Secret Questions


xpgeek
06-04-2006, 12:37 PM
I saw this post on the neowin forums this morning:

This is just one of those coincidences that can happen. A journalist from Norway's biggest online newspaper, www.vg.no, logged into someone else's Gmail account. Without even knowing it. It started with him logging on to the wrong site, Google Accounts, instead of his Gmail account. And when he did this, he thought that he created the new email account. He got a message that he had the wrong password, and clicked through the forgotten password wizard. He was asked the question, "what is your father's middle name?" And he got it right!! Because he actually had a father with that middle name. At the time he did not know that he was on the wrong account. And now he suddenly had access to the other man's account. Very freaky indeed.

Which made me reply with:

Which is why people need to learn to set better secret questions.

This is a security issue that unfortunately is not discussed very often, but I tell people all the time NEVER to use your mother's maiden name, pet's name, anything like that, as your secret question. It should be a question and answer that NO ONE but you could possibly ever know. Or, I tell people, use the standard question, like pet's name, and then think of something completely different that this question makes you think of, which gives you an answer no one could ever possibly guess or find out.

This really is a pretty big security issue that I hardly EVER see discussed anywhere. So many times I've heard the stories of people having their Hotmail, or whatever, account hacked, and being told that they guessed your secret question. That really is the easiest way to do it.

Just think about how easy it is today to find the answer to an easy secret question. Mother's maiden name, pet's name: I, or anyone, could probably find the answer to that with a half hour of Googling the person's real name or screen name.

I myself have failed to ever post an article about this issue before, but I warn people I know constantly to be aware of the quality of their secret questions. To use your mother's maiden name, pet's name, city of birth, anything like that, which is easily discovered information in today's connected world, is extremely unwise.

You can have the most complex, uncrackable password of all time, but if your secret question can be answered by anyone with ten minutes of Googling, why bother having a password at all, I say.

ALWAYS actually think about the answer you're supplying for your secret question, I tell people. If it's a simple one, go change it. Make it something easy to remember, but something ONLY YOU could possibly know. A lot of sites that allow the setting of secret questions for forgotten passwords now allow the creation of a custom question to be asked, too. And if a site doesn't, don't answer the question directly: think about something completely off topic from what the question asks for, something this question makes you think of, or something related to it but so far in your past that no one but you could possibly know the answer or ever find it online somewhere.

I'll go as far, when talking about mine, to say my secret question is pet's name, but the answer is something from my early childhood that wasn't even my pet, or even a pet at all really, but something embedded in my memory forever. NO ONE but me could possibly ever know the answer.
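The coincidence in the quoted story and the post's "easiest way is to guess it" argument can be put in numbers. The Python below is an added example, not code from the thread or either poster: it uses a constructed, made-up frequency table of answers to "what is your father's middle name?" and an assumed uniform space of 1000 answers standing in for the post's custom, off-topic answer, and measures how often two strangers' truthful answers collide, how many best-first guesses reach a given success rate, and whether an answer sits among the most common ones.

```python
from fractions import Fraction

# Constructed toy frequency table (not real statistics) of answers to
# "what is your father's middle name?", counts per 100 accounts.
FATHER_MIDDLE_NAME = {
    "james": 20, "john": 16, "robert": 14, "michael": 12, "william": 10,
    "david": 8, "richard": 6, "joseph": 5, "thomas": 4, "charles": 3,
    "edward": 2,
}
# Constructed comparison: an off-topic custom answer, assumed uniform over
# 1000 possibilities, standing in for the post's "only you could know" policy.
CUSTOM_ANSWER = {f"answer{i}": 1 for i in range(1000)}

def normalize(answer: str) -> str:
    """Case- and whitespace-fold the way a recovery form typically does."""
    return " ".join(answer.lower().split())

def probabilities(counts: dict) -> list:
    """Answer probabilities, most common first."""
    total = sum(counts.values())
    return sorted((Fraction(v, total) for v in counts.values()), reverse=True)

def chance_match(counts: dict) -> Fraction:
    """Probability that two unrelated people give the same answer (sum of p_i^2):
    the journalist's coincidence in the thread above."""
    return sum(p * p for p in probabilities(counts))

def guesses_for_success(counts: dict, target) -> int:
    """Guesses needed, most common answer first, before the cumulative chance
    of hitting a random account's answer reaches `target` (Fraction or float)."""
    cumulative = Fraction(0)
    for n, p in enumerate(probabilities(counts), start=1):
        cumulative += p
        if cumulative >= target:
            return n
    return len(counts)

def recovery_check(stored: str, supplied: str) -> bool:
    """What the wizard does: a string compare. It cannot tell the owner from a
    stranger whose father happens to share the middle name."""
    return normalize(stored) == normalize(supplied)

def answer_is_weak(answer: str, counts: dict, top: int = 5) -> bool:
    """Policy check in the spirit of the post: flag an answer that is among the
    `top` most common answers to that question."""
    ranked = sorted(counts, key=counts.get, reverse=True)[:top]
    return normalize(answer) in ranked
```

With the constructed table, two strangers match one time in eight and three guesses cover half of all accounts, against one in a thousand and 500 guesses for the custom-answer policy.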