Mother's Maiden Name

September 19, 2008 3:33 PM

Dare Obasanjo on the hacking of Sarah Palin's Yahoo! account via the "forgot my password" feature.

The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you your date of birth, zip code and country of residence as a proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stops someone from stealing your identity online.

I've always wondered how this became accepted practice. For decades we've warned people not to use easily guessable passwords—dates of birth, names of children or pets—but somehow this is acceptable for password recovery?

The fundamental paradox of password recovery is that the recovery channel must be at least as secure as the original password, because ultimately that's what it is: an alternative to your password. And since you'll be using the recovery far less often than you might use the password, your chance of remembering any secret with even password-grade security when you finally get around to needing it has to be pretty slim.

(For the record, I always leave recovery questions blank, or if forced I come up with something random then immediately forget it.)

I wrote a guide to password recovery back in 2002 that might still be worth a read.

5 Comments

I've got another answer - I lie. Not for my public stuff, but for my password recovery questions.

But then you have those sites--typically banking--that have you answer these sorts of questions *in addition* to your password.

I always leave recovery questions blank, or if forced I come up with something random then immediately forget it

Word to the wise: don't use that technique on the Medicare website. Unless you enjoy pain.

Great document on password recovery! How's about adding this for a way to improve the email approach:

  1. The user fills in a form requesting password recovery, and supplies a new one-time temporary password.

  2. An email is sent to the user's registered address with a one-time link to the site (but without the temporary password).

  3. Clicking the link takes the user to a special form requesting the temporary password.

  4. If that is entered successfully, the user is considered as authenticated and must enter a new password.

The site is of course secure, so no passwords are ever transmitted either way as plain text. The one-time password and link can be made to expire if desired.
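The four-step flow proposed in this comment, together with the post's point that the recovery channel has to carry a secret at least as strong as a password, as a worked example. This is added illustrative Python, not code from the blog or from the commenter; the in-memory user table, the 15-minute expiry, the `example.invalid` link host and the `outbox` list standing in for the mail server are all assumptions. The one-time link token is 256 random bits (far beyond any date-of-birth-plus-zip-code question), the email carries only the link, the temporary password is stored only as a slow salted hash, and the link is burned on first use whether or not the temporary password was right, so a stolen link cannot be used for repeated guessing.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes
PBKDF2_ROUNDS = 100_000


@dataclass
class PendingReset:
    user: str
    temp_pw_hash: bytes   # PBKDF2 of the temporary password typed into the request form
    salt: bytes
    expires_at: float


def _slow_hash(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for the user-chosen temporary password (it may be weak)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _token_key(token: str) -> str:
    """The link token is 256 random bits, so a plain SHA-256 suffices; storing only
    the hash means a leaked pending-reset table yields no usable links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetService:
    def __init__(self, users: dict[str, str], clock=time.time):
        self.users = users                          # username -> registered email (constructed data)
        self.clock = clock                          # injectable so expiry can be exercised
        self.pending: dict[str, PendingReset] = {}  # keyed by hash of the link token
        self.outbox: list[tuple[str, str]] = []     # (recipient, link) stand-in for SMTP
        self.passwords: dict[str, str] = {}         # username -> new password (demo only)

    def request_reset(self, user: str, temp_password: str) -> None:
        """Steps 1 and 2: remember the temporary password, email a one-time link."""
        if user not in self.users:
            return  # identical outward behaviour for unknown users: no account enumeration
        token = secrets.token_urlsafe(32)   # 256 bits of entropy in the recovery channel
        salt = secrets.token_bytes(16)
        self.pending[_token_key(token)] = PendingReset(
            user=user,
            temp_pw_hash=_slow_hash(temp_password, salt),
            salt=salt,
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        # The mail carries the link only; the temporary password is never sent anywhere.
        self.outbox.append((self.users[user], f"https://example.invalid/reset?t={token}"))

    def complete_reset(self, token: str, temp_password: str, new_password: str) -> bool:
        """Steps 3 and 4: link plus temporary password together authenticate the user."""
        # pop(): the link is consumed on its first use, whatever the outcome
        record = self.pending.pop(_token_key(token), None)
        if record is None:
            return False
        if self.clock() > record.expires_at:
            return False
        supplied = _slow_hash(temp_password, record.salt)
        if not hmac.compare_digest(supplied, record.temp_pw_hash):
            return False  # wrong temporary password burns the link; start over from step 1
        self.passwords[record.user] = new_password
        return True


if __name__ == "__main__":
    svc = ResetService({"alice": "alice@example.invalid"})
    svc.request_reset("alice", "one-time-temp-7")
    recipient, link = svc.outbox[0]
    print("mail to", recipient, "->", link)
    token = link.split("t=", 1)[1]
    print("reset accepted:", svc.complete_reset(token, "one-time-temp-7", "n3w-p4ssw0rd"))
    print("replay accepted:", svc.complete_reset(token, "one-time-temp-7", "again"))
```

Because the link and the temporary password travel over different channels (email versus the browser session that filled in the form), an attacker needs both; the expiry and single-use `pop()` bound how long a captured link stays interesting.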

I completely agree! I've often wondered to myself while filling those silly things out, "Now why couldn't someone just look up what my Elementary school's mascot was?"

Seriously, though.

Steven Kelly - great idea. I hope it becomes the new trend. :)
