Solution B

Assumptions

This solution assumes that the challenge question mechanism is re-engineered. The current free-form challenge question and answer limit automation, because nothing about the stored question or answer can be relied on. Instead, users establish answers to a fixed set of challenge questions. The registration process must be updated to collect these answers. Already registered users must be force-prompted, one time, to establish answers to the questions on their next entrance to udeupa. When a challenge response is required, the user is presented with one of their pre-established questions, chosen at random.

Steps

  1. User selects the "I forgot my password" link on the udeupa login page.
  2. User is prompted for UID (username), ApuIdNumber, and the answer to one randomly selected re-engineered static challenge question.
  3. Verify the submitted UID, ApuIdNumber, and challenge answer against LDAP. Treat a mismatch in any field as a single generic failure, without disclosing which field was wrong.
  4. If verification passes, the user may reset the password in accordance with the password strength policy.
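The following is an added example of the four steps above as they might be implemented; it is not udeupa's code. An in-memory `Directory` class stands in for LDAP, the question names in `FIXED_QUESTIONS`, the `MAX_FAILURES` lockout threshold, and the password policy in `password_meets_policy` are all assumptions made for illustration. Answers are stored as salted PBKDF2 hashes after normalization, comparisons are constant-time, and a failed attempt yields one generic result regardless of which field was wrong.

```python
"""Simulated Solution B reset flow (illustrative example, not udeupa's code)."""
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: the re-engineered fixed question set. Names are illustrative.
FIXED_QUESTIONS = ("first_school", "first_pet", "birth_city")
MAX_FAILURES = 5            # assumption: lock the reset path after this many misses
PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Lincoln  Elem.' == 'lincoln elem.'."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the normalized answer; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    uid: str
    apu_id: str
    answers: Dict[str, Tuple[bytes, bytes]]  # question -> (salt, digest)
    failures: int = 0
    password_hash: Optional[Tuple[bytes, bytes]] = None  # (salt, digest)


class Directory:
    """Stand-in for the LDAP directory; holds enrolled accounts in memory."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enroll(self, uid: str, apu_id: str, answers: Dict[str, str]) -> None:
        """Registration, or the one-time forced prompt for existing users:
        every fixed question must be answered, and only hashes are kept."""
        missing = set(FIXED_QUESTIONS) - set(answers)
        if missing:
            raise ValueError(f"unanswered questions: {sorted(missing)}")
        stored = {}
        for q in FIXED_QUESTIONS:
            salt = os.urandom(16)
            stored[q] = (salt, hash_answer(answers[q], salt))
        self.accounts[uid] = Account(uid, apu_id, stored)


def start_reset() -> str:
    """Step 2: pick one of the fixed questions at random. Because every user
    answers the same set, the choice does not depend on the UID, so an unknown
    UID gets a question too and the response does not reveal account existence."""
    return secrets.choice(FIXED_QUESTIONS)


def verify_reset(directory: Directory, uid: str, apu_id: str, question: str, answer: str) -> bool:
    """Step 3: check UID, ApuIdNumber and the answer together and return one
    generic result. Failures are counted per account and lock the reset path."""
    acct = directory.accounts.get(uid)
    if acct is None or acct.failures >= MAX_FAILURES or question not in acct.answers:
        return False
    id_ok = hmac.compare_digest(acct.apu_id.encode(), apu_id.encode())
    salt, expected = acct.answers[question]
    answer_ok = hmac.compare_digest(expected, hash_answer(answer, salt))
    if id_ok and answer_ok:
        acct.failures = 0
        return True
    acct.failures += 1
    return False


def password_meets_policy(pw: str) -> bool:
    """Step 4. Assumed policy: at least 12 characters and three of four classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def complete_reset(directory: Directory, uid: str, apu_id: str,
                   question: str, answer: str, new_password: str) -> bool:
    """Steps 3 and 4 together: verify, then store the new password (hashed)."""
    if not verify_reset(directory, uid, apu_id, question, answer):
        return False
    if not password_meets_policy(new_password):
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
    directory.accounts[uid].password_hash = (salt, digest)
    return True


if __name__ == "__main__":
    d = Directory()
    # Constructed sample enrollment.
    d.enroll("jdoe", "A12345", {"first_school": "Lincoln Elementary",
                                "first_pet": "Rex", "birth_city": "Omaha"})
    q = start_reset()
    print("asked:", q, "accepted:", verify_reset(d, "jdoe", "A12345", "first_pet", " REX "))
```

In a real deployment the question presented in step 2 should be bound to the reset session so the user cannot pick which question to answer, and the failure counter should live in the directory rather than in process memory.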

Questions

  1. Should the password be reset to a random string, or should the user be able to choose a new password?
  2. What are adequate Challenge Questions?