Easily Reset Passwords and OpenID

September 20th 2008

It’s no surprise that someone managed to reset Sarah Palin’s password on a freebie e-mail account. She’s a public figure, and the answers to her so-called “security questions” are a matter of public record. It’s one thing to do personal and political e-mail on a Yahoo account, but it’s DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.

Large-scale vendors like Yahoo and Google can’t help but do a bad job at authentication: a reset flow that has to serve millions of forgetful users ends up resting on questions anyone can answer. This is why OpenID holds such promise: it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones, though the choice only helps if the provider’s own password-recovery path is stronger than the one you are escaping, since a site that relies on OpenID is no safer than the provider it trusts.

Posted under Information Security

Password Resetting Considered Harmful - duh!

September 1st 2008

It used to be that the default password was your mother’s maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, but your “password recovery” questions are built from those same old stand-by questions. So you can still break into a person’s accounts by answering those classic questions, and the answers are as easy to find as they ever were.
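As an added illustration (example code written for this page, not code from the original post or from any vendor’s reset system): a toy reset flow built on security questions, fed a constructed profile whose every answer is public, beside the token-based reset a careful provider would use instead. The profile, the user name "victim", the 15-minute token lifetime and the three-attempt limit are all assumptions, not something the post specifies.

```python
"""Knowledge-based password reset vs. a random single-use reset token.

Added example for this page, not code from the original post. The
PUBLIC_RECORD profile is constructed (not a real person); TOKEN_TTL and
MAX_TRIES are assumed policy values.
"""
import hashlib
import hmac
import secrets
import time

# Constructed profile: every "secret" is something a biography would print.
PUBLIC_RECORD = {
    "birthday": "01/02/1960",
    "zip code": "12345",
    "where did you meet your spouse": "Anytown High",
}


def normalize(answer: str) -> bytes:
    """Case-fold and collapse whitespace, as most sites do; note that this
    shrinks the answer space even further."""
    return " ".join(answer.casefold().split()).encode()


def kba_reset(stored_answers: dict, attempt: dict) -> bool:
    """The classic flow: the reset succeeds when every stored answer matches.
    Nothing here is wrong as code; the weakness is that the answers are
    static facts an attacker can look up."""
    if attempt.keys() != stored_answers.keys():
        return False
    return all(
        hmac.compare_digest(normalize(stored_answers[q]), normalize(a))
        for q, a in attempt.items()
    )


TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy)
MAX_TRIES = 3         # wrong guesses before the token is discarded (assumed)


class TokenReset:
    """Reset by a random token sent out of band (e-mail, SMS, authenticator).
    Only a hash of the token is stored, it expires, it is single-use, and a
    handful of wrong guesses burns it, so there is nothing to look up."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # user -> {"digest", "exp", "tries"}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits from the CSPRNG
        self._pending[user] = {
            "digest": self._digest(token),
            "exp": self._now() + TOKEN_TTL,
            "tries": MAX_TRIES,
        }
        return token   # deliver to the user; never log or store in the clear

    def redeem(self, user: str, token: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry["exp"]:
            del self._pending[user]
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(token))
        entry["tries"] -= 1
        if ok or entry["tries"] <= 0:
            del self._pending[user]   # single use; also caps online guessing
        return ok


def demo() -> dict:
    """Run both flows against the same account and report the outcome."""
    # The victim chose answers from the public record; the attacker read it.
    kba_attacker_wins = kba_reset(PUBLIC_RECORD, dict(PUBLIC_RECORD))

    clock = [0.0]                                   # controllable clock
    flow = TokenReset(now=lambda: clock[0])
    real_token = flow.issue("victim")
    forged_rejected = not flow.redeem("victim", secrets.token_urlsafe(32))
    real_accepted = flow.redeem("victim", real_token)
    replay_rejected = not flow.redeem("victim", real_token)

    stale = flow.issue("victim")
    clock[0] = TOKEN_TTL + 1
    expired_rejected = not flow.redeem("victim", stale)

    return {
        "kba_attacker_wins": kba_attacker_wins,
        "forged_rejected": forged_rejected,
        "real_accepted": real_accepted,
        "replay_rejected": replay_rejected,
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the comparison is that `kba_reset` is perfectly correct code and still loses, because the thing it verifies is not a secret; the token flow wins not by being cleverer but by verifying something that only exists for fifteen minutes and only in the user's inbox.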

There have been some interesting recent reports about the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

This problem will only disappear over time, as people learn that the answers to those questions are security credentials in their own right, and learn how NOT to lose them.

Posted under Information Security