Every social network, every webmail system and every website that requires registration before you can browse or use its services has some way of reminding registered members of their passwords. Some simply ask for an ID of some kind and send a new password to the email address on file. Others are more sophisticated and require entering a mother's maiden name or the name of a kindergarten teacher. Security questions are there to ensure that you, and only you, can reset a forgotten password or have the old one sent to your email. But is it really impossible for someone else to get hold of your password?
Security expert Herbert Thompson ran an experiment in which he tried to break into several bank accounts using only information available to anyone on the Internet. To Thompson's own surprise, it took only a few minutes to reach the "victim's" money. He found that knowing a person's full name and employer was enough to turn up more information than he needed: place of birth, ZIP code, pet names, middle name and so on. He then used the gathered information to reset the passwords on the bank account and on the email account.
Although scammers do not use this research strategy to steal money, it is scary how much personal information is shared online and how insecure the "Forgot your password?" function is. Thompson encourages banks and other websites to use more demanding security questions, but the task is not simple. If the question is too easy, many people can guess the answer; if it is too hard, the legitimate user struggles to remember the answer as well.
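As an added illustration, not part of the original post, the Python sketch below contrasts the weak check behind a security question (a low-entropy, publicly discoverable answer that a short list of gathered candidates can hit) with the usual alternative: a random, single-use, time-limited reset token that only the registered email address receives and that is stored hashed. The account record, the candidate pet names, the token store layout and all function names are constructed for this example.

```python
"""Password reset: knowledge-based security answer vs. random single-use token.

Added example; all names and data below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample account (not real data). The "secret" is the kind of
# fact a security question relies on: stored hashed, but drawn from a tiny,
# guessable space and often visible on a social-network profile.
ACCOUNT = {
    "email": "alice@example.com",
    "pet_name_hash": hashlib.sha256(b"fluffy").hexdigest(),
}


def verify_security_answer(account, answer):
    """Weak reset check: compare a normalized answer to the stored hash."""
    digest = hashlib.sha256(answer.strip().lower().encode()).hexdigest()
    return hmac.compare_digest(digest, account["pet_name_hash"])


# Constructed stand-in for what an attacker gathers from public profiles;
# a real list would be longer, but the answer space stays small.
OSINT_CANDIDATES = ["rex", "max", "bella", "fluffy", "buddy"]


def guess_security_answer(account, candidates=OSINT_CANDIDATES):
    """Try every gathered candidate. Returns (answer, attempts) or (None, n)."""
    for attempts, candidate in enumerate(candidates, 1):
        if verify_security_answer(account, candidate):
            return candidate, attempts
    return None, len(candidates)


# --- Token-based reset: nothing to research, nothing to memorize ----------
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid


def issue_reset_token(store, email, now=None):
    """Create a random single-use token for `email`; only its hash is stored.

    The returned token is what would be sent to the registered address.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    store[email] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    return token


def redeem_reset_token(store, email, token, now=None):
    """Accept a token once, only before expiry, compared in constant time."""
    now = time.time() if now is None else now
    record = store.get(email)
    if record is None or record["used"] or now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["hash"]):
        return False
    record["used"] = True  # burn the token so a replay fails
    return True


if __name__ == "__main__":
    answer, tries = guess_security_answer(ACCOUNT)
    print(f"security question broken with {tries} guesses: {answer!r}")
    store = {}
    tok = issue_reset_token(store, ACCOUNT["email"])
    print("token accepted once:", redeem_reset_token(store, ACCOUNT["email"], tok))
    print("token replayed:", redeem_reset_token(store, ACCOUNT["email"], tok))
```

The point of the contrast is where the secret comes from: a security answer is chosen from a space the attacker can enumerate after a few minutes of searching, while the token is generated by the site, never shown to anyone but the mailbox owner, and dies after one use or fifteen minutes. Real deployments would also rate-limit the endpoint and avoid revealing whether the email address exists.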
October 31st, 2008 at 9:01 am
[...] messages; otherwise it will only take one guy with average knowledge to check your mail for you. The “Forgot your password?” link is also known for questionable security measures. Do not use a web email system if it can be accessed by anyone who knows your ZIP code and the name [...]