The present application relates generally to computer systems and networks, and, more particularly, to passwords for accessing computer systems and networks.
Almost all electronic systems that base access on the use of a userid and password use some type of backup authentication for password recovery when the user forgets his/her password. An automated method of password recovery, the so-called self-service password reset, is often used to improve convenience and reduce administrative cost. Frequently, a secondary password is used to reset the primary password.
Some methods that have been used to improve the security of password recovery are:

1) User-chosen security questions. This is a prevalent method of supplying secondary passwords and is based on one or more questions chosen in advance by the user (e.g., what is the name of your first pet?). The answers to these questions are often easier to guess than the primary password and, as a result, may reduce the security of the system to that of the secondary password. There have been numerous examples of malicious parties that have compromised email account passwords by exploiting this weakness, since such secondary passwords are often easy for an attacker to guess.

2) Security questions based on information from public databases (e.g., past addresses). These questions generally suffer from the same weaknesses as user-chosen security questions and can often be easily guessed by an attacker.

3) Sending password reset information to an email address on file. This approach relies on another email account, which may not be available. Also, that email account generally needs to be at least as secure as the current system.