#24
06-26-2002, 02:33 AM
JJR512
Join Date: Oct 2001
Location: Glen Burnie, MD, USA
Posts: 710

The "added security" that would allegedly result from making the user select a question from a drop-down box, in addition to having to correctly answer that question, is, in my opinion, not truly any more secure of a system than just having a secret word, as the original form of this hack was, except that now the user has to remember two things, the question and the answer, as opposed to just one, and let's remember, the user is doing this in the first place because he couldn't remember something. The whole point of the question, at least the way I see it, is that it's there to help jog the memory of the user. The way my version works isn't really any different from the way Parker's original version works; the user has to remember one thing, whether it's called a "secret word" or "secret answer". The question serves no practical purpose as far as how this system works is concerned; its sole purpose is to help the user remember what his secret word (or "answer") is.

Quote:
Pretty simple to do. Just use strtolower();
Yes, it was. I knew how to do it; I just had to take the time to do it. I believe I replaced all occurrences of md5($secret_a) with md5(strtolower($secret_a)). I will change the attachment in my earlier post with the newer version right after I submit this reply.

I understand what you're saying about having the answer encrypted. This debate as to the value of leaving it in plain text has already taken place, when the vB team switched the password system to use encryption. So believe me, I understand; I've seen it all before. My point of view is this. The user will be using this system because he couldn't remember his password. If he can't remember his password, why should I think he'll have better luck remembering a question that might be meaningless to him personally, and the answer to that as well? This is why I want the user to be able to make up his own question, because it will most likely be something that means something to him. And because the question means something to him, so will the answer, and it won't be something he's likely to forget. For the user to feel comfortable using such a personal question, he needs to feel secure that his answer is secure.

There is no way that this can create "more of a problem" than it is solving. Without this system, if a user forgot his password, he was going to be contacting you for help. This system gives the user a fall-back system to use in case he forgets his password, that potentially allows him to recover from the situation without needing to contact you. If he can't remember his secret answer and can't get in, he's going to contact you. It's not as if this system is going to make people contact you when they would otherwise have had no reason to do so.

So, like I said, we have choices. Anyone who likes my version can use mine; anyone who likes Parker's version can use his; anyone who likes whatever you might post can use yours; and anyone who wants something else that's slightly different from anything we've done so far can either make it themselves, or suggest it here and maybe one of us will incorporate that suggestion into a new version.
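Added example in PHP, not JJR512's attachment or vBulletin's own code: it shows the check the post describes (store md5(strtolower($secret_a)) and compare on the same lower-cased form) with a salted, slow-hash variant beside it; the function names and the sample answer are assumptions for illustration.

```php
<?php
// Added example, not code from the post or from vBulletin. Function names are
// hypothetical; the sample answer below is constructed.

// Normalize identically on the save path and the verify path. Lower-casing
// only helps if every md5() call sees it; a single missed occurrence makes a
// correct answer fail whenever the user's capitalization differs from the
// one used when the answer was saved.
function normalize_secret_answer(string $answer): string
{
    $answer = trim($answer);
    $answer = preg_replace('/\s+/', ' ', $answer); // collapse runs of whitespace
    return strtolower($answer);                    // the post's strtolower() step
}

// What the modified hack stores: an unsalted MD5 of the lower-cased answer.
function store_answer_md5(string $answer): string
{
    return md5(normalize_secret_answer($answer));
}

// Constant-time comparison against the stored hex digest.
function verify_answer_md5(string $stored, string $supplied): bool
{
    return hash_equals($stored, md5(normalize_secret_answer($supplied)));
}

// Hardened form: bcrypt with a per-record salt. Secret answers are short and
// guessable, so an unsalted fast hash is cheap to brute-force if the table leaks;
// the same normalization still applies before hashing.
function store_answer_bcrypt(string $answer): string
{
    return password_hash(normalize_secret_answer($answer), PASSWORD_BCRYPT);
}

function verify_answer_bcrypt(string $stored, string $supplied): bool
{
    return password_verify(normalize_secret_answer($supplied), $stored);
}

// Constructed sample run: case and spacing differences are accepted,
// a different answer is rejected.
$stored = store_answer_md5('Glen Burnie');
var_dump(verify_answer_md5($stored, '  glen   BURNIE '));
var_dump(verify_answer_md5($stored, 'Glen Burnie, MD'));

$hash = store_answer_bcrypt('Glen Burnie');
var_dump(verify_answer_bcrypt($hash, 'GLEN burnie'));
```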
 