Security questions are a security risk
Posted by Joshua Bardwell in Technology on September 18th, 2008
I don’t like the security questions that many sites ask you for. You know, like, “What is your mother’s maiden name?” or, “Where did you go to high school?” My position is that this is just replacing a strong password with a weak one. The answer to the security question is very likely to be a relatively weak password: short, made up of English words, not containing any capital letters or numbers, and so forth. If you can reset my strong password by guessing a weak one, then you have encouraged me to circumvent my strong password. Additionally, the type of info that the security question asks for (mother’s maiden name, high school, etc.) is more likely to be publicly available on the Internet, making a brute force attack unnecessary.
Anyway, so you might have heard that Sarah Palin’s Yahoo email account got hacked. How did they do it? Password reset. They used her birthdate, zip code, and the answer to her security question, which was, “Where did you meet your spouse?” (Answer: Wasilla High.) All of that info is publicly available.
Fuck you Fake Security.
Do what I do: choose a strong password. Keep it safe. When the site asks you for a security question, input your password as the answer. Now your security question is just as strong as your actual login. And if you lose the password? Well, just don’t. Or, the alternative is to use an easy password and accept that your account might get hacked. It probably won’t, but if you’re the governor of Alaska, maybe you shouldn’t take that chance.
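To make the “weak password” argument concrete, here is an added example (my own code, not part of the original post): a rough estimate of how much guessing a security answer really costs an attacker, and a generator for a variant of the advice above, a separate random answer per site kept alongside the password. The PUBLIC_ANSWERS list, DICTIONARY_SIZE and WEAK_BITS are constructed assumptions for illustration.

```python
import math
import re
import secrets
import string

# Constructed sample of answers an attacker can simply look up (public records,
# social media, news coverage); a real list would be far larger.
PUBLIC_ANSWERS = {"smith", "johnson", "wasilla high", "central high"}

# Assumed sizes: a plausible pool of English words or place names per word,
# and the bar below which an answer is a weaker secret than a decent password.
DICTIONARY_SIZE = 50_000
WEAK_BITS = 60
ALPHABET = string.ascii_letters + string.digits


def estimated_guess_bits(answer: str) -> float:
    """Rough work, in bits, an attacker needs to guess this security answer."""
    normalized = " ".join(answer.lower().split())
    if not normalized or normalized in PUBLIC_ANSWERS:
        return 0.0  # empty, or already public: no guessing required
    if re.fullmatch(r"[a-z]+( [a-z]+)*", normalized):
        # Plain words are guessed per word from a dictionary, not per character,
        # so "Jefferson Middle" is worth about two dictionary lookups.
        words = normalized.count(" ") + 1
        return words * math.log2(DICTIONARY_SIZE)
    charset = 0  # mixed content: credit only the character classes actually used
    if re.search(r"[a-z]", answer):
        charset += 26
    if re.search(r"[A-Z]", answer):
        charset += 26
    if re.search(r"[0-9]", answer):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", answer):
        charset += 33
    return len(answer) * math.log2(charset)


def is_weak_answer(answer: str) -> bool:
    """True when the answer is an easier target than the password it can reset."""
    return estimated_guess_bits(answer) < WEAK_BITS


def random_answer(length: int = 20) -> str:
    """Generate a password-strength answer; a digit is always included so it
    can never be mistaken for dictionary words."""
    chars = [secrets.choice(ALPHABET) for _ in range(length - 1)]
    chars.insert(secrets.randbelow(length), secrets.choice(string.digits))
    return "".join(chars)
```

Running `is_weak_answer("Wasilla High")` returns True (the answer is public, zero bits), while `random_answer()` produces something well above the threshold.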
