Editing Password (section)

===Procedures for changing passwords===

{{Main|Self-service password reset}}

Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via [[Telephone tapping|wiretapping]]) before the new password can even be installed in the password [[database]] and if the new password is given to a compromised employee, little is gained. Some websites include the user-selected password in an [[Plain text|unencrypted]] confirmation e-mail message, with the obvious increased vulnerability.

[[Identity management]] systems are increasingly used to automate the issuance of replacements for lost passwords, a feature called [[self-service password reset]]. The user's identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened).

Some password reset questions ask for personal information that could be found on social media, such as mother's maiden name. As a result, some security experts recommend either making up one's own questions or giving false answers.<ref>{{cite web |url=http://www.techlicious.com/tip/why-you-should-lie-when-setting-up-password-security-questions/ |title=Why You Should Lie When Setting Up Password Security Questions |publisher=Techlicious |date=8 March 2013 |access-date=16 October 2013 |url-status=live |archive-url=https://web.archive.org/web/20131023045034/http://www.techlicious.com/tip/why-you-should-lie-when-setting-up-password-security-questions/ |archive-date=23 October 2013 }}</ref>