Forum Account Recovery

I'm looking for your opinions on what you'd rather see for account recovery. Say you forget your password for your Sythe account, how would you rather recover it?

1. Go to a page on the forum, enter my username and answer 3 security questions that I made during registration.
2. Go to a page on the forum, enter my username and answer 5 security questions that I made during registration.
3. Go to a page on the forum, enter my username and enter a pin that I made during registration.
4. Other option (please post it below).

This has nothing to do with Sythe, but for an upcoming project that I'm working on. Just want to know what you guys think is the most secure way. Obviously having many security questions is the most secure way, but it may be annoying and/or hard to remember them all.

Note: This is instead of the usual e-mail recovery method.

 

Option 3 is what seems the most secure in the sense that it cannot be guessed.

 

I'll tell you right now that I have no clue what security sentence I used upon registering this account...if any.
I think that's the problem with this system.

However I do not have another system in mind.

 

Well I'm also looking for other ideas. I want to figure out the most secure way, yet a way where people remember what they put.

 

I think the best way is to actually have option 1 and 3 mixed. I say 3 questions and a Pin. The pin can only be reset upon admins approval. So if I forgot my pin or questions, I would have to post in the dispute forum and get an admin to verify that the IP's match to make sure it is really you. If the admin feels that IP verification is not enough, he may ask the user a few questions about his or her acc. The questions would be answers and if like 2/3 are correct, you would be asked to enter ur pin, once that is answered u can recover ur acc. Dialatic - I am glad that someone is actually doing something to fix this. After my "send an email from the verified email to recover the acc" suggestion got closed, I lost faith in a good recovery process. I'm glad you are doing this!

 

2/3 of you think that a pin would be better? You think you would remember that over personal questions?

This is not for Sythe.

 

Option 3, as security questions can be social engineered.

 

Despite the social engineering who would really remember their unique pin? Some would write it down and lose it. Others may write it digitally but then if they get a RAT etc it could get bad also. If one was implemented there would definitely need to be like "get it wrong so many times and you get frozen out for x minutes" to prevent bots guessing it, etc

 

I would ;(

 

I think maybe having one security question, a PIN, as well as having of course to reset through email aswell would be very secure IMO. Only idiots would lose their accounts.

 

Having that much information would be secure, yes. But it would also be a hassle for users to remember.

Still looking for ideas!

 

A pin is more easy to remember when three questions.

 

How about 5 security questions AND the pin?

 

I'd say a PIN number. They're easier to remember than security questions or phrases, I don't know what my recovery questions are on Runescape nor do I remember any security phrases on Sythe... Hell, I don't even know the e-mail address I used to sign up to Sythe... PIN numbers are used in daily situations, making it the same as your work PIN number or card PIN number would make it memorable - for example, my RS PIN is the same as my college PIN.

 

I have a four digit pin that I use for everything, so a pin would probably be the most convenient for me

But if the server got hacked and somebody figured out my pin, I'd have a problem bigger than a simple community accunt hacking to deal with...

 

I think many people would forget their pin number or security question answers. When I sign up for a website that I don't expect to use often, I type in random stuff for the questions. I didn't expect to use Sythe when I signed up either. I say lets leave it with the emails, however not permit hotmails.

 

Option three is pretty good, the security options don't work well because people can easily manipulate others into retrieving their security questions.

i.e; "where do you live" someone can easily find that out by asking the user.

 

3 questions and a pin, as long as the pin isn't hashed on your end. It needs a stronger algorithm for something short and numerical

 

I don't understand how everybody thinks it'll be hard to remember their 4 digit pin. Every debit card user knows their 4 digit pin and there are a whole lot of debit card users. It's not hard to remember at all and it's a lot safer than security questions.

So in short, option 3.

 

I like option 3 the best