|
Synopsis: Keep a hint that helps a user remember his or her password.
A hint is a message that helps a user remember a forgotten password. This does not improve security, but it does improve the practical use of passwords. The system should usually encourage users to use a hint that relies on information not many people would know. For example, "My first pet's name" may be a reasonable hint. A more common and thus less secure hint is, "My mother's maiden name."
You may want to use some security, including the use of another password, to make the hint available only to someone with a little information. For example, you might make hints available only to someone that know's a person's ID number.
Previous Pattern: Password Lock Box
Contributors: Steve Metsker
This pattern has some interesting memory-aid implications relative security. For example, I wouldn't want my password to be my mother's maiden name, because anyone could know that. But it seems that a Password Hint could serve as the initiation for a Private Word Association, and so can be part of how we remember a password and how we generate it. Using a Private Word Association that can't be remembered easily defeats the purpose. -- EugeneWallingford
I'm not sure about this pattern. Something like "mother's maiden name" is used for identification purposes if you call in when you have to inquire about your forgotten password. So it is like a simpler password to get back to your original password. -- DirkRiehle
Yes, I think that's so. That's why I think the hint mechanism should be implemented with some of the same care that the password is. This leads to something of an infinite regress, I suppose. -- EugeneWallingford
My mother's maiden name has another large problem. With the growth of internet genealogy, obtaining this information has become trivial. -- Nick Leaton
|