Secret question(s)

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
The Wizard
Registered User
Posts: 9
Joined: Sun Jul 25, 2010 7:14 pm

Secret question(s)

Post by The Wizard »

Google, Yahoo, Steam, etc. use this type of security system when you want to recover/reset your password.
One or two questions is enough.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: Secret question(s)

Post by igorw »

These kinds of systems tend to make it easy to break into accounts because the "personal" questions are easily known by somebody who knows the person. Since any authentication system is only as strong as its weakest link, I would personally advise against such a system.

It's not insecure per se, but it is more prone to misuse than others.

Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: Secret question(s)

Post by Nelsaidi »

You have a 20 character password so complex that you forget it one day, so when you come to recover your password you simply enter something like "London" in response to where you were born?

Inefficient

These are used with other measures which in combination are secure: an email is good, and a secret question IN ADDITION to email is near excellent, since if your email is hacked and someone is using that as a measure to access your account, they have to answer something.

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Secret question(s)

Post by EXreaction »

I have a thing against security questions. Most do not work very well (they cannot handle capitalization, spacing or punctuation differences), and if you know the person you can quite easily get the answer out of them.

When enforced, I fill mine with random numbers and letters (longer than my password). Requiring a correct answer before sending an email to set up a new password will just cause problems, as people will either need to email the board owner or create another account if their answer is forgotten.
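
An added example (not code from this thread or from phpBB) of the answer normalization EXreaction says most implementations lack: the answer is casefolded and stripped of punctuation and whitespace before it is hashed, so "New York", "new  york" and "New-York." all verify, and only a salted PBKDF2 digest is stored. The normalization rules, the iteration count and the function names are my assumptions. Normalizing and hashing make the check usable; they do nothing about the low guessability of the answers that the rest of the thread is worried about.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form, punctuation and spacing so trivial
    variations of the same answer compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as '-' and '.'
    text = re.sub(r"[\s_]+", "", text)    # drop all whitespace (and underscores)
    return text


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalized answer. Store both; never the answer."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    salt, digest = hash_answer("New York")          # constructed sample answer
    print(verify_answer("new  york", salt, digest))  # True
    print(verify_answer("New-York.", salt, digest))  # True
    print(verify_answer("London", salt, digest))     # False
```

Because the comparison runs over a stored hash rather than the plaintext, an attacker who reads the database still has to guess; the point the thread makes is that for a real secret question the guess space is small enough that this is not much of an obstacle, so the answer should only ever be one factor alongside the e-mail step.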

The Wizard
Registered User
Posts: 9
Joined: Sun Jul 25, 2010 7:14 pm

Re: Secret question(s)

Post by The Wizard »

EXreaction wrote: if you know the person you can quite easily get the answer out of them.
True.
I don't write the answer to the question, I write a different answer, so no one will guess :).
Also, if you know the person you can get the pass easily.

But:
If you know the person and guess the answers you still can't get the pass, because the pass is emailed to the original owner at his email. And if you see an email with a new pass and you didn't request it, you know you have to change your pass/questions.

Also, this thing is needed: when you want to change your pass/email you receive an email with a key, and you type the key from the email if you want to change the pass/email.
Like Steam.

I think these security measures will make phpBB even more secure.

If the "hacker" has your email nothing will stop him from getting your accounts (all of them), but we are not discussing this issue.

Sorry for bad English :D
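
An added example (my code, not code from this thread, from phpBB or from Steam) of the "key in the e-mail" step The Wizard describes for password and e-mail changes. The server generates a random key, keeps only its hash with an expiry, and accepts it once, for the user and action it was issued for. The in-memory store, the 15-minute lifetime and the function names are assumptions; a real board would put the record in a database table.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed key


@dataclass
class PendingChange:
    user_id: int
    action: str          # e.g. "change_email" or "reset_password"
    expires_at: float
    used: bool = False


# Stand-in for a database table, keyed by SHA-256 of the key (constructed for the example).
# Only the hash is stored, so a database leak does not hand out usable keys.
_pending: Dict[bytes, PendingChange] = {}


def _key_hash(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()


def issue_key(user_id: int, action: str, now: Optional[float] = None) -> str:
    """Create a one-time key; the plaintext goes into the e-mail and nowhere else."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _pending[_key_hash(key)] = PendingChange(user_id, action, now + TOKEN_TTL_SECONDS)
    return key


def redeem_key(user_id: int, action: str, key: str, now: Optional[float] = None) -> bool:
    """Accept the key only if it is unknown to nobody else: it exists, has not been
    used, has not expired, and matches the user and action it was issued for."""
    now = time.time() if now is None else now
    record = _pending.get(_key_hash(key))
    if record is None:
        return False
    if record.used or now > record.expires_at:
        return False
    if record.user_id != user_id or record.action != action:
        return False
    record.used = True  # single use: replaying the same key is refused
    return True


if __name__ == "__main__":
    key = issue_key(42, "change_email")          # constructed user id
    print(redeem_key(42, "change_email", key))   # True: first use
    print(redeem_key(42, "change_email", key))   # False: already consumed
```

The key is what ties the change to the mailbox: someone who guessed the secret question still cannot finish the change without it, which is the property the post is after. The remaining assumption, as the post itself says, is that the mailbox is not already in the attacker's hands.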

Ger
Registered User
Posts: 293
Joined: Mon Jul 26, 2010 1:55 pm
Location: 192.168.1.100

Re: Secret question(s)

Post by Ger »

The Wizard wrote: I think these security measures will make phpBB even more secure.
Why? Since the password already shouldn't be possible to guess, a secret question doesn't really add anything. It's like having a high-security vault and adding some extra duct tape to it. Yes, it slows the hacker down a bit, but not significantly.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: Secret question(s)

Post by imkingdavid »

Personally, I am against such questions. I often forget my answer (my "favorite t.v. show" might change over the course of a year, so I might put something different and forget what I put before).

I think the current system is secure as it is.

A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Secret question(s)

Post by A_Jelly_Doughnut »

imkingdavid wrote:Personally, I am against such questions. I often forget my answer (my "favorite t.v. show" might change over the course of a year, so I might put something different and forget what I put before).

I think the current system is secure as it is.
Agree for the most part. The most effective type of secret question is the non-changing one. "What is the name of your first wife?" "What was your first car?" and so on.

My bank website has a set of ten secret questions which are:
a) predefined
b) mostly deal with "What is your favorite ____?"
c) or do not apply to me: "What is your wife's name?" (unwed) or "What is the given name of your oldest child?" (without children)

I've ended up memorizing the responses I gave to these secret questions in addition to the usual username and password.

I understand the usefulness of the secret question, but not necessarily in the context of a bulletin board.

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Secret question(s)

Post by EXreaction »

Working with the first X only doesn't work all the time either, as per my bank:
What was the name of your first friend?
Do not ask about things that happened before one's brain develops enough to form lasting memories. ;)
