September 18, 2008
Guarding Passwords with Sieves
I've written before about the faults of so-called "security questions" that form part of the login credentials at some sites. These questions are intended to give the site a way to "assure" itself that anyone trying to do something sticky with the account (e.g., resetting a password or retrieving a lost one) is the user ID's owner. The problem, however, is that such questions are all too often very simple things about a favorite such-and-such, city of birth, or similar twaddle: data that socially-minded Web 2.0 users have likely already posted to dozens of web pages, and that in any case is drawn from a small, skewed set of answers an attacker can simply work through.
Such, apparently, was the case of Vice Presidential nominee Sarah Palin, whose Yahoo email account was reportedly cracked this week. If we can believe the self-confessed cracker's own account, all it took was a little bit of Googling to successfully answer the three challenge questions (one of which could have had a lot of possible combinations in the answer).
Certainly, the target in this case was a potentially juicy one. But even if you're not in the public eye, your login credentials to a variety of accounts could be of substantial value—if not directly monetarily, then for possible leaks of inside corporate information or even offhand comments in email that could get you fired or worse.
When I'm faced with a choice of security questions, I aim for the one whose answer is least likely to be guessed by an internet troll. At the same time, however, I have to pick one whose answer I will not forget. Sometimes the choices are so limited that it's damned near impossible to be opaque.
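To put numbers on the argument above, here is an added example (mine, not part of the original post) that models the "how guessable is this question?" decision. The answer distributions for favorite color and first pet's name are constructed for illustration, not survey data; the date question is modeled as a uniform pick over every day in an 80-year span; the password baseline assumes 8 characters from the 94 printable ASCII characters. The interesting outputs are min-entropy (how hard the single most popular answer is to guess), the chance an attacker who knows only the population's habits succeeds before a lockout of a few attempts, and a ranking that picks the least guessable question.

```python
import math
from typing import Dict, List, Tuple

# Constructed, illustrative relative weights (NOT survey data): answer -> how
# often a population gives it.  The skew is the whole point: a handful of
# popular answers cover most accounts.
FAVORITE_COLOR = {
    "blue": 35, "green": 15, "red": 12, "purple": 10, "black": 8,
    "pink": 6, "orange": 4, "yellow": 4, "white": 3, "other": 3,
}
# Top answers only; the remaining mass is spread over a long tail below.
FIRST_PET_TOP = {"max": 9, "bella": 7, "buddy": 6, "lucy": 4, "charlie": 4}

# A date-style question: big space, but uniform and trivially enumerable.
DATE_SPACE = 366 * 80          # every day over an 80-year span (assumption)


def with_tail(top: Dict[str, float], tail_mass: float, tail_size: int) -> Dict[str, float]:
    """Model unlisted answers as `tail_size` equally weighted entries sharing `tail_mass`."""
    dist = dict(top)
    for i in range(tail_size):
        dist[f"tail-{i:04d}"] = tail_mass / tail_size
    return dist


def uniform_dist(size: int) -> Dict[str, float]:
    """An answer chosen uniformly from `size` possibilities (e.g. a date)."""
    return {str(i): 1.0 for i in range(size)}


def normalize(counts: Dict[str, float]) -> Dict[str, float]:
    """Turn relative weights into probabilities."""
    total = float(sum(counts.values()))
    return {k: v / total for k, v in counts.items()}


def descending(dist: Dict[str, float]) -> List[Tuple[str, float]]:
    """Optimal attacker order: most popular answer first."""
    return sorted(dist.items(), key=lambda kv: kv[1], reverse=True)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Worst-case strength: bits of work to guess the most common answer."""
    return -math.log2(max(dist.values()))


def success_within(dist: Dict[str, float], attempts: int) -> float:
    """P(attacker who knows only the population distribution wins within
    `attempts` tries), i.e. before a lockout of that many attempts kicks in."""
    return sum(p for _, p in descending(dist)[:attempts])


def expected_guesses(dist: Dict[str, float]) -> float:
    """Mean number of tries under the optimal guessing order (guesswork)."""
    return sum(i * p for i, (_, p) in enumerate(descending(dist), start=1))


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


def rank_questions(questions: Dict[str, Dict[str, float]]) -> List[str]:
    """The post's rule: prefer the question whose answer is least guessable,
    measured here by min-entropy, strongest first."""
    return sorted(questions, key=lambda q: min_entropy_bits(questions[q]), reverse=True)


if __name__ == "__main__":
    questions = {
        "favorite color": normalize(FAVORITE_COLOR),
        "first pet": normalize(with_tail(FIRST_PET_TOP, tail_mass=70, tail_size=700)),
        "birth date": normalize(uniform_dist(DATE_SPACE)),
    }
    for name in rank_questions(questions):
        d = questions[name]
        print(f"{name:15s} min-entropy {min_entropy_bits(d):5.2f} bits, "
              f"P(win in 5 tries) {success_within(d, 5):.4f}, "
              f"expected guesses {expected_guesses(d):.1f}")
    print(f"{'8-char password':15s} {password_bits(94, 8):5.2f} bits (uniform)")
```

Note that the ranking only captures population-level guessability. The Googling attack the post describes is worse: once the attacker has read the victim's profile, the distribution collapses to a single answer and every question on the list has zero remaining entropy, which is why the "nobody else would know or care" criterion at the end of the post matters more than the size of the answer space.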
I'd much rather be allowed to create my own security question because there are people I've known, places I've been, things I've seen for which no internet trail exists—yet those things are so ingrained in my life's memory that I'll always remember them. They're just not important enough to others for me to broadcast in my blog or trumpet on a Facebook page.

Posted on September 18, 2008 at 04:34 PM