ghacks Technology News

Password Recovery Questions Make Online Accounts Vulnerable


Password recovery questions are great for recovering a forgotten password in a matter of seconds. All that needs to be done is to answer the recovery question, and a new password arrives in the email inbox. This does, however, make email hacking a profitable business, as email accounts are usually connected to online stores and other web services. Attackers with access to a compromised email account only need to answer the secret question to retrieve the password of the web account. The mechanism is still more secure than sending out the password on the user’s request without any confirmation.

A recent study shows, on the other hand, that password recovery questions are usually answered honestly. Questions about the town of birth, mother’s maiden name or first pet’s name can sometimes be guessed easily. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.

Password recovery questions should therefore not be answered honestly. Experienced users fill them out with password-like random strings, which makes the answers more or less impossible to guess. These answers can then be stored in a password manager as notes.
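The advice above in working form, as an added example that is not part of the original article: a small script (function and note names are my own) that generates a random recovery answer from the OS random source, builds the note entry to keep beside the login in a password manager, and contrasts its entropy with that of an honest answer drawn from a small pool such as a list of towns.

```python
import math
import secrets
import string

# Letters and digits only: many recovery forms reject or truncate punctuation
# (assumption), and the answer is pasted from the manager, never typed from memory.
ANSWER_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of `length` independent uniform picks from a pool of `pool_size`.
    An honest answer is one pick from a small pool (e.g. ~20,000 town names);
    a random answer is `length` picks from the 62-character alphabet."""
    return length * math.log2(pool_size)


def make_recovery_answer(length: int = 24) -> str:
    """Random answer with no relation to any question; secrets, not random."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def make_note(site: str, question: str, length: int = 24) -> dict:
    """Note entry to store alongside the site's login in a password manager."""
    return {
        "site": site,
        "question": question,
        "answer": make_recovery_answer(length),
        "entropy_bits": round(entropy_bits(length, len(ANSWER_ALPHABET)), 1),
    }


if __name__ == "__main__":
    # Constructed sample: a hypothetical site and the usual three questions.
    for q in ("mother's maiden name", "first pet's name", "town of high school"):
        print(make_note("example.com", q))
    # Honest answer from a pool of about 20,000 towns, for comparison.
    print("honest town answer ~ %.1f bits" % entropy_bits(1, 20_000))
```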

How do you handle password recovery questions?




Categories: Security, The Web




10 Responses to “Password Recovery Questions Make Online Accounts Vulnerable”

  1. cmpm says:

    I have an answer that has nothing to do with the security question.
    It’s not likely anyone could figure out the answer to any question,
    when the answer is totally unrelated to the question or any question.
    But I also try not to confuse myself as well, :)

  2. John says:

    About time someone saw sense on this matter. Banks are even worse than websites. These days I lose my temper when they ask for my mother’s maiden name as a security marker – half the financial institutions on this planet (and their staff) must have that info by now – as a security device it gets 1/10.

    But – as a more sensible bank employee assured me – the answer doesn’t of course need to be literally correct. You can say your mother’s name was Chewbacca just as long as you remember that.

    But that still doesn’t, of course, address the issue that a large proportion of the security problem originates from WITHIN banks and financial institutions where – I am MOST reliably informed – the standards of internal security are often laughable.

  3. DanTe says:

    The answer to all my password recovery question is: sakljg;aghjk’sl;ksfhgait
    q4\=q3i5

    I keep all my passwords in one master encrypted spreadsheet stored on a detached Ironkey USB drive.

  4. xdmv says:

    A useful tip is think that you are ANOTHER person. Then the answer would be honest, but not for YOU… ;-)

  5. Transcontinental says:

    The last password recovery question I encountered was the name of my pet : I admit I never had a pet named: $WSo,)EEI4KMy_#YUS\wUba-Bd9+a62(
    Poor cat!

  6. Greg says:

    Yeah, to be honest a lot of the questions are things like

    “what’s your mother’s maiden name?”
    “what’s your first pet’s name?”
    “in what town was your high school?”

    This is all stuff that people close to me would know, particularly family members and as you can pick your friends, not your family…. I would trust my family the least out of anyone!

  7. Dave says:

    If you have a password manager that you are storing answers to recovery questions in, wouldn’t you already have the forgotten password in the manager as well?

    Regardless, one of my greatest pet peeves about password recovery questions is the use of subjective questions. “What’s your favorite movie” will probably be different 3 years from now when I forget my password and need to recover it. They should be more concrete like “What city was your father born in?” That will never change.

    So anyway, I *love* the idea of putting an answer completely unrelated to the question. That’s brilliant. Thanks for the suggestion.

  8. Tobey says:

    True indeed. This leads me to an idea to use the same string for the answer as for the password itself and of course, for the worst case, have the password backed up in KeePass/alternative. Will start implementing that as of now since forced question-answer measures are a serious vulnerability, all the more if you’re not offered a more “safe” question. IMHO asking for mother’s maiden name is one of the stupidest options, literally anyone can find out, possibly even using the Net/social networks.

    Thanks for the tips

  9. Roman ShaRP says:

    I always choose custom questions and put in them things that nobody else can know.


© 2005-2009 Ghacks.net. All Rights Reserved. Privacy Policy - About Us