views: 136
answers: 6

I'm trying to think of a regular expression for this but not having any luck.

Let's say you have a security question on your website so the person can recover a password. People often forget exactly how they entered information. For example, given the question "What company do you work for?", a user might answer "Microsoft Corp.". But a month later when they are prompted to answer this question, they might type in "Microsoft", which wouldn't match their original answer even though they clearly answered correctly.

"Microsoft Corp." or "Microsoft Inc." or "Microsoft Co." would match "Microsoft", and "questar gas" would match "Questar Gas Co.". "Bank Corp. of America" would NOT match "Bank of America" because the word "Corp." is not at the end of the string.

What is the best way to accomplish this?

A: 

To be honest, I think one of the better ways to accomplish this is to restrict the user's input; instead of accepting "Microsoft Corp.", simply allow the user to input one word (i.e. "Microsoft") and remind them when asking them for the password retrieval information that it was just one word. This is one of those situations where I think the best solution is to restrict the input.

McWafflestix
+2  A: 

Provide two security questions instead of just one. I'd rather give the user more options than be flexible with security.

Thinking out loud: Also you might show a warning saying something like "This answer will be prompted if you forget your password and you'll have to write it exactly the same way" if the string has too many spaces or punctuation symbols ;)

victor hugo
+3  A: 

Regex matching is probably not the best way. I say you probably want to use a "string distance" algorithm, like Levenshtein or Jaro-Winkler to decide how close the user's input is to the expected one.

Though, to address Victor's point about not being too flexible, make sure to require a very high matching threshold.

Chris Jester-Young
I agree; if you give the user too much help, you defeat the whole purpose of the security system.
Alan Moore
+1  A: 

This is a common computer science problem.

You should read an article on string distance, e.g. Levenshtein distance and then decide how (and if) you should implement a solution.

ABCoder
+4  A: 

I wouldn't worry too much about people changing their answers. People are remarkably consistent in how they answer these kinds of questions. If I know your first job was at Microsoft, the fact that I type it slightly differently may suggest that I'm an attacker.

Avoid placing plaintext answers in your database. This is similar to storing plaintext passwords, which is definitely a bad idea. If your database, or a backup of the database, gets out of your control, then you have a leak of your client's private information. Maybe it won't fall into the wrong hands, but think of the email you'll have to send to your users. "Change all the sites where you answered this question the same way."

Instead, take the salted hash of the answer, and store that in the database. When the user answers the question later, use the same algorithm to hash their answer, and compare to the stored value.

You can use some normalization to minimize the effect of typos. You could convert to lowercase, and remove spaces and punctuation. For example, "Microsoft Corp." would become "microsoftcorp". That way, if a user decides to leave off the period or add another space, it would still match.

jwhitlock
very sound advice here.
Ape-inago
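As an added example (not code from any answer on this page), here is the normalize-then-salted-hash scheme jwhitlock describes, with the question's trailing "Corp."/"Inc."/"Co." rule folded into the normalization step. It assumes PBKDF2-SHA256 as the hash and a 16-byte random salt stored in front of the digest; both are my choices, not something the answers specify.

```python
import hashlib
import hmac
import os
import re
import string

# Corporate suffixes the question wants ignored, but only at the END of the string:
# "Microsoft Corp." matches "Microsoft", while "Bank Corp. of America" must not match "Bank of America".
_SUFFIX_RE = re.compile(r"\s+(corp|corporation|inc|co|company|ltd|llc)\.?\s*$", re.IGNORECASE)

SALT_LEN = 16
ITERATIONS = 200_000  # PBKDF2 work factor; assumption, tune for your hardware


def normalize(answer: str) -> str:
    """Canonical form used both when storing and when checking an answer."""
    text = _SUFFIX_RE.sub("", answer.strip())  # drop a trailing "Corp." / "Inc." / "Co."
    text = text.lower()
    # Remove whitespace and punctuation so "questar gas" equals "Questar Gas Co.".
    return "".join(ch for ch in text if ch not in string.whitespace + string.punctuation)


def store_answer(answer: str) -> bytes:
    """Return salt || PBKDF2-SHA256(normalized answer, salt); this is what goes in the database."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def check_answer(stored: bytes, attempt: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

Every normalization step discards a distinction the recovering party would otherwise have to get right, so keep the stripped-suffix list short rather than growing it to cover every variant users might type.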
A: 

Just to give a different perspective, I think a secret question/answer pair defeats the purpose of a password - they are much easier to guess by an attacker.

The alternative is to allow password reset and email the reset password to the user. That way, you are delegating the security of your app to the security of their email/password combination should they forget their password.

Chii