Thursday, September 18, 2008

Why Security Questions are a Bad Idea

Although some tout them as a way to increase security, I have always thought of security questions as a step backwards. If someone can guess a few simple facts about me instead of the complex password I dreamed up, the whole point of that complex password is defeated.

In the old days, if you forgot a password, it was emailed to the address on file. Now most sites have implemented security questions and let you reset a password simply by answering them correctly. The problem is that, in most cases, the questions are too simple: where were you born, what is your zip code, what is your pet's name, and so on. These are facts that anybody may be able to figure out by googling your name, particularly if you are a public figure.

In the news today, it was announced that Governor and VP nominee Sarah Palin's Yahoo email account was broken into using exactly these security questions (http://www.appscout.com/2008/09/hacking_sarah_palin_what_we_ca.php): her birthday, her zip code, and where she met her spouse. The questions were answered correctly in less than 45 minutes, after which the perpetrator had access to her account and was able to change the password to something else.

An email account is a little different from most other website accounts, since you might not have another email address to which a forgotten password can be sent. Even so, simple security questions like these should never be the sole means of gaining access to an account. Besides the security questions, there ought to be a secondary means of authentication, or some other way to deliver a forgotten password: sending it via text message, for example, or placing a telephone call to the phone number on the account. Security questions should be used to enhance an existing form of authentication; using them as the only form of authentication is a step backwards in the world of security.
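To make that recommendation concrete, here is an added example (not code from the original post) of a password-reset flow in which the security questions are only a step-up after a single-use code delivered to the phone number on file has been verified; the account record, questions and answers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    """Hypothetical account record; every value used below is constructed for the example."""
    answer_hashes: dict            # question -> hash of the normalised answer
    oob_code: str = ""             # single-use code sent to the phone number on file
    oob_expires: float = 0.0
    oob_verified: bool = False
    failed_oob: int = 0

def hash_answer(answer: str) -> str:
    # Answers are normalised (case, whitespace) and hashed, never stored in clear.
    return hashlib.sha256(" ".join(answer.lower().split()).encode()).hexdigest()

def send_oob_code(acct: Account, now: float, ttl: int = 300) -> str:
    # Step 1: random code over a second channel (SMS or voice call); delivery is simulated.
    acct.oob_code = f"{secrets.randbelow(10**6):06d}"
    acct.oob_expires, acct.oob_verified, acct.failed_oob = now + ttl, False, 0
    return acct.oob_code

def verify_oob_code(acct: Account, presented: str, now: float, max_attempts: int = 3) -> bool:
    # Step 2: the code must be unexpired, unused and within the attempt budget.
    if not acct.oob_code or now > acct.oob_expires or acct.failed_oob >= max_attempts:
        return False
    if hmac.compare_digest(acct.oob_code.encode(), presented.encode()):
        acct.oob_verified, acct.oob_code = True, ""   # consume: single use
        return True
    acct.failed_oob += 1
    return False

def allow_reset(acct: Account, answers: dict) -> bool:
    # Step 3: questions only add to the verified second channel; correct answers alone never suffice.
    if not acct.oob_verified or set(answers) != set(acct.answer_hashes):
        return False
    return all(hmac.compare_digest(acct.answer_hashes[q], hash_answer(a))
               for q, a in answers.items())

def demo(now: float = 1_700_000_000.0) -> tuple:
    acct = Account({"birthplace": hash_answer("Springfield"), "zip": hash_answer("12345")})
    answers = {"birthplace": "springfield", "zip": "12345"}   # googlable facts, as the post argues
    guessed_only = allow_reset(acct, answers)                 # no second factor -> denied
    code = send_oob_code(acct, now)
    reset_ok = verify_oob_code(acct, code, now) and allow_reset(acct, answers)
    replayed = verify_oob_code(acct, code, now)               # code already consumed -> denied
    return guessed_only, reset_ok, replayed                   # (False, True, False)
```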
