Due to issues with Hotmail and LiveMail we have been looking into other ways to handle password resets. We have settled on using Secret Questions as the method for password reset.
Things you should know:
1. Email resets are still available. The option for email resets will become available if you don't have any secret questions set or you run out of secret question tries.
2. If you already have an account as of April 10th 2008, you have no questions and answers set. Until you set them, you will only have email based resets available to you.
3. All new accounts will need to choose two secret questions and secret answers. We've chosen questions that are hard to guess from publicly available information as well as some of the more standard questions.
4. You only get 5 chances to answer your secret questions correctly. After that, your only option is Email based resets. The purpose of this is to reduce any sort of brute force attack but provide a method where a valid user who knows the answers to the questions can reset the password without going through email.
Are secret questions secure?
Secret questions are secure. In our database we treat them just like passwords and one-way hash them for security. As far as the security of the answer itself, this mostly depends on what questions are available and how they are answered. We've intentionally chosen some non-standard questions to allow for a greater variance in answers.
Secret answers have the same risks as passwords in many ways. If you put very short or easily guessable answers then your secret questions are as secure as a very short or easily guessable password. Choosing a reasonable answer is up to you though.
If you feel that secret questions are insecure and would rather not use them, then we suggest you put a password as the answer to each secret question or a completely gibberish mix of characters and special characters. You won't be able to answer them and it will be extremely difficult for anyone else to. If you need to do a password reset then you can fail the reset 5 times and trip the Email based only functionality and start using email based resets.
Last edited by GL_Support on Thu Apr 10, 2008 8:27 am; edited 1 time in total
Your Official Guild Launch Support Team
Jun: Application Developer Mike: Lead Customer Support Stephen: Application Architect Vicki: Graphic Design & Web Development
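The reset flow described in the post (answers hashed like passwords, 5 tries, then email-only), as an added illustration that is not Guild Launch's own code: the salted PBKDF2 hashing, the whitespace/case normalization of answers, and the `ResetAccount` record are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000
MAX_QUESTION_TRIES = 5  # the post's limit before only email resets remain


def normalize(answer: str) -> str:
    # Assumption: collapse whitespace and casefold so "Fluffy " matches "fluffy";
    # short or guessable answers are still as weak as a short password.
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash a secret answer with a random per-answer salt, like a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class ResetAccount:
    """Constructed stand-in for the account record: hashed answers plus a try counter."""

    def __init__(self, answers: List[str]):
        self.answer_hashes = [hash_answer(a) for a in answers]
        self.failed_tries = 0

    def email_reset_available(self) -> bool:
        # Email reset is offered when no questions are set or the tries are used up.
        return not self.answer_hashes or self.failed_tries >= MAX_QUESTION_TRIES

    def try_question_reset(self, answers: List[str]) -> str:
        """Returns "ok", "wrong", or "locked" (email-only from this point on)."""
        if self.email_reset_available():
            return "locked"
        all_match = len(answers) == len(self.answer_hashes)
        # Check every answer (no early exit) with a constant-time compare, so the
        # response does not reveal which of the two answers was wrong.
        for supplied, (salt, expected) in zip(answers, self.answer_hashes):
            _, got = hash_answer(supplied, salt)
            all_match &= hmac.compare_digest(got, expected)
        if all_match:
            self.failed_tries = 0
            return "ok"
        self.failed_tries += 1
        return "locked" if self.failed_tries >= MAX_QUESTION_TRIES else "wrong"
```

The counter is stored per account, not per session, so the 5-try budget is not reset by a new login attempt.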