secret question, but that doesn't mean much, obviously
:)

Nurit

Nurit Peres
Analysis & Usability Manager
:: nurit.peres at ams-sys.com <mailto:nurit.peres at ams-sys.com>

14 Sep 2005 - 2:43am
Peter Bagnall
2003

On 14 Sep 2005, at 06:38, Tori Egherman wrote:
> I'm coming into the middle of this conversation, so I do not know if
> anyone else has written this, but I have to totally recommend the
> (geez, what is the name of the William Shatner company?) Priceline
> method. I haven't used it in a couple of years, but I remember how
> easy it was. You log on with your email address, it asks you your
> secret question, & voila! you are in! You have no password. Just a
> question that you have asked yourself.

You have to be pretty careful with asking yourself a question. Most
questions people are likely to use are either public knowledge or can
be found out just by asking the person. I can't remember where I heard
this, but there was an experiment carried out where the experimenter
interviewed people, and asked them about their passwords. In most cases
people revealed their password during the conversation. Things like "I
use my cat's name", then later in the conversation the interviewer
mentions cats in some other context, and asks the person if they have a
cat, and when they say yes, asks for the name. Having people pick their
own question opens the doors to that kind of social engineering. That's
the reason I'm not a fan of the "secret question" for password
recovery.

> And passwords in general? I heard a security expert recommend having
> one or two passwords that you never change.

I'd recommend that too. It's a good trade off between security and ease
of use. And if you never change it you can make sure it's a good strong
password.

--Pete

----------------------------------------------------------
For a successful technology, reality must take precedence
over public relations, for Nature cannot be fooled.
- Richard Feynman, 1918 - 1988

Peter Bagnall - http://people.surfaceeffect.com/pete/

14 Sep 2005 - 3:20am
Hegle Sarapuu
2005

Hi,

I prefer e-mail sending... but one more piece of functionality is required.
After the e-mail is sent, you have to change the password; it cannot be the user's choice, because they never change it. The e-mail address has to be in the database beforehand.
If you use a "remember me" checkbox, people forget their passwords more often because they don't use them. And it isn't safe, because it is easier to steal your computer and get all the information you need, even what is not on your computer.
If it is possible, you can use other, more secure sites to remember your site. Or log in to your site through a more secure site and change the password. A good example is a bank account. You have been to the bank to get your account. In Estonia, most very personal databases with very personal information are accessible using a bank account. And all respectable banks have that kind of service. Of course it is possible to use an identification card. It is a physical card which has certificates to identify its user, and it uses a PIN code for that. Or you can make up binary certificates. It all depends on what kind of data you are protecting. Maybe you can make up webcam identification or microphone identification? Or maybe you can use domain identification? They all can recover a password, or just some can replace them.

Best regards,
Hegle Sarapuu

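As an added example (not code from this thread or from any site discussed in it), the Python sketch below implements the "e-mail a temporary credential" flow the way Hegle and Dave describe it: the address must already be on record and verified, the mailed credential is a random, single-use, time-limited token stored only as a hash, and it can only be redeemed by choosing a new password, so it never becomes a password the user forgets to change. The in-memory USERS table, the 15-minute lifetime and all function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory user table for this example; a real site keeps it in its database.
# Only an address that was verified when the account was created may receive a reset.
USERS = {
    "alice": {"email": "alice@example.invalid", "email_verified": True, "pw": None, "reset": None},
    "bob": {"email": "bob@example.invalid", "email_verified": False, "pw": None, "reset": None},
}

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime: the mailed credential dies after 15 minutes


def _password_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash for the real password (PBKDF2-HMAC-SHA256)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if not user or not user["pw"]:
        return False
    salt, stored = user["pw"]
    _, candidate = _password_record(password, salt)
    return hmac.compare_digest(stored, candidate)


def issue_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use, time-limited reset token and return it for e-mailing.

    Returns None for an unknown account or an unverified address. The caller should
    show the same "if the account exists, mail was sent" message in every case so
    the reset page does not reveal which addresses are registered.
    """
    user = USERS.get(username)
    if not user or not user["email_verified"]:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    # Store only a hash of the token: a leaked table does not yield working resets.
    user["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token  # send this, and only this, to user["email"]


def redeem_reset(username: str, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Consume the token and set a new password.

    The token is never usable as a password itself: the only thing it can do is
    authorise choosing a new one, so there is nothing left for the user to forget
    to change afterwards.
    """
    user = USERS.get(username)
    if not user or not user["reset"]:
        return False
    now = time.time() if now is None else now
    record = user["reset"]
    if now > record["expires"]:
        user["reset"] = None  # expired: discard it so it cannot be retried later
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(record["token_hash"], presented):
        return False
    user["reset"] = None  # single use: consumed before the new password is stored
    user["pw"] = _password_record(new_password)
    return True


if __name__ == "__main__":
    tok = issue_reset("alice")
    print("mail to", USERS["alice"]["email"], "a link carrying", tok)
    print("redeemed:", redeem_reset("alice", tok, "correct horse battery staple"))
    print("second use rejected:", not redeem_reset("alice", tok, "another"))
```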

14 Sep 2005 - 12:38am
Tori Egherman
2005

I'm coming into the middle of this conversation, so I do not know if
anyone else has written this, but I have to totally recommend the
(geez, what is the name of the William Shatner company?) Priceline
method. I haven't used it in a couple of years, but I remember how
easy it was. You log on with your email address, it asks you your
secret question, & voila! you are in! You have no password. Just a
question that you have asked yourself.

And passwords in general? I heard a security expert recommend having
one or two passwords that you never change. My problem now is
remembering my login name...

Tori

14 Sep 2005 - 5:09am
eryk orłowski
2005

On 9/14/05 7:38, "Tori Egherman" <tori.egherman at gmail.com> wrote:

> I'm coming into the middle of this conversation, so I do not know if
> anyone else has written this, but I have to totally recommend the
> (geez, what is the name of the William Shatner company?) Priceline
> method. I haven't used it in a couple of years, but I remember how
> easy it was. You log on with your email address, it asks you your
> secret question, & voila! you are in! You have no password. Just a
> question that you have asked yourself.
>

What about the Paris Hilton case? Do you believe users will give anything
better than their favourite pet's name? You can give them a choice from a
closed list of questions, but if there is anything more sophisticated than a
user would work out, we will go back to the starting point of the password problem.

regards

--
eryk "eof" orłowski || gg# 2765 || uin# 99692537

14 Sep 2005 - 6:35am
Luis Silva
2005

About only having one password imagine this scenario:

I have a very interesting discussion board so you create an account there
using your email and your only password, which are recorded in my database.

Suppose that I have suspicious intentions; I would try paypal, ebay, online
banking accounts that I have spotted in emails in your hotmail account,
etc...

Or suppose that someone hacks into my database and steals all the account
details...

What's the alternative? I use different passwords according to the
credibility of the site on which I am creating an account, i.e. in ascending
order of credibility: discussion boards and mailing lists, emails, the
workstations in my company, and lastly internet banking.

You can say: no one will test all the accounts on the database on Paypal,
etc. Actually it's not very difficult to write a program to test passwords
on login forms.

About the secret question, I think it is very useful, but the user must be
aware that the secret question/answer is like a password, so she/he must
provide something that only she/he can answer, that information is lacking
on most sites or not too clearly explained.

Regards

Luis Silva

PS: The secret question has come to my rescue a couple of times.


14 Sep 2005 - 6:58am
nuritps
2010

> About only having one password imagine this scenario:
> Or suppose that someone hack into my database and stole all account
> details...
>
> Luis Silva

I agree, one password is a great risk, and more than that, if your company
complies with ISO security standards it requires you to change the password
every 90 days or so... So even my windows password changes from time to
time...

Nurit

Nurit Peres
Analysis & Usability Manager
:: nurit.peres at ams-sys.com <mailto:nurit.peres at ams-sys.com>

14 Sep 2005 - 7:38am
Todd Warfel
2003

On Sep 14, 2005, at 4:20 AM, Hegle Sarapuu wrote:

> If you use remember me checkbox people forget their passwords more
> often because they don’t use them. And it isn't safe because it is
> easier steel your computer and get all the information what you
> need even what is not in your computer.

That's not likely unless it's an assigned password. Typically, people
have 1-3 passwords that are used for pretty much everything. Secure
or not, that's reality. So, it's very unlikely they'd forget the
password - they might just forget which one they used and have to try
multiple times. The trying multiple times is what frustrates people
(in addition to simply having to type it in in the first place) -
that's what we've observed anyway.

Cheers!

Todd R. Warfel
Partner, Design & Usability Specialist
Messagefirst | making products & services easier to use
--------------------------------------
Contact Info
Voice: (607) 339-9640
Email: todd at messagefirst.com
AIM: twarfel at mac.com
Blog: http://toddwarfel.com

--------------------------------------
Problems are just opportunities for success.

14 Sep 2005 - 7:59am
Peter Bagnall
2003

On 14 Sep 2005, at 12:35, Luis Silva wrote:
> Suppose that I have suspicious intentions, I would try paypal, ebay,
> online banking accounts that I have spotted in emails in your hotmail
> account, etc...

This attack has already been carried out at least once in the wild. A
site was set up where you had to register to fill in a survey about
your online habits. I don't remember the details precisely but I would
imagine "win $5000" would probably get quite a few responses. By
forcing people to register they got a password. In the survey they
asked about where you buy from, and then of course knew exactly which
sites to try the password on. So having a different password for each
site is definitely more secure. And that's where tools to remember them
for you become useful.

> About the secret question, I think it is very useful, but the user must be
> aware that the secret question/answer is like a password, so she/he must
> provide something that only she/he can answer, that information is lacking
> on most sites or not too clearly explained.

In fact it's worse than that, many sites suggest questions which are
inherently insecure. Mostly they are ok against online attackers, since
those people are unlikely to know your personal information, but
against people who know you it's pretty wide open.

On the whole I would argue that the risk of having your password
emailed to you is lower than the risk of having a secret question
system. Of course what we really need is encrypted email. That would
make many of these problems much simpler to deal with.

Cheers
--Pete

----------------------------------------------------------
There are three kinds of death in this world. There's heart death,
there's brain death, and there's being off the network.
-Guy Almes

Peter Bagnall - http://people.surfaceeffect.com/pete/

14 Sep 2005 - 11:40am
Rajesh Sidharthan
2005

Asking a hint question for password retrieval/reset can be tricky too.
A few years ago, Yahoo Mail used to expose the real password to an
account if you answered the hint question, and the default hint questions
used to be the standard "mother's maiden name" and "city where I was born".

</raj>

Peter Bagnall wrote:

> On 14 Sep 2005, at 06:38, Tori Egherman wrote:
>
>> I'm coming into the middle of this conversation, so I do not know if
>> anyone else has written this, but I have to totally recommend the
>> (geez, what is the name of the William Shatner company?) Priceline
>> method. I haven't used it in a couple of years, but I remember how
>> easy it was. You log on with your email address, it asks you your
>> secret question, & voila! you are in! You have no password. Just a
>> question that you have asked yourself.
>
>
> You have to be pretty careful with asking yourself a question. Most
> questions people are likely to use are either public knowledge or can
> be found out just by asking the person. I can't remember where I heard
> this, but there was an experiment carried out where the experimenter
> interviewed people, and asked them about their passwords. In most
> cases people revealed their password during the conversation. Things
> like "I use my cat's name", then later in the conversation the
> interviewer mentions cats in some other context, and asks the person
> if they have a cat, and when they say yes, asks for the name. Having
> people pick their own question opens the doors to that kind of social
> engineering. That's the reason I'm not a fan of the "secret question"
> for password recovery.
>
>> And passwords in general? I heard a security expert recommend having
>> one or two passwords that you never change.
>
>
> I'd recommend that too. It's a good trade off between security and
> ease of use. And if you never change it you can make sure it's a good
> strong password.
>
> --Pete
>
> ----------------------------------------------------------
> For a successful technology, reality must take precedence
> over public relations, for Nature cannot be fooled.
> - Richard Feynman, 1918 - 1988
>
> Peter Bagnall - http://people.surfaceeffect.com/pete/
>

14 Sep 2005 - 7:41pm
cfmdesigns
2004

Rajesh Sidharthan <rajesh.sidharthan at oracle.com> writes:

> I am not a big fan of that "Remember me" check box below login
> areas. It's more of a style than a useful feature. Everyone likes
> to be remembered, but no one uses it. Not even on their home
> computers :)

They don't? Mr. Nobody, over here.

Safari's password remembering usually does the job better, and I use
it, too, but I use "Remember Me" and variants on sites for the NY
Times, airlines, book clubs, niche community websites, and especially
on Yahoo! There, it only does a so-so job, since I use two Yahoo!
IDs, but it's a lot better than signing in every time (average of at
least once a day).

It's especially useful on those sites which have password requirements:
is this the one which requires a digit? A minimum of eight
characters? No capital letters? If there's no Remember Me feature,
I inevitably have to request my password every time.

Jim Drew
Seattle, WA

14 Sep 2005 - 8:02pm
Johndan Johnson...
2005

I use this feature extensively as well, on the four secure computers I
use (but obviously not the public access ones) and for literally dozens
of sites (ranging from NYT to discussion boards to review sites).

I admit to not having caught the first part of this thread, but I don't
see the drawback to using the feature. It saves users time in
remembering what password they've had to use on the site (since sites
vary in their requirements--some have different minimum lengths, some
require letters and numbers, etc.).

I don't use it for sites where I've stored financial data (my bank,
amazon.com, etc.), but for low-risk sites (where my account being
compromised has relatively little negative effect), I'd rather have the
box to check. (And, frankly, there are sites where I've been forced to
use a bizarre username or password for some reason and that don't offer
"remember me": I end up not using those sites.)

- Johndan


14 Sep 2005 - 7:42pm
cfmdesigns
2004

"Nurit Peres" <nurit.peres at ams-sys.com> writes:

> Any thoughts or testing about the secret question?
> We have it in our application and some people here thought it should be
> mandatory... As for now most users do not use it, and then if they forget
> the password the application cannot assist them.
> I usually fill in the secret question, but that doesn't mean much, obviously.

I personally prefer more flexibility than that gives, and more
security. As others have mentioned, there are a handful of
frequently used secret questions and easy ways of getting the answers
out of people.

Mac OS X, for example, allows the user to enter a Password Hint. The
user could put in something standard like "cat's name" or "favorite
super-hero" or obscure like "3.14159" where the password is "cherry8"
(8 slices in their favorite "pi"). The point being to let the user
give what will clue the user to their password.

Jim Drew
Seattle, WA

15 Sep 2005 - 3:52am
Ben Hunt
2004

I have designed a system, ID+, that originally aimed to facilitate all kinds
of social networking applications on a common, open-source, extensible
platform. I mentioned it on here a few months ago.

It can also solve the password-security problem, which this discussion has
highlighted: that of using the same usernames & passwords on multiple sites.

ID+ works with the concept of a secure account on a server somewhere, which
you set up through a 'client' (a web site or desktop IM thing etc.) All
communication with the account is secure.

You can assign rights to other clients for certain things.

One of these things could be 'verify my identity'. For a web site, this
would work by:

See http://www.idplus.org/view_thread.cfm?t=10 for a short step-by-step
description.

ID+ is still a concept looking for an audience. I was hoping to be assigned
one or two CS Masters students this year, who would take it forward, but
this hasn't happened. If anyone's interested in the idea, it's totally open,
so please take it and run with it. See the site http://www.idplus.org/ for
more about it.

Cheers,

- Ben

16 Sep 2005 - 3:08am
Tricia (Bluesky...
2005

I have seen e-mail verification for lost passwords coming up with higher success rates on usability and security than question and secret answers.
Adaptive path was one place I saw a report comment on this.

http://www.adaptivepath.com/

I believe Amazon have implemented a novel approach to forgotten passwords, haven't checked it out yet though.

Regards
Tricia
Blueskyconsult


16 Sep 2005 - 11:04am
Chris Ryan
2004

On Sep 16, 2005, at 1:08 AM, Tricia (Bluesky Consult) wrote:

> I have seen e-mail verification for lost passwords coming up with
> higher success rates on usability and security than question and
> secret answers.
> Adaptive path was one place I saw a report comment on this.

This method is not always possible; for instance I am working on
forgotten password functionality for IP telephony, and users may not
have access to e-mail.

Chris

16 Sep 2005 - 12:14pm
Luis Silva
2005

A lot has been talked about this subject, but on one thing I think we all
agree... the login panel procedure is the most tedious task we face on the
www. I think a way around it is a certificate system that allows you to have
a unique identifier on the web (this is not a utopia, check the DNS name
for instance) and every time you request permission to somewhere your
credentials are validated and your access granted, everything happening in
the background.

I reckon that this is the way to go; the password paradigm only lives on the
web, in everyday life it is completely gone.

Can I have your thoughts on this?

Best

Luis


24 Aug 2007 - 7:46am
AJ Kock
2007

I like the way WordPress does it. They just email you a new password if you have forgotten yours. For more important things like banks, I like what my one bank is doing. They SMS you a key to type into your session, otherwise everything you have done during the session becomes void. This is great if someone guessed your password, but doesn't have your phone.
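The reset-code handling behind the "e-mail a temporary password" approach discussed throughout this thread and the SMS key above, as an added example that is not part of the thread or any product mentioned in it; the function names, the 15-minute window, the 8-digit code and the attempt budget are this example's own assumptions.

```python
"""Added example, not from the thread: a single-use, time-limited reset code.

Only a hash of the code is stored, so a copied account table yields no usable
codes; the code expires, is consumed on first use, and a small failure budget
keeps a short numeric code (fit for SMS or a phone keypad) from being guessed.
All names and limits here are this example's own assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed validity window
MAX_ATTEMPTS = 5            # assumed failures allowed before the code is voided

_pending = {}  # constructed in-memory store: account -> pending reset record


def _digest(account, code):
    # Bind the digest to the account, so a code for one account is useless for another.
    return hashlib.sha256(f"{account}:{code}".encode()).digest()


def issue_code(account, now=None, digits=8):
    """Create a fresh numeric code for `account` and return it for out-of-band delivery."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    _pending[account] = {"digest": _digest(account, code),
                         "expires": now + CODE_TTL_SECONDS,
                         "failures": 0}
    return code  # sent by e-mail, SMS or voice; the plaintext is never stored


def redeem_code(account, code, now=None):
    """Consume the pending code: True exactly once, for the right code, in time."""
    now = time.time() if now is None else now
    rec = _pending.get(account)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[account]
        return False
    if not hmac.compare_digest(rec["digest"], _digest(account, code)):
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            del _pending[account]  # too many guesses: the user must start over
        return False
    del _pending[account]  # single use: success also removes the record
    return True
```

The same record shape works whether the code travels by e-mail or by phone, which matters for the IP telephony case Chris raises, where users may have no mailbox at all.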
