James McKey
suggested this on January 24, 2011 13:08
The password system is already pretty secure and Internet-standardized by having a password reset link sent to the email address on record, such that the email account would need to be compromised in order to then compromise the Centercode account. If the email account is compromised, then a secret question process is practically pointless and adds only a negligible amount of security, given either the level of proficiency of the hacker and/or the information available to them at that point.
My proposal is to just have a page where the user puts in their email address and requests a password reset (like most account credential systems). If they have more than one username, then the system would ask which account name to reset and perhaps suggest the one with the most recent activity. (Only one account per email address would do away with this additional step.)
The pain point the secret question creates is having to constantly monitor the general Centercode inbox to assist with 'lost' secret questions (mostly due to the secret question system changeover from last year), only to be followed by me performing the robotic action of doing the password reset, since we have no real 'secret' information to poll them for (such as an account # or social security #, etc.). If we had secret information that belonged to the user, then the process would make more sense and offer some ways to shorten and strengthen the password recovery process, but that is just not something intrinsic to Beta programs.
Comments
I'm actually very interested in removing the Secret Questions and Answers (Security Q&A) entirely from Connect, if our customer-base supports the decision.
The problem with Security Q&A is that they're generally more insecure than a password, yet act as the backup for one. On top of that, it’s nearly impossible to consistently ask questions which aren’t answered regularly on publicly accessible social networking sites – thus making social engineering much more viable than ever. Since we've recently implemented a solid E-mail verification loop already, I don't see these being valuable anymore.
Also, given that we DO have an E-mail address for everyone in the system (but not necessarily a current Secret Q&A depending on when they joined the community), the process would be consistent for all users, and not require Community Manager intervention – saving our admins time.
If we do remove the Secret Q&A functionality, I'd like to propose we add a check that ensures that Employee, Project Manager, and Community Manager accounts are not allowed to use the user-facing password reset, but rather must contact a Community Admin (there would be a customizable string shown if an Employee+ tries to reset their password, including the appropriate address to E-mail).
I would love more customer feedback on this subject – this is a small change, but one I’d like to make sooner than later.
I'm still looking for more feedback on this one. I'm planning to solicit customers directly.
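The flow described in the original post (e-mail address in, reset link out, with a choice of username when one address owns several accounts) and the check proposed in the Centercode reply (Employee, Project Manager and Community Manager accounts are refused self-service and shown a customizable contact message) can be sketched as one small reset service. The code below is an added illustration, not Centercode's or Connect's implementation: the account records, the role names as a Python set, the token lifetime, the `example.invalid` addresses and URL, and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Roles that are refused the user-facing reset (per the Centercode reply).
PRIVILEGED_ROLES = {"Employee", "Project Manager", "Community Manager"}
# Customizable string shown to such accounts; the address is a placeholder.
PRIVILEGED_MESSAGE = "Staff accounts must contact a Community Admin: admin@example.invalid"
TOKEN_TTL_SECONDS = 3600          # assumed lifetime of a reset link
RESET_URL = "https://example.invalid/reset?token="


@dataclass
class Account:
    username: str
    email: str
    role: str
    last_activity: float          # epoch seconds of the last login (constructed)
    password_hash: bytes = b""    # salt || PBKDF2-HMAC-SHA256 digest


def _digest(token: str) -> bytes:
    # Only a hash of the token is stored; a leaked store cannot complete a reset.
    return hashlib.sha256(token.encode()).digest()


def hash_password(password: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(account: Account, password: str) -> bool:
    salt, stored = account.password_hash[:16], account.password_hash[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(stored, candidate)


@dataclass
class ResetService:
    accounts: dict                                   # username -> Account
    pending: dict = field(default_factory=dict)      # sha256(token) -> (username, expiry)
    outbox: list = field(default_factory=list)       # stands in for the mail server

    def accounts_for(self, email: str) -> list:
        return [a for a in self.accounts.values() if a.email.lower() == email.lower()]

    def request_reset(self, email: str, username: str = None, now: float = None) -> dict:
        now = time.time() if now is None else now
        matches = self.accounts_for(email)
        if not matches:
            # Same answer as the success case, so the page does not reveal
            # which addresses are registered.
            return {"status": "sent"}
        if username is None:
            if len(matches) > 1:
                # Several usernames share the address: ask, suggesting the
                # most recently active one (the original post's step).
                ordered = sorted(matches, key=lambda a: a.last_activity, reverse=True)
                return {"status": "choose",
                        "usernames": [a.username for a in ordered],
                        "suggested": ordered[0].username}
            acct = matches[0]
        else:
            acct = next((a for a in matches if a.username == username), None)
            if acct is None:
                return {"status": "sent"}
        if acct.role in PRIVILEGED_ROLES:
            return {"status": "refused", "message": PRIVILEGED_MESSAGE}
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (acct.username, now + TOKEN_TTL_SECONDS)
        self.outbox.append((acct.email, RESET_URL + token))   # the e-mail loop
        return {"status": "sent"}

    def complete_reset(self, token: str, new_password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)        # pop makes it single-use
        if entry is None:
            return False
        username, expires = entry
        if now > expires:
            return False
        self.accounts[username].password_hash = hash_password(new_password)
        return True


def make_demo_service() -> ResetService:
    # Constructed sample accounts: one tester with two usernames, one manager.
    accounts = {
        "alice": Account("alice", "tester@example.invalid", "Tester", 1000.0),
        "alice_old": Account("alice_old", "tester@example.invalid", "Tester", 500.0),
        "cm_bob": Account("cm_bob", "cm@example.invalid", "Community Manager", 2000.0),
    }
    return ResetService(accounts)
```

Two details carry the weight here: the store keeps only a SHA-256 digest of the token and `pop`s it on use, so a link works once and a copied database does not yield usable links; and an unknown address gets the same `{"status": "sent"}` reply as a known one, so the reset page cannot be used to enumerate registered users.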
I am in total agreement. I think every concern has been voiced in the original post and comment above, so all I have to add is my vote for removal.
I'm still speaking with customers on this, but for now I'm changing this to planned. I think it's the best strategy.
Yes, we strongly recommend that this be implemented. I think every account credential system has this as a basic feature.
Regards,
Mansi Grover
Adobe Prerelease Team, India
I so agree with this request. The current system requires us to manually send users the password reset mail. This should be automated.
This is a must have feature. The current mechanism is outdated.
Regards,
Aditi Bansal
Adobe Prerelease Team, India
It's a mundane activity for us, having to reset passwords... This functionality is a dire need!!
Regards,
Neha
Adobe Prerelease Team, India
I agree. This is one of the top items on my wishlist. If I were the external tester and had a very critical piece of functionality to discuss with the community, I would not want to request a password reset and wait virtually two working days (mine today, Adobe's tomorrow) just to get in, when I could get in in 5 minutes if I had the option.
Regards,
Pallab
Adobe