Answer from Thomas Pornin on Stack Exchange
"Security question answers" are akin to auxiliary passwords, which users will not use on a daily basis. Remembering a password that you almost never type is hard. Requiring exact case is likely to make the user fail to answer properly.
From a theoretical point of view, a "security question" is already a huge weakness, which you tolerate because some users will forget their password, and you want to handle that case with as much automation as possible, and not asking any security question would be even worse security-wise. Hence, the added value of security questions is that they allow a not-totally-open password reset process which can nonetheless be conducted automatically, i.e. at minimal cost for the server. Case sensitivity would probably remove much of that value. Actually, I would even recommend normalization by suppressing whitespace, punctuation and accents.
Security questions are basically another password. Ideally they should thus have the same properties as a password, i.e. reasonable length (greater than 8 characters), which is the most important property for defending against guessing and brute force.
This research study was posted here in a previous question: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxyZXVzYWJsZXNlY3xneDozNDcwNDhmMmE2MmJiMDkw
Its conclusions are that complexity is not that important against online entry. Thus, if you check for basic dictionary words, usernames, etc., have sufficient length, and implement an account lockout or exponential backoff, there is no significant benefit in also requiring complexity.
Of course the best would be to eliminate secret questions and add an out-of-band password reset method such as an SMS one-time password or even an email one-time password / link. Or stop managing passwords altogether and support an OAuth (e.g. Facebook Connect) or OpenID (Google etc.) based method of authentication.
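The two answers above make three concrete recommendations: normalize security-question answers (case, whitespace, punctuation, accents) before comparing them, keep the password itself exact, and rely on length plus lockout or exponential backoff rather than complexity rules. The following is an added example, not code from either answer or from any Stack Exchange user; the class names, the PBKDF2 iteration count and the backoff policy (the n-th consecutive failure locks the reset path for base * 2^(n-1) seconds) are constructed for illustration. Both secrets are stored only as salted PBKDF2-HMAC-SHA256 digests and compared in constant time.

```python
"""Added example: normalized security answers, exact-case passwords, salted
hashing of both, and exponential backoff on the reset path. Names, iteration
count and backoff numbers are constructed, not taken from any real system."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # constructed; tune upward for production hardware


def normalize_answer(answer: str) -> str:
    """Drop accents, whitespace and punctuation, then case-fold, so that
    'Saint-Étienne' and 'saint etienne' compare equal. Passwords never
    pass through this function: they are compared exactly as typed."""
    decomposed = unicodedata.normalize("NFKD", answer)   # split accents off
    kept = []
    for ch in decomposed:
        if unicodedata.combining(ch):                    # accent marks
            continue
        if ch.isspace() or unicodedata.category(ch).startswith("P"):
            continue                                     # whitespace, punctuation
        kept.append(ch)
    return "".join(kept).casefold()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the secret; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_secret(candidate: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_secret(candidate, salt)
    return hmac.compare_digest(digest, expected)


class ResetGuard:
    """Per-account exponential backoff for security-question attempts
    (constructed policy): the n-th consecutive failure locks the account
    for base_delay * 2**(n-1) seconds; a success clears the counter."""

    def __init__(self, base_delay: float = 1.0):
        self.base_delay = base_delay
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def can_attempt(self, user: str, now: float) -> bool:
        return now >= self.locked_until.get(user, 0.0)

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.locked_until[user] = now + self.base_delay * 2 ** (n - 1)


class Account:
    """Stores only salted digests; the password is hashed exactly as given,
    the answers are normalized first so that case and punctuation do not matter."""

    def __init__(self, user: str, password: str, answers: List[str]):
        self.user = user
        self.password_hash = hash_secret(password)
        self.answer_hashes = [hash_secret(normalize_answer(a)) for a in answers]

    def check_password(self, candidate: str) -> bool:
        salt, digest = self.password_hash
        return verify_secret(candidate, salt, digest)

    def check_answers(self, candidates: List[str], guard: ResetGuard, now: float) -> bool:
        """True only when every answer matches; every attempt, good or bad,
        is reported to the guard, and attempts during a lockout are refused."""
        if not guard.can_attempt(self.user, now):
            return False
        if len(candidates) != len(self.answer_hashes):
            guard.record(self.user, False, now)
            return False
        # Evaluate all answers (no short-circuit) so timing does not reveal
        # which one was wrong.
        results = [verify_secret(normalize_answer(c), salt, digest)
                   for c, (salt, digest) in zip(candidates, self.answer_hashes)]
        ok = all(results)
        guard.record(self.user, ok, now)
        return ok


if __name__ == "__main__":
    acct = Account("alice", "CorrectHorse", ["Saint-Étienne", "Rex the dog"])
    guard = ResetGuard()
    print("exact password:", acct.check_password("CorrectHorse"))
    print("wrong case password:", acct.check_password("correcthorse"))
    print("loosely typed answers:", acct.check_answers(["saint etienne", "REX, THE DOG."], guard, 0.0))
```

The `now` parameter is passed in rather than read from the clock so the backoff can be exercised deterministically; in a real service it would be the server time, and the per-user state would live in a shared store rather than a dictionary.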
Hello all,
So, like the title says, I have forgotten the password to my laptop. I believe I changed the password over a year ago and never really used it (just the PIN and fingerprint) and clearly picked something irregular. In turn, I can't seem to get the answers to the three security questions right (although I know what they should be); at least one is wrong, and I'm not sure if they are case sensitive, but a quick Google search suggests no. I can still log in easily enough because I have my fingerprint and PIN access, but I don't want to wait around for the laptop to require a password log-in.
There is a Microsoft account attached to the computer, but resetting the Microsoft account password (which I knew anyway) has no effect on the computer password (I assume it is a local account).
Additional notes:
The laptop used to run the Windows 10 operating system, but I upgraded it to Windows 11 recently.
I have seen two possible ways of fixing this issue on the internet so far, but they seem kind of dodgy, so I have avoided them.
Below is the link to the first one (although the comments suggest that if your device has encryption on it, it will not work, so I turned off encryption in the settings, but BitLocker encryption might still be active, not sure).
www.youtube.com/watch?v=0gOZoroPNuA&ab_channel=Britec09
The second option I have seen is creating a second administrator account and using that to change the password on this account, but it seems surprising that that would work.
I do not have a password reset disk.
If I go into Settings > Accounts > Sign-in options > Password, I can try passwords over and over again with little fuss. I can also go to the sign-in screen and try the security questions over and over.
From my searches so far it looks like I'm kinda boned, I think, but I thought I'd ask.
Edit:
Removed some information.
Solved. I ended up doing the following to change my password. Open cmd as administrator (being already logged in with PIN/fingerprint, obviously). Type in 'net user'. This identifies all the accounts on your computer: "Administrator, UserName, Guest, etc." Once you identify your account (whatever UserName is), you can type in 'net user UserName *' and will be prompted to type and retype a new password for the user.
Before I logged out I changed my security questions, which in Windows 11 can be found by typing "ms-cxh://setsqsalocalonly" into the Run command and typing in your new password. I also created a 'physical password reset disk' using a USB.
Got a bit stressed when my fingerprint and PIN number stopped working within Windows (checked by trying to look at my passwords in my browser, which prompts you to sign in with one). However, this was because I had changed the password and hadn't logged back in yet. I have now logged in and out several times and checked that fingerprint and PIN number are working properly to log in as well.
In the case of SQL Server:
string query = "select count(*) from login where userid=@userid and password=@Lee collate Latin1_General_CS_AS";
If this is a web application, MessageBox.Show() only shows on the server. It seems to work in development because your development machine is both the client and the server.