
User forgot password alternative approach in spring

I wanted to allow having a security question for users. I am using Spring 3 and was not sure if there exists a standard way of doing this. Can anyone point me to such a standard, if it exists at all?

I'm not familiar with a standard that covers this, but I would recommend that you treat the security questions just like you would the password...

  • Make sure that you turn autocomplete="off" so that the browser won't remember their answer

  • Generate a salted hash for the answer (or you could reuse the one for their password)

     import java.security.NoSuchAlgorithmException;
     import java.security.SecureRandom;

     public byte[] generateSalt() throws NoSuchAlgorithmException {
         // VERY important to use SecureRandom instead of just Random
         SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
         // Generate an 8 byte (64 bit) salt as recommended by RSA PKCS5
         byte[] salt = new byte[8];
         secureRandom.nextBytes(salt);
         return salt;
     }
  • Encrypt the answer

     import java.security.NoSuchAlgorithmException;
     import java.security.spec.InvalidKeySpecException;
     import java.security.spec.KeySpec;
     import javax.crypto.SecretKeyFactory;
     import javax.crypto.spec.PBEKeySpec;

     public static byte[] getEncryptedAnswer(String answer, byte[] salt)
             throws NoSuchAlgorithmException, InvalidKeySpecException {
         // PBKDF2: 20000 iterations, 160-bit output (SHA-1 digest length)
         KeySpec spec = new PBEKeySpec(answer.toCharArray(), salt, 20000, 160);
         SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
         return secretKeyFactory.generateSecret(spec).getEncoded();
     }

Store both the salted hash and the encrypted answer. At this point you're pretty much using the answer to this question just like a password.


Now with all that said, I have to agree with jHilscher... Too many of these security questions are predictable or easy to guess. Favorite color, year they graduated, etc... I never answer these questions with the correct information. I recommend that you find a different way to reset the password when needed.
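The snippets in the answer above show the two halves separately (salt generation, PBKDF2 derivation) but not how they fit together with storage and verification. The following is an added, self-contained example (not code from the original answer, and not a Spring API) that wires the same approach end to end: normalize the free-text answer so trivial case and whitespace differences do not lock the user out, derive the hash with a fresh random salt, persist salt and hash as Base64, and verify a candidate answer with a constant-time comparison. It swaps in PBKDF2WithHmacSHA256 (available on JDK 8+) in place of the SHA-1 variant above; the class name, iteration count and the sample answer "Paris" are assumptions chosen for the example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical helper (not from the original answer) that stores and verifies
 * a security-question answer the same way a password would be stored:
 * random salt + PBKDF2, constant-time comparison on verification.
 */
public final class SecurityAnswerHasher {

    private static final String KDF = "PBKDF2WithHmacSHA256"; // assumption: JDK 8 or newer
    private static final int ITERATIONS = 100_000;            // assumed cost; tune to your hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    private static final SecureRandom RNG = new SecureRandom();

    /** What gets persisted per user: salt and derived key, Base64 so it fits a text column. */
    public static final class StoredAnswer {
        public final String saltB64;
        public final String hashB64;
        StoredAnswer(String saltB64, String hashB64) {
            this.saltB64 = saltB64;
            this.hashB64 = hashB64;
        }
        @Override public String toString() { return saltB64 + ":" + hashB64; }
    }

    /** Free-text answers vary in case and spacing; normalize so "Paris " and "paris" match. */
    static String normalize(String answer) {
        return answer.trim().replaceAll("\\s+", " ").toLowerCase(Locale.ROOT);
    }

    static byte[] derive(String answer, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(normalize(answer).toCharArray(), salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the plaintext answer on the heap longer than needed
        }
    }

    /** Called when the user sets up the question: a fresh salt per answer. */
    public static StoredAnswer store(String answer)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = derive(answer, salt);
        Base64.Encoder enc = Base64.getEncoder();
        return new StoredAnswer(enc.encodeToString(salt), enc.encodeToString(hash));
    }

    /** Called during password reset: re-derive with the stored salt and compare in constant time. */
    public static boolean verify(String candidate, StoredAnswer stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.saltB64);
        byte[] expected = dec.decode(stored.hashB64);
        byte[] actual = derive(candidate, salt);
        // MessageDigest.isEqual does not short-circuit, so timing does not reveal matching prefixes
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        StoredAnswer record = store("Paris"); // constructed sample answer
        System.out.println("persist: " + record);
        System.out.println("'paris ' accepted: " + verify("paris ", record));
        System.out.println("'London' accepted: " + verify("London", record));
    }
}
```

The normalization step is the one deliberate difference from password handling: a password should be compared byte for byte, but a security answer is meant to be recalled from memory, so stripping case and surrounding whitespace before hashing avoids rejecting the legitimate user without weakening the hash itself. Everything else (per-user random salt, slow KDF, constant-time compare, never storing or logging the plaintext) is exactly what the answer recommends for the password.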
