The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you your date of birth, zip code and country of residence as a proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stops someone from stealing your identity online.
Even the sites that try to be secure by asking more personal questions such as "the name of your childhood pet" or "where you met your spouse" fail, because people often write about their childhood pets and tell stories about how they met (http://search.live.com/results.aspx?q=wedding+"how+we+met"&go=&form=QBRE) on wedding sites all over the Web.
Web developers need to start considering whether it isn't time to put password recovery features based on asking personal questions out to pasture. I wonder how many more high-profile account hijackings it will take before this becomes as abhorred a practice as emailing users their forgotten passwords (you know why this is wrong, right?).
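The reason emailing a forgotten password is abhorred is that a site can only send it if the password sits in recoverable form somewhere on its servers, so a database leak hands every account to the attacker at once. The alternative that does not depend on either a recoverable password or a guessable personal question is a slow, salted one-way hash for the password itself plus a random, single-use, time-limited reset token that is delivered out of band and stored only as a hash. The following is an added example illustrating that pattern; it is not code from the original post. The in-memory `USERS` and `RESET_TOKENS` dictionaries, the function names and the 15-minute token lifetime are assumptions standing in for a real site's database and policy.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a database (assumption, not any real site's schema).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is good for 15 minutes
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash: the site can check a password but never recover it,
    which is exactly why it can never e-mail it to anyone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so the check leaks nothing about how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a random, single-use, time-limited token and return it for the e-mailed link.

    Only the token's SHA-256 digest is stored, so a leaked RESET_TOKENS table cannot be
    replayed. Returns None for unknown users; the caller should respond identically in
    both cases so the endpoint does not reveal which usernames exist.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG, nothing guessable
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    RESET_TOKENS[digest] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token and set a new password hash.

    Fails on unknown, expired or already-used tokens. The token is popped before any
    check so that even a failed attempt burns it (single use).
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or now > entry["expires"]:
        return False
    salt = secrets.token_bytes(16)
    USERS[entry["user"]] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True
```

Note what the reset path never asks: no date of birth, no childhood pet, nothing an attacker could read off a profile page. Its only secret is the token, which exists for minutes, is usable once, and is known to the site only as a digest. Passing `now` explicitly is there so the expiry logic can be exercised deterministically.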
I think the point that aircorpa was making was that if Sarah Palin had said she'd gone to Bannana Sponge Hat 3456 High School and that she'd met her husband at 45$% Fght qwerty poiuyt Street, it wouldn't matter what anyone read about her in Wikipedia or elsewhere; the passwords wouldn't be found there. When Hotmail etc. asks you your favourite colour and you answer Tuesday, it isn't going to tell you that Tuesday isn't a colour - but you'll have to remember the answer you've given.

Perhaps I'm thinking about it too hard...
But the original article concerned the "forget your password" feature or "password recovery" feature. So it doesn't matter how secure your password is if someone else can utilise the fyp feature and "recover" it.
Here is an excerpt from the hacker who used this to get into Sarah Palin's Yahoo account.
btw does anyone know why the practice of emailing users their forgotten passwords is wrong/abhorred?
aj
Do you not have to remember the fake answers you gave? - if you can remember these, then surely you can remember your password. In other words, you are back to square one.

Maybe I'm not explaining myself very well. If you make up the answers with fake ones, no one can look them up because they aren't real.
But if you use fake information then, should you want to use the recover password option, it is unlikely that you would remember your fake answers.
Some sites allow you to set your own security question. This form of password recovery is a little more robust than the Palin example.