Re^3: Requiring old password in order to change your password
by Xilman (Hermit) on Jan 02, 2011 at 22:03 UTC
I wasn't planning on implementing the annoying multiple "What was the mascot of the first car where your favorite pet's maiden name's favorite sport first met their favorite superhero?" questions.
I wasn't suggesting you should. My suggestion is that you keep two other items on file: a string chosen by the user which is displayed on the account recovery page and another string which is compared against what the user enters after the first string is displayed. The first string would most likely be a question but need not. If I want my question to be "What is your mother's maiden name?" then it's my choice to have a response which is probably easily guessable. If my first statement is "The universe is" and the expected response is "purely 42itous" then, again, it's my choice to have something which I may be unlikely to remember five years later. It makes no difference to you whether either or both strings are meaningful and/or relevant, all you have to do is display one and check the other.
I hope this clarifies my proposal.
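The two-string scheme described in the reply above, as an added example in Python (not code from the thread or from PerlMonks): a user-chosen prompt is stored in clear and shown on the recovery page, and the user's expected response is stored only as a salted, key-stretched digest and compared in constant time. Hashing the response and trimming surrounding whitespace before comparing are this example's own design choices, not something the reply specifies; the in-memory `_ACCOUNTS` table, `_derive`, `set_recovery_pair`, `recovery_prompt` and `check_recovery_response` are all names assumed here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory "user table" for this example; a real site would persist it.
_ACCOUNTS: dict = {}

def _derive(response: str, salt: bytes) -> bytes:
    # Key-stretch the recovery response the same way a password would be, so a
    # leaked table does not hand out the users' recovery secrets in clear.
    # Surrounding whitespace is trimmed (assumption: an easy typing slip to forgive).
    return hashlib.pbkdf2_hmac("sha256", response.strip().encode("utf-8"), salt, 200_000)

def set_recovery_pair(user: str, prompt: str, response: str) -> None:
    """Store the user-chosen prompt in clear and only a salted digest of the response.

    Whether the prompt is a real question and whether the response is guessable
    is the user's choice; the site only displays one string and checks the other.
    """
    salt = secrets.token_bytes(16)
    _ACCOUNTS[user] = {"prompt": prompt, "salt": salt, "digest": _derive(response, salt)}

def recovery_prompt(user: str) -> Optional[str]:
    """The string the account-recovery page displays for this user (None if unknown)."""
    rec = _ACCOUNTS.get(user)
    return rec["prompt"] if rec else None

def check_recovery_response(user: str, response: str) -> bool:
    """Compare the submitted response against the stored digest in constant time."""
    rec = _ACCOUNTS.get(user)
    if rec is None:
        # Do the same amount of work for unknown users so response timing does not
        # reveal which account names exist.
        _derive(response, b"\0" * 16)
        return False
    return hmac.compare_digest(_derive(response, rec["salt"]), rec["digest"])

if __name__ == "__main__":
    # The reply's own sample pair: prompt "The universe is", response "purely 42itous".
    set_recovery_pair("alice", "The universe is", "purely 42itous")
    print(recovery_prompt("alice"))                              # The universe is
    print(check_recovery_response("alice", "purely 42itous"))    # True
    print(check_recovery_response("alice", "mostly harmless"))   # False
```

Storing the prompt in clear is unavoidable (it has to be displayed before the user answers), which is exactly why the response deserves the same protection as the password itself: anyone who can read the table should learn no more than the prompt.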