Sunday, September 7, 2008

“Forgot your password” links: Backdoor for Hackers

"Forgot your password?" features give businesses and site owners a simple way to let a user reset a forgotten password, provided the user can prove their identity by answering a few personal questions that should be known only to the rightful account holder. For years the typical question was, of course, the "mother's maiden name" challenge. In recent years, additional challenges have emerged, such as asking for the street you grew up on, your favorite pet, or your grandparents' first names.

The question is whether they are all really secure. They were safe decades ago, but not in this internet era, where information keeps pouring in and personal details drawn from your past are now widely available for public consumption. There is no statistical data to support this, but isolated cases have been reported, and even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. You may visit this great article on how it's done if you seek more proof.

The solution is clear: don't use data that can be easily guessed or easily discovered. You may twist the data a little (for example, answer "1Hannah1" to the "your mother's maiden name" question even though the real name is Hannah), or use a completely different set of answers for those questions. Make sure to write them down and keep them in a safe place.

