FlyerTalk Forums - View Single Post - Strong passwords
Old Aug 16, 2012 | 7:21 am
packetshard
Join Date: Apr 2012
Posts: 50
Originally Posted by richarddd
What would you use to authenticate? And what would you do if you lose or forget that?

The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password?).

It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure.
I agree with your premise that designing good password reset or recovery systems that strike the balance between ease of use and security is tough. I also agree that with a good salting mechanism, designing a password hashing function that mounts some reasonable defense against modern brute force attacks with GPU-based password crackers isn't *that* conceptually difficult, but for whatever reason, lots of systems fail to do so or do so badly.

I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name.

The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here:

http://xkcd.com/936/