#674 Recover master password

wont-fix
nobody
None
5
2013-09-02
2012-06-22
No

There should be a way if the user forgets the password of the database. There should be a button "Recover password", and when the user clicks it, he/she answers three or more security questions, which have been created during the creation of the database. If the answers are correct, then the user sets a new password for the database.

Discussion

  • Class Diagram

     
    Attachments

  • Anonymous
    2012-07-29

    This is a good idea. I would also suggest that the user can set between one and five of his/her own password reset questions instead of relying on preset questions.

     
    Last edit: Anonymous 2013-11-26
  • Many services on the internet use such "security questions"; many of them use the SAME questions (like "maiden last name of your mother" or "name of your first pet" ...).

    They all assume that only the legitimate user of the service can answer them, but this is simply not true. Relatives, friends or just other services' operators will also know the answers. For some people, you might even be able to look up answers on Wikipedia.

    These questions, and the fact that multiple persons / services know the answers to them, create a new risk. Therefore, some people, when forced to use such security questions, choose rather to LIE with the answer (and lie differently to different services) due to this. Of course, if you do that, you need to manage your lies as you manage your passwords...

    Thus I consider this "feature" rather as an anti-feature. If you fear that you will forget your passphrase, you just write it down and store it at a secure place. This is as hard/easy to manage as managing secret security questions / answers.

     
  • Rony Shapiro
    2013-09-02

    • status: open --> wont-fix
    • Group: --> Next_Release_(example)
     
  • Rony Shapiro
    2013-09-02

    1. There is no way to store the answers to the security questions in a manner that won't be accessible to an attacker.
    2. As has been pointed out, typical questions of this type are painfully easy to guess or find out with a little research.
    3. When sites force me to use these, I make up answers and store them in the Notes field in PasswordSafe (you wouldn't believe the places where my mother was born...).
    4. Bottom line: Best solution for losing/forgetting the master passphrase is keeping it written down in a safe location.
    5. In addition, always back up your password database, of course.