Reading what is currently the top answer to a recent question on how/whether to send users their passwords, I was intrigued that the most popular answer said the following…
- storing passwords in such a way that they are retrievable is insecure
- using a reset feature with the help of a secret question is a valid alternative
(These two points seem contradictory.)
I use hashed passwords for security, but I’ve always assumed that the password question and answer scheme are even less secure because they actually give a hint as to what the answer may be. (I often use .NET’s default membership provider.)
Is there something I’m missing because I’ve not bothered to use the question & answer? Are secret question and answers, without incorporating any sort of timed email reset function, any more secure than storing a password in the db?
Follow Up: Microsoft’s membership provider uses the same format for storing answers to secret questions as they do for the password. If you specify hashed for the password, then it will store the secret answer the same way.
From the posts below, it appears that, if used, a secret question/answer mechanism should only be used in addition to an email reset scheme, rather than instead of, and should be hashed as well. This, of course, may present problems for people like me who put long random strings in the secret answer section.
I allow myself to be guided by OWASP here:
Edit (2018): OWASP seems to have re-arranged their materials. The wayback machine captured a copy of the original page.