Note: The reason the system resets the password to a random string
before emailing the user the password is presumably to more or less
guarantee that the user will change the password to something else
after logging in, rather than leaving the password set to a string
which was sent in the clear via email.
So that's one advantage to resetting the password in that fashion, but
it has to be weighed against the disadvantages Joel brought up above.
The denial of service implications probably never occurred to whoever
implemented the current password resetting scheme...
I don't think it makes sense to say, "Most of this security is of
limited use because the transaction isn't encrypted". Whether or not
the web page is encrypted in transit with SSL is entirely separate
from whether the user has logged in yet or not. Remember that
depending on how the admin has things set up, the login page where the
user sends his password may itself not use SSL! All OpenACS pages
asking for passwords or secret phrases should follow the same setting,
either they all require SSL or none of them do. Of course, making
sure there's only one such page may be the simplest way to do that. :)
Whether or not the login page uses SSL is presumably a security choice
by the site owner. It should use SSL, yes, but if you're
running a site with unimportant user data but lots and lots of users,
maybe you'll want to economize on server hardware by not supporting
SSL even for the login page. Bad idea IMNSHO, but note that Yahoo and
even eBay both default to non-SSL logins, so
insecure login pages seem to be fairly industry standard, if it means
saving a few bucks on hardware costs.
All that said, I don't personally have any problem with removing the
secret answer/question business, sounds fine to me. I wonder about
existing sites out there using OpenACS though, maybe some of them have
a requirement for this? I guess if it's taken out for OpenACS 5.0
rather than 4.6.x, and is mentioned in the Change Log for 5.0, that
should be good enough. If anyone really really wants to keep a secret
question/answer feature they can always forward port it from 4.6, as
long as they know about the change.
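The two reset designs discussed in this thread, side by side, as an added example that is not part of the original post and not OpenACS code: `legacy_reset` is the scheme described above (overwrite the password with a random string, then email it), which lets anyone who knows a user's address lock that user out; `request_reset`/`confirm_reset` is the usual alternative, where nothing about the account changes until an emailed single-use, expiring token is presented. The in-memory stores, the `example.invalid` addresses and every function name are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 password hash; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes

    def check_password(self, password: str) -> bool:
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)


@dataclass
class ResetStore:
    """Constructed stand-in for the users table, a reset-token table and an outbox."""
    users: Dict[str, User] = field(default_factory=dict)
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # sha256(token) -> (email, expiry)
    outbox: List[Tuple[str, str]] = field(default_factory=list)        # (recipient, body)


def add_user(store: ResetStore, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    store.users[email] = User(email, salt, digest)


def legacy_reset(store: ResetStore, email: str) -> str:
    """The scheme the post describes: the password is replaced at request time.
    Anyone who submits the victim's address locks the victim out until they
    read the mail, which is the denial-of-service problem raised in the thread."""
    user = store.users[email]
    new_pw = secrets.token_urlsafe(12)
    user.salt, user.pw_hash = hash_password(new_pw)
    store.outbox.append((email, "Your new password is " + new_pw))
    return new_pw


def request_reset(store: ResetStore, email: str, now: Optional[float] = None) -> None:
    """Token scheme: the account is untouched; only a hashed, expiring token is stored.
    A flood of requests just fills the outbox, and an unknown address gets the same
    (empty) response as a known one so the form does not enumerate accounts."""
    now = time.time() if now is None else now
    if email not in store.users:
        return
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
    store.tokens[key] = (email, now + TOKEN_TTL)
    store.outbox.append((email, "Reset link: https://example.invalid/reset?token=" + token))


def confirm_reset(store: ResetStore, token: str, new_password: str,
                  now: Optional[float] = None) -> bool:
    """Consume the token (single use) and only then change the password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = store.tokens.pop(key, None)  # pop: a token works at most once
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    user = store.users[email]
    user.salt, user.pw_hash = hash_password(new_password)
    # Any other outstanding tokens for this account are now stale; drop them.
    for stale in [k for k, (e, _) in store.tokens.items() if e == email]:
        del store.tokens[stale]
    return True
```

The token only ever leaves the server inside the email body, so a test or caller has to read it back out of `store.outbox`, exactly as the user would from the mail; a real deployment would also rate-limit `request_reset` per address so the mailbox flood itself is bounded.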