Aug 15, 2008

The Security Question Vulnerability

It's common for sites that require logon credentials to let you set a "security question" that they may ask you in case you forget your password. An entry on the Securiteam blog challenges the security of this system, at least as many sites implement it.

The gist of the challenge is that it's easy to research the answers to many of the stock questions that services ask. The blog looks at Windows Live Mail, Yahoo! Mail and GMail. Of those three, only GMail allows you to define your own question, presumably one harder to research (e.g. "What girl did I have a secret crush on in 8th grade?").

The blog also makes the obvious suggestion that you can lie; take an easy question, like "What is your father's middle name?" and make the answer your phone number. There is a hole in this theory: if you can't remember your own user name and password, why would you expect to remember the inaccurate answer you provided to one of these questions?

Still, they make a good point that you need to be careful in choosing a security question. Too easy an answer and a stranger (or, easier, someone who knows you) can steal the account away.
