Ask better password questions
By asking better password reset questions, you'll keep passwords more secure I just love how many Web sites take my complex, hard-to-guess password and make it as easy to crack as guessing my favorite color or the city of my birth. It seems nearly every Web site comes with user-accessible, self-service, password reset questions, and nearly all of those same sites make resetting or obtaining my password magnitude
Follow @rogeragrimesBy asking better password reset questions, you'll keep passwords more secure
I just love how many Web sites take my complex, hard-to-guess password and make it as easy to crack as guessing my favorite color or the city of my birth. It seems nearly every Web site comes with user-accessible, self-service, password reset questions, and nearly all of those same sites make resetting or obtaining my password magnitudes easier than actually knowing my correct password. Thanks.
I can understand why Web sites want a user-based, self-service, password reset feature. Users who forget or mistype their passwords comprise one of the most frequent support requests. I've read many studies that place the cost of each help desk password reset assistance call at $60 to $90. I don't mind the self-service part; it's the incredible weakening of security that bothers me.
Most Web sites put forth a handful or two of weak questions that you must use. The Web site administrators think that the questions are personal enough that only the person who answered them would know the correct answers. The problem is that the questions are often information that is known by lots of people, or they contain information that can be found by searching on the Internet.
For example, one common question is, "Your birthplace city?" I mean, how many people know that besides the account holder? Well, how about that person's close friends, family members, spouse, old boyfriend or girlfriend, and anyone who has ever viewed any credit card application you've ever filled out? And let's not mention all the databases you can search online to find out the birthplace of any person.
How about being asked to fill in your mother's maiden name? Again, you can point to the same suspects as in the previous question, but now add genealogy databases to the mix. Another favorite weak question is, "Your favorite pet's name?" First off, dogs are the most popular pets, and you'd be surprised about how common most dogs' names are. Mark Burnett's book on passwords, Perfect Passwords, has a list of the most common dog names. I was surprised to see my own dog's name, Abby, on the list. Mark's book also lists the most common colors, cities (that is, birthplace cities), and hobbies.
If a Web site under your control has one of these password reset features that use self-service, weak security questions, make sure the questions are truly capable of being known by only one person. Assume that the person's closest loved one ends up being their worst enemy and is motivated to break into their account.
