[Sigia-l] password retrieving

Listera listera at rcn.com
Mon Oct 13 22:35:17 EDT 2003


"Mauro Pinheiro" wrote:

> In the discussion,

You need to be commended on consulting the archives first, actually
summarizing the discussion and asking for further clarification. A lot of
questions posed here can be answered with a simple archives check, but most
people won't bother. So kudos.

> As this information demanded more storage...

Your techies are full of it. They have to store two strings per user, which
would be a few bytes each and even multiplied by several million users would
still be no more than a few megabytes in total. You can buy an 80 GB hard
disk for less than $100, which would be far less than the amount of money
spent on just discussing this issue. Be that as it may...

> people were concerned if the questions should be based on facts or based on
> opinions...but no one seemed to be worried about the understanding of the
> system itself! And our tests had proved that the major problem is exactly
> understanding the logic of this kind of recovering system.

I'm not sure what you mean by this. Are you referring to the process at the
time of entering all this info (i.e. registration)? Or are you referring to
the confusion when the user is confronted with a challenge question?

The former is anticipatory. Especially if the user has had no experience
with challenge-response type of authentication previously. So they may not
fully grasp just what will happen with the info they are being asked to
enter. However, if they are old enough to carry credit cards or other
utility or bank accounts, they should be familiar with authentication
questions. You may indeed make a reference to those to remind them.

Now the latter is a dicey situation. As I indicated in the thread you cited
from the archives, some people like me almost never provide authentic info
(fact or opinion) while registering and therefore can't possibly remember
when challenged. Unless, of course, it's a vital service, like a bank.

Authentication remains a fundamental issue on the web. But the solution
trends point in a different direction, away from the user's ability to
recall/confirm on the spot. Microsoft is moving towards OS and CPU level
universal GUID with Password/Palladium. Apple has been using Keychain at the
OS level, which some web browsers like Safari and Camino can take advantage
of. (I can't remember the last time I had to manually enter a user
name/password.)

The trend here is for the user agent or the OS to store and remember your
passwords so as not to require the user to deal with the issue at all. This
has shortcomings, of course, such as when you try to access from another PC.

I'm citing all this just to underscore the fact that password
authentication/verification doesn't have a simple solution.

Now quick, what's your password for this list? :-)

Ziya
Nullius in Verba 
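The thread's "two strings per user" (a challenge question and its answer) are cheap to store, but the answer should not sit in the database in clear, and the check should tolerate the spelling and case drift that makes users fail their own questions. The following is an added example written for this page, not code from the list post or from any system discussed in it; the enrollment record layout, the `normalize_answer` folding rules and the sample question/answer are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Hypothetical parameter for the illustration: PBKDF2 work factor.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents and collapse whitespace so that
    'Rio de Janeiro' and '  rio DE janeiro ' verify as the same answer.
    (Assumed folding rules; a real deployment would pick its own.)"""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def enroll(question: str, answer: str) -> dict:
    """Build the per-user record: the question in clear (the user has to be
    shown it) plus a random salt and a salted hash of the normalized answer.
    These are the 'two strings per user' from the thread, with the answer
    replaced by something that does not reveal it if the table leaks."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"question": question, "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate answer and compare it in
    constant time so a wrong guess leaks nothing through timing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        ITERATIONS,
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_size(record: dict) -> int:
    """Bytes the stored strings occupy for one user: question length plus
    32 hex characters of salt plus 64 hex characters of hash."""
    return sum(len(value.encode("utf-8")) for value in record.values())


if __name__ == "__main__":
    # Constructed sample enrollment, not real user data.
    rec = enroll("What city were you born in?", "Rio de Janeiro")
    print("stored bytes per user:", record_size(rec))
    print("sloppy retyping verifies:", verify(rec, "  rio DE janeiro "))
    print("wrong answer verifies:", verify(rec, "Sao Paulo"))
```

Because the salt and hash are fixed-size, the storage cost per user is the question length plus 96 bytes, which bears out the point about storage being a non-issue; the normalization is what addresses the usability problem the quoted poster raised, since most failed challenges come from formatting drift rather than forgotten facts.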