Monday, December 20, 2004

Password hints

When users forget their password for a web service, they are usually challenged with a question whose answer only they should know. A correct answer is taken as evidence that this is in fact the same person who signed up for the service, and the user is then allowed to reset their password. On some websites the users themselves set up the challenge question. Other services ask the user to enter a password hint when signing up; this hint is shown when the user clicks the 'forgot password' link. Either way, the challenge question or hint is doing the job of a credential: whoever can satisfy it gets the account.

Now, I have seen instances where the user chooses a very simple password and an even simpler hint. For example, people set their favorite color as the password and 'your favorite color' as the hint. Think about what this does. If someone wants to access your account without your permission, they click the 'forgot password' link, are shown your hint, and now know that your password is a color name. They just have to enter color names one after another - red, blue, green and so on - and will hit your password in a handful of tries. The hint has shrunk the search space from every possible string down to a list of a few dozen words.

Passwords and password hints are meant to protect access, not to hand it out. Don't ever use a password hint that points to a small, finite set (e.g. favorite color or make of car): anyone who reads the hint can simply try every member of the set. A password should be at least 8 characters long and mix upper- and lower-case letters with at least 2 digits (e.g. 4U2reZtiq). The challenge question or hint has to be equally cryptic: as the user you would recognize it instantly, but to someone else it should look meaningless and, above all, should not narrow down what the password could be.
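To make the point about finite sets concrete, here is an added example (my own code, not part of the original post) showing how an attacker turns a leaky hint into a short dictionary attack, and how few guesses it takes compared with a password that the hint says nothing about. The wordlists, the hint strings and the unsalted SHA-256 stand-in for the service's stored hash are all constructed for the illustration; a real service would use a slow, salted password hash.

```python
import hashlib
import math
import string

# Constructed candidate lists, standing in for the wordlist an attacker would
# assemble once a hint reveals which small category the password comes from.
HINT_WORDLISTS = {
    "your favorite color": [
        "red", "blue", "green", "yellow", "black", "white",
        "purple", "orange", "pink", "brown", "grey", "gray",
    ],
    "make of your car": [
        "toyota", "honda", "ford", "bmw", "audi", "nissan",
        "volkswagen", "mazda", "subaru", "chevrolet",
    ],
}


def store_password(password: str) -> str:
    """Stand-in for the service's stored password hash.

    Unsalted SHA-256 is used only to keep the example short; it is an
    assumption of this illustration, not a recommendation."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def variants(word: str):
    """Capitalisations an attacker would try for each dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()


def guess_from_hint(hint: str, stored_hash: str):
    """Attack a password using only the hint the 'forgot password' page shows.

    Returns (recovered_password, guesses_used). recovered_password is None
    when the hint does not map to a category the attacker has a list for,
    or when the whole list is exhausted without a match."""
    words = HINT_WORDLISTS.get(hint.strip().lower(), [])
    guesses = 0
    for word in words:
        for candidate in variants(word):
            guesses += 1
            if store_password(candidate) == stored_hash:
                return candidate, guesses
    return None, guesses


def search_space_bits(password: str) -> float:
    """log2 of the number of strings an attacker must consider when the hint
    gives nothing away and the password is drawn from the character classes
    it actually uses (lower-case, upper-case, digits, punctuation)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    if any(ch not in string.ascii_letters + string.digits for ch in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet)


def hint_space_bits(hint: str) -> float:
    """log2 of the candidates a leaky hint leaves the attacker to try.

    Returns math.inf when the hint narrows nothing (no known category)."""
    words = HINT_WORDLISTS.get(hint.strip().lower(), [])
    n = sum(1 for w in words for _ in variants(w))
    return math.log2(n) if n else math.inf


if __name__ == "__main__":
    # 'blue' with the hint 'your favorite color' falls in four guesses.
    print(guess_from_hint("your favorite color", store_password("blue")))
    print("bits with leaky hint:", round(hint_space_bits("your favorite color"), 1))
    # The post's example password gives nothing away and sits in a ~54-bit space.
    print("bits for 4U2reZtiq:", round(search_space_bits("4U2reZtiq"), 1))
```

Run as a script it shows the color password falling in four guesses (about 5 bits of search space) while the post's example password sits in a space of roughly 54 bits. The hint is what collapses the first number; the same dictionary attack against the second password gets nowhere.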

Copyright Anand Jain 2004, 2005. All rights reserved.