Alice forgets her password. She goes to the system administrator’s office, and the admin resets her password and gives Alice the new password.

a. Why does the SA reset the password instead of giving Alice her previous (forgotten) password?

b. Why should Alice re-reset her password immediately after the SA has reset it?

c. Suppose that after the SA resets Alice’s password, she remembers her previous password. Alice likes her old password, so she resets it to its previous value. Would it be possible for the SA to determine that Alice has chosen the same password as before? Why or why not?

Many websites require users to register before they can access information or services. Suppose that you register at such a website, but when you return later you’ve forgotten your password. The website then asks you to enter your email address, which you do. Later, you receive your original password via email.

a. Discuss several security concerns with this approach to dealing with forgotten passwords.

b. The correct way to deal with passwords is to store salted hashes of passwords. Does this website use the correct approach? Justify your answer.
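The following is an added illustration of the salted-hash storage scheme referred to in part b; it is example code written for this page, not part of the original problem set or any textbook solution. Names such as `PasswordStore`, `admin_reset` and `change_password` are hypothetical, and the PBKDF2 iteration count is an arbitrary choice for the demonstration. The `demo()` function walks through the reset sequence from the first problem (registration, administrator reset to a temporary password, user re-setting her own password) and reports what can and cannot be read back from the stored records: whether any record contains the plaintext, and whether two records made from the same password are byte-for-byte comparable when the salt is fresh versus when it is reused.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# PBKDF2 work factor; an arbitrary value chosen for this example, not a recommendation.
ITERATIONS = 200_000


@dataclass(frozen=True)
class PasswordRecord:
    """What the server keeps on disk: a random salt and the derived digest, never the password."""
    salt: bytes
    digest: bytes


def make_record(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted hash; a fresh 16-byte random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return PasswordRecord(salt=salt, digest=digest)


def verify(record: PasswordRecord, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record.salt, ITERATIONS)
    return hmac.compare_digest(probe, record.digest)


class PasswordStore:
    """Hypothetical in-memory account database holding one PasswordRecord per user."""

    def __init__(self) -> None:
        self._records: Dict[str, PasswordRecord] = {}

    def register(self, user: str, password: str) -> None:
        self._records[user] = make_record(password)

    def login(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        return rec is not None and verify(rec, password)

    def admin_reset(self, user: str) -> str:
        """Administrator reset: a random temporary password is generated, only its salted
        hash is stored, and the plaintext is handed to the user exactly once."""
        temp = secrets.token_urlsafe(12)
        self._records[user] = make_record(temp)
        return temp

    def change_password(self, user: str, old: str, new: str) -> bool:
        """User-driven change: requires the current password, then stores a new record with a fresh salt."""
        if not self.login(user, old):
            return False
        self._records[user] = make_record(new)
        return True

    def stored_record(self, user: str) -> PasswordRecord:
        return self._records[user]


def records_match(a: PasswordRecord, b: PasswordRecord) -> bool:
    """Byte-for-byte comparison of two stored records, i.e. what can be learned from the database alone."""
    return a.salt == b.salt and a.digest == b.digest


def demo() -> dict:
    """Run the reset sequence from the problem and report what the stored records reveal."""
    store = PasswordStore()
    original = "correct horse"  # constructed sample password
    store.register("alice", original)
    before = store.stored_record("alice")

    temp = store.admin_reset("alice")  # SA resets; Alice receives `temp`
    old_rejected = not store.login("alice", original)
    temp_accepted = store.login("alice", temp)

    # Alice re-sets her password, choosing the same value she had before.
    store.change_password("alice", temp, original)
    after = store.stored_record("alice")

    return {
        "temp_password_accepted": temp_accepted,
        "old_password_rejected_after_reset": old_rejected,
        "login_works_after_user_change": store.login("alice", original),
        "record_contains_plaintext": original.encode() in (before.salt + before.digest),
        "same_password_fresh_salt_records_match": records_match(before, after),
        "same_password_reused_salt_records_match": records_match(before, make_record(original, before.salt)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two entries is the role of the salt: with a fresh salt drawn on every change, two records derived from the same password are not comparable from the database alone, whereas reusing a salt makes them identical, which is why the record, and not just the digest, is what the server should regenerate on each reset.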
