SteveW
« on: March 27, 2008, 08:29:38 AM » |
In this and other forums, it is best to leave blank the Secret Question and Secret Answer in your user profile. The Secret Question feature is provided to "help retrieve a lost password".
However, if you lose your password, you can always obtain a new one by requesting that an email be sent to you. This method requires that you have access to the email account that you registered with, which presumably you do have access to.
If you get your password by answering the Secret Question (instead of by email), it bypasses the email requirement, which means that it could potentially be guessed by someone who does not have access to your email account.
Assuming you are using a strong password that is unguessable (hint, hint!), it would be very difficult for anyone to guess it. However, your Secret Question and Secret Answer are both going to consist of English words and phrases. The questions and answers are relatively predictable, and even if you choose unusual ones, they are vulnerable to a "dictionary attack" where someone (or a robot) runs through the dictionary guessing every possible word and phrase. That sounds very difficult, too, but it's millions of times easier than guessing a good random password.
So in other words, if you use a Secret Question, it makes your password only as strong as your Secret Question and Answer, which are much less strong than a good password. In a way, it almost makes your good password irrelevant.
If you leave the Secret Question blank, it's not presented as an option for getting a lost password, so it's much more difficult for someone to try to log in as you.
I'm not really clear why the SMF forum provides it as an option. Maybe it's a leftover feature from earlier days. At least it is blank by default, which is good.