
What's the solution to this? Phone support? You can add "secret questions", but users will lose those too.


I've never found myself in a situation where I REALLY need to reset a password to a free web service.

I've had to reset school and bank related passwords, which I've done in person or over the phone.

I have reset passwords for free web services, but I could've lived with just making a new account. If I forgot my password, it's because I'm not using it - if it's free and I'm not using it, chances are I don't really care about it.

I've never had to reset my password for free web services I CARE about, because I use them regularly.

What I'm getting at is - do free services really need unverified password resets? If it's a paid service, it's easier to justify the cost of phone support.


If you keep your company's business in a Basecamp account, and you lose the password, what are you going to do? Give up and spend the money for a new Basecamp account?

People forget passwords all the time. Spend some time in an F2k IT department; they have whole teams of people and actual application development projects dedicated to trying to solve this one problem.


Basecamp isn't free, so they can likely devote a few more resources to a slightly more stringent password reset system than, say, icanhascheezburger.com.

What I was trying to put forward for discussion is the idea that if a site can't do password resets "properly" (by phone? or something more secure than the example given in the article) then maybe it shouldn't do it at all, and that this might not be as catastrophic for the user as it seems, since the site is less likely to be essential.

Looking at what I use online:

- all my server stuff: Extremely important, but it's my own problem.

- online banking, bills, etc: Important stuff, not free. I'd be really upset if I got permanently locked out, but all can be reset by phone.

- Digg, Reddit, News.YC, even Facebook: Not important stuff, free. I wouldn't really care if I have to make another account.

- Gmail: This is the only one which doesn't fit. However, I use it daily, so I'm not going to forget my password. On the flip side, if I used it only once a year, it obviously wouldn't be that important to me.

Yeah, I know it's not very realistic, and it's probably not something I'm willing to practice myself. Consider it a thought experiment.


The best solution, rather than changing every website, is for banks to not offer email password resets. Email password resets are ok when you aren't taking something that should be really secure like your bank account and transferring it to email. It seems almost criminally negligent of the bank.


It's unfortunately also criminally convenient.


I recently set up a new savings account and for some reason when the paperwork came through I couldn't recall the password I had used. Getting a new one issued did require a phone call, but the questions asked were only the standard things like mother's maiden name, first school, etc. These sorts of things are as easy to compromise on the phone as they are online.

On the plus side they only gave me half a password on the phone. The other half was emailed to me.
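The "half by phone, half by email" scheme in the comment above, written out as an added example (not code from any bank or site discussed on this page; the class, function and parameter names, the 15-minute validity window and the 128-bit token size are assumptions). It shows the properties a split-channel reset should have: the plaintext token is never stored, only its hash; either half alone is useless; the token expires; and it can be redeemed once.

```python
# Added example: split-channel password-reset tokens.
# Not code from any site discussed on this page; names and policy values are assumed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 16          # 128 bits of entropy, hex-encoded to 32 characters (assumed)
TOKEN_TTL_SECONDS = 900   # 15-minute validity window (assumed policy)


@dataclass
class ResetRecord:
    token_hash: bytes      # SHA-256 of the full token; the plaintext is never stored
    expires_at: float
    used: bool = False


class ResetService:
    """Issues and redeems reset tokens whose delivery is split across two channels,
    so a compromised mailbox on its own is not enough to take over the account."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, used by the tests
        self._records: dict[str, ResetRecord] = {}

    def issue(self, username: str) -> tuple[str, str]:
        """Create a token and return (phone_part, email_part) for separate delivery."""
        token = secrets.token_hex(TOKEN_BYTES)
        self._records[username] = ResetRecord(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        half = len(token) // 2
        return token[:half], token[half:]    # caller sends each half via its own channel

    def redeem(self, username: str, phone_part: str, email_part: str) -> bool:
        """Accept the reassembled token once, only while it is unexpired and unused."""
        rec = self._records.get(username)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        candidate = hashlib.sha256((phone_part + email_part).encode()).digest()
        if not hmac.compare_digest(candidate, rec.token_hash):   # constant-time compare
            return False
        rec.used = True                       # single use: a replayed pair fails
        return True


if __name__ == "__main__":
    svc = ResetService()
    phone_part, email_part = svc.issue("alice")
    print("phone half ok alone?", svc.redeem("alice", phone_part, "0" * len(email_part)))
    print("both halves ok?", svc.redeem("alice", phone_part, email_part))
    print("replay ok?", svc.redeem("alice", phone_part, email_part))
```

A production version would additionally rate-limit failed redemptions per user, since each half is only 64 bits and an attacker holding one channel would otherwise be free to guess the other; the thread's point that phone-verified "secret questions" are as guessable as anything online applies just as much to whatever gates the phone half.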



