This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Suggestion "Secret Question" support

NeedleFactory Junior Member
edited December 1969 in Mac
Many sites allow you to reset your password if you answer a couple of "secret" questions, such as "What is your mother's maiden name?" Savvy users recognize this as having "a back door with a lock weaker than your front door", as one commenter put it at <http://www.schneier.com/blog/archives/2009/05/secret_question.html>, where many methods for dealing with secret questions are offered, some of them quite good.



I would request that 1Password address this issue; as a specific example for discussion, I make two suggestions below. In either case, a window would appear in response to the (new) command "New Secret Answer", analogous to the (current) "New Password" command.



Suggestion #1 (minimal change to 1Password)

The generated "answer" is a function of three user-specifiable inputs; unlike a random password, identical inputs would always give the same answer. The inputs would be:

(a) Something the user types in to identify the question. It could be short, like "Best Friend", or it could be the entire question, such as "What is your best friend's first name?"

(b) The length (#chars) in the answer, also entered by the user.

(c) The user's master password (which need not be entered: whatever "hash" of the master password is retained internally by 1Password will suffice).

I suggest that (b) is required in case the site has a maximum or minimum limit on the length of an answer; perhaps a "standard" length of eight or ten would suffice for all sites?



If the user ever needs to answer a secret question or two, the "answers" can be recomputed and pasted in where needed.



Suggestion #2 (more adequate)

The first suggestion has flaws: the answer generated will be different if the user has changed the master password since the answer was first generated, or cannot remember the answer's length, or cannot remember the mnemonic to identify the question. These flaws vanish if 1Password would also store a list of responses, each response being a pair: {question mnemonic, answer}.
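
The two suggestions above, sketched as an added example that is not part of the original post and is not 1Password code. The function names, the PBKDF2 step standing in for "whatever hash of the master password is retained internally", the HMAC-SHA256 construction, the base32 output alphabet and all sample values are assumptions.

```python
import base64
import hashlib
import hmac


def master_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Input (c): stand-in for the internally retained hash of the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def secret_answer(key: bytes, question: str, length: int) -> str:
    """Suggestion #1: the same (question, length, key) always gives the same answer."""
    if length < 1:
        raise ValueError("length must be at least 1")
    q = question.encode("utf-8")
    # Length-prefix the question so distinct (question, length) inputs never collide.
    info = len(q).to_bytes(4, "big") + q + length.to_bytes(4, "big")
    stream, counter = b"", 0
    # HMAC in counter mode until there are enough full 5-bit base32 characters.
    while len(stream) * 8 // 5 < length:
        stream += hmac.new(key, info + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return base64.b32encode(stream).decode("ascii").lower()[:length]


def demo() -> dict:
    salt = b"constructed-salt"  # constructed sample value
    old_key = master_key("constructed old master password", salt)
    new_key = master_key("constructed new master password", salt)
    first = secret_answer(old_key, "Best Friend", 10)
    # Suggestion #2: keep {question mnemonic, answer} pairs instead of recomputing.
    stored = {"Best Friend": first}
    return {
        "repeatable": secret_answer(old_key, "Best Friend", 10) == first,
        "after_master_change": secret_answer(new_key, "Best Friend", 10) == first,
        "wrong_mnemonic": secret_answer(old_key, "best friend", 10) == first,
        "wrong_length": secret_answer(old_key, "Best Friend", 12).startswith(first),
        "stored_lookup": stored["Best Friend"] == first,
    }


if __name__ == "__main__":
    for check, matches in demo().items():
        print(f"{check}: {matches}")
```

Only the repeatable and stored-lookup checks match the first answer; the other three are the flaws listed under Suggestion #2.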

Comments

  • Nik
    edited December 1969
    Welcome to the forums, needlefactory, and thank you for the feedback. Right now, you can use 1Password to save these items for you using a very simple approach. I let 1Password generate random passwords for the answers to all security questions. I then save them as login items: 1P > Save Login. When the site presents a security question, I select it from my list of saved logins and let 1Password enter the answer for me.