Thursday, March 04, 2010

On the Internet, everybody knows your dog's name

Thank you to my friends at Vodafone in Germany for sending me a pointer to this article in Fortune Magazine. We have been having a lively email exchange regarding our Quest Password Manager product and how it uses questions and answers for password reset. Here’s the piece in the article which sparked the debate:
"…the weak link isn't the passwords themselves but those security questions you have to answer in case you forget the passwords. You know the drill. You set up an online checking account and answer questions about your high school mascot, the street you grew up on, and the name of your dog, which supposedly only you can answer. It's all safe as long as crooks don't have the answers, which now - thanks to blogs, Facebook, Twitter, and every other public forum people use to put every last detail of their lives online - they do."
As a test I did a few Google searches on some of the questions that I know are part of my Q&A reset and I did find enough information "out there" that could lead to an easier compromise of my account.

At the RSA Conference there is a company that has developed a different technique to help thwart this. RavenWhite was named one of the 10 finalists for the coveted "Most Innovative Company at RSA® Conference 2010" and I can understand why. Check out their stuff here: http://www.i-forgot-my-password.com/

What do you think?
