
I spent a week consulting for a small education software start-up and was horrified when I saw that their password reset process was the following:

1. An anonymous person sends a message via Google Chat to the support Gmail address.

2. A staff member would ask the anonymous person for the username of the account for which to reset the password.

3. The anonymous person would present the username.

4. The staff member would reset the password and create a temporary password and would then give that anonymous person the password. The staff member would then explain how to change the password once the anonymous person had logged in with the temporary password.

I spent too long trying to explain to the staff and the CEO why it was a problem that any person could gain access to any account...



I'm a teacher in the UK. Educational systems range from the ridiculous like the one you mention to the ones who take it very seriously.

One employer some time ago would only do a password reset if you turned up in person with photo ID. That organisation had quite a lot of students spread over a number of sites so it was labour intensive - the library staff used to be able to reset passwords and they had access to the student and staff badge photos. IT staff at a University I taught at for a year would only reset a password if you went on a conference call with a manager-level staff member who could confirm recognising your voice.

For a general access Web site available nationally and not tied to an institution I imagine you would have to fall back to the usual email reset code with challenge question type systems.
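The e-mail reset code both posts refer to, written out as an added example (not code from either commenter or the start-up described): the token goes only to the address on file, never to whoever asked in the chat; only its hash is stored; it expires and is single-use; and the reply is the same whether or not the username exists. The user table, TTL and the `_outbox` stand-in for the mail system are constructed assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample data: usernames mapped to the e-mail address on file.
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

_pending = {}    # sha256(token) -> (username, expiry); the raw token is never stored
_outbox = []     # stands in for the mail system: (recipient address, token)
_passwords = {}  # username -> new password (demo only; a real store hashes it)


def request_reset(username, now=None):
    """Issue a reset token for `username`.

    The token is delivered only to the registered address, so a support-chat
    requester who knows just a username learns nothing. The return value is
    identical for unknown usernames, so the endpoint is not an enumeration oracle.
    """
    now = time.time() if now is None else now
    email = USERS.get(username)
    if email is not None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending[digest] = (username, now + TOKEN_TTL)
        _outbox.append((email, token))
    return "If that account exists, a reset link has been sent to its e-mail."


def complete_reset(token, new_password, now=None):
    """Consume a token: it must match a stored hash and be unexpired.

    The entry is popped before any check, so a token is single-use whether
    the attempt succeeds or fails.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    _passwords[username] = new_password
    return True
```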


If what you are saying is true, did they store the passwords in plain text as well?


It wasn't a YCombinator startup, was it?


I doubt he's allowed to share that information (whether it is, or isn't), and you shouldn't tempt him to, either.


No, it was not.



