Fog Creek Software
Discussion Board

Forgotten password

Hi Joel

What's your preference/suggestion in regards to handling the forgotten-password issue?


Tim Gordon
Wednesday, April 7, 2004

That's a hard problem and I don't think I have any good ideas about solving it :/

For relatively low security sites like membership sites, the system of using your email address as the user ID and providing a button which emails you your password seems to work OK.

Like any security issue, how careful you get depends a lot on the value of the thing you're protecting.

Joel Spolsky
Fog Creek Software
Monday, April 12, 2004

We have this problem, too.  Our service is something that some businesses use only once per year, so by the time they come back they don't even remember registering, much less what their login is.  We let them enter their email address and we send it to them, but many people have a new email address, and they don't use the old one anymore.  The only solution at that point is for them to call us.  I've thought of the "enter a security question" but they probably won't remember that either (and I hate those things).  If anyone has any other good ideas, I'd love to hear.

Monday, April 12, 2004

I am in the middle of reading a book by Bruce Schneier, "Beyond Fear", where he talks about security issues in general. An earlier book, "Secrets and Lies", talks more specifically about computer security.

What Mr. Schneier talks about may not answer your question directly, but after reading his books I better understand that the answer to your question is more complicated than it may seem at first.

One of his main points is that security is a trade-off. In your case, you have to weigh the inconvenience to your regular customers of having a more robust but complex password recovery method against the risk and negative consequences of a hacker exploiting a more simple method. It's a judgement call that requires you to understand security principles and the risks to the system you are trying to secure.

One thing I have learned from his books is that there are a lot of lousy judgement calls made about security, both in IT and in other situations. Surprisingly, a lot of these situations involve too tight security, which inconveniences legitimate uses of a system but doesn't increase security significantly.

BTW, Mr. Schneier's website is at:

Tuesday, April 13, 2004

For the occasional business users, when they register, have them enter a fax number and an email address, as well as their Federal Tax ID.

In the "what's my password" thingo, have them enter their federal tax ID and select whether they want their password emailed or faxed to them. (if they want to change their email or fax #, that's harder)

Figure fax numbers don't change as often...


Tuesday, April 13, 2004

The problem with fax numbers isn't that they change; it's trying to figure out *which* fax number was entered. Where I work currently, there are at least five different fax numbers. :/

No, wait, make that six; I forgot about the front desk.

Tuesday, April 13, 2004

On a similar note, is it as immoral as *I* think it is to store a user's password in plaintext?  Or even in a format that can be decrypted?

Maybe I've just poured down too much of the UNIX Kool-Aid(tm), but I think you should NEVER store a password in plain text.  I fought with the developer of a popular bulletin board product over this.  He claimed that this allowed him to e-mail the password back to the user, and so he needed to store your password in plain text.  Never mind that it was viewable by the local admin or anyone who hacked the bulletin board.

My personal recommendation -- worth about what you paid for it -- is to always store password hashes.  If a user forgets their password, you mail a random one back to them, and force them to change it when they log back in.

As for the site that is so rarely accessed?  Don't use logins, if it is at all possible.  My local town allows you to pay your utility bill via the web.  They ask me every time to enter my account number and house number -- both of which are printed on the paper bill.  No password to forget!

Of course, this offers very little security, but in this case, what's the problem?  God help me if some criminal decides to pay my utility bill for me.

Michael Dwyer
Wednesday, April 14, 2004
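The flow Michael describes (store only password hashes; on a forgotten password, mail a random temporary one and force a change at the next login), as an added example that is not part of the thread. The in-memory USERS store, the function names and the PBKDF2 parameters are assumptions for illustration:

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> record. A real site uses a database.
USERS = {}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username: str, password: str, must_change: bool = False) -> None:
    # Only the salt and the hash are stored; the plaintext is discarded here.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "must_change": must_change}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def reset_forgotten_password(username: str) -> str:
    """Generate a random temporary password, store only its hash, and flag the
    account so the next successful login must replace it. The returned string is
    what would be mailed to the user; the old password is invalidated immediately."""
    temp = secrets.token_urlsafe(12)
    set_password(username, temp, must_change=True)
    return temp


def login(username: str, password: str, new_password=None) -> str:
    """Returns 'denied', 'change_required' or 'ok'. A flagged account is only
    let in once it supplies a new password that differs from the temporary one."""
    if not verify_password(username, password):
        return "denied"
    if USERS[username]["must_change"]:
        if not new_password or new_password == password:
            return "change_required"
        set_password(username, new_password)  # clears must_change
    return "ok"
```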
