Password reset challenge questions: More trouble than they are worth?

Keith Brown states that password “security questions are considered dangerous” in the context of web applications, in particular as it relates to the new Membership Provider functionality in ASP.NET 2.0, because “there’s nothing stopping the user from asking a question that is easily answered by a 6 year old.”

This is an excellent point and raises some important questions, especially as companies seek ways to reduce help desk and administrative IT support costs. Is it enough to leave the security of your web applications or network resources in the hands of your users with a simple question/answer password reset challenge model?

Self-service password reset solutions sound very appealing for a number of reasons, especially so in the enterprise space. One reason, certainly, is the focus on reducing IT support costs and loss of employee productivity. Gartner says that companies can save anywhere from $51 to $147 per call by providing a self-service password reset solution[1]. If that sounds like a lot of money each time a user picks up the phone to call the help desk, you’re right, because it ties up both the help desk operator and the employee. Multiply this by the number of systems where the user has identity information (on average 16!), and this cost can be significant. Consider also that in most larger companies it is estimated that up to a third of help desk call volume is dedicated to password reset tasks.

Some might recommend that we do away with password resets altogether, as the risk they pose is too great to be worth the promised cost savings. Alun Jones suggests that we might be better off doing away with self-service resets and instead taking a walk down to the security office and showing physical ID before a password is reset, or using any other method than self-service, such as requesting a reset and having your new password mailed to your manager.

Is there an acceptable middle ground to be found? Given the significant cost savings that might be had by implementing a self-service password reset solution, what would it take to do it right?

Perhaps it may take multi-factor evidence to assure non-repudiation of your identity. Maybe in addition to your password challenge question you would also have to swipe your smart card or answer several questions of varying difficulty depending on your organizational role, for example.

The takeaway from this discussion is that self-service password resets are more complicated than they look, and that you should be careful about implementing this functionality without fully considering the potential risks involved. Microsoft has done a great job of providing us with a solid provider model to implement with ASP.NET 2.0, but let’s remember to pause and carefully evaluate the risks and benefits involved.

[1] Gartner Group, 2002, “Password Reset: Self-Service that you will love”

[tags: identity management, idm, password reset, self-service, membership provider, miis]


7 Responses to Password reset challenge questions: More trouble than they are worth?

  1. dfdads says:

    Some questions pose more serious threats than others and some can be quite difficult to decipher or crack. I have a list of good and bad questions at

  3. Users should definitely not be allowed to define their own challenge questions for any system that requires account integrity. This is placing responsibility for security in the hands of people who are generally the least educated on making good security decisions.

    I’ve addressed this and other challenge question authentication security issues in a white paper, which you can download for free here:

  4. Brian says:

    Solution – Biometric
    The only downside is hardware, but more and more PCs these days are coming equipped with fingerprint scanners and web cameras which facial recognition software can utilize. Open a bank account, get a free USB fingerprint scanner to access your account online. Imagine a world where no one had to remember a login ID, password, PIN, or their mother’s maiden name any more. The technology is there, we just need to scream louder at our CIOs to IMPLEMENT BIOMETRICS!!!!!

  5. Scott says:

    I completely disagree with Kirit. First, if the user has found a workstation unlocked (with or without Outlook running), the system has already been completely compromised. For a person of malicious intent, the last thing that will be done in a situation like that is a reset of the password. If the malicious person has access to another person’s logged in system, they will simply use that system to attain access to whatever they want.

    Now, in the case of rarely used systems that are separate from the workstation’s authentication environment (say, SAP, for example) where that separate system had an “email me a new password” feature, then yes, the hacker could ask for a new password, get it in the email client, write down the new password, delete the email, and then leave the workstation and use any other workstation that has connectivity to that separate system to authenticate as the other user. But again, this is likely a rare occurrence (mainly because there are few malicious people out there, by sheer numbers).

  6. Kirit says:

    John, the problem with that is, in an office environment it may be possible to find an unlocked computer running Outlook, but whose user normally has access to the system you want to gain entry to. You could then request a new password, read it in Outlook and then be in.

    Even auto-locking workstations leave a window of opportunity for an attacker to do something like this.

    What you propose works pretty well on the internet as it is harder for an attacker to gain entry to somebody’s email at the same time. Maybe not in an office environment, but it depends a lot on the exact office environment and the security required on the system in consideration and probably also on the role of the user on that system.

    Certainly another option for consideration though.

  7. John Anderson says:

    I agree that resetting the password with a simple question/answer isn’t very secure, but e-mailing them a security key for resetting their password should stop any would-be intruders because they’d also have to gain access to their e-mail to do anything malicious.
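The e-mailed reset key that John and Kirit discuss above, as an added example that is not part of the original post or its comments: the token is random, stored server-side only as a hash, expires after a short window (the 15-minute TTL and the in-memory store are assumptions), and can be redeemed exactly once, which keeps the window an intruder at an unlocked mail client would have as small as possible.

```python
"""Single-use, time-limited password reset tokens (illustrative, in-memory store)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute window keeps the exposure short


class ResetTokenStore:
    """Issues and redeems e-mailed reset tokens; only the SHA-256 of a token is kept."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (token_hash, expires_at); one outstanding token per user

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id; any earlier token for that user is discarded."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._pending[user_id] = (self._digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token  # the caller e-mails this value; it is never stored in clear

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]  # stale token: drop it so it can never be used later
            return False
        if not hmac.compare_digest(token_hash, self._digest(token)):
            return False  # wrong token: constant-time comparison, pending token kept
        del self._pending[user_id]  # single use: a replay of the same token fails
        return True


def demo() -> dict:
    """Walk through issue/redeem with a controllable clock; returns each outcome."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    tok = store.issue("alice")
    results = {
        "wrong_token": store.redeem("alice", "not-the-token"),
        "first_use": store.redeem("alice", tok),
        "replay": store.redeem("alice", tok),
    }
    tok2 = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1  # advance past the TTL
    results["expired"] = store.redeem("alice", tok2)
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the store would be the user database and a successful redeem would also invalidate the user's existing sessions.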
