Motley Fool wrote an article blaming Yahoo! for the Palin hack. Computerworld has pointed out that Gmail, Yahoo, and Hotmail are vulnerable as well. To be clear, any site that restores account access by having the user answer common "security questions" is vulnerable. The issue is not that these particular sites are vulnerable and others aren't; the problem is the concept itself of relying solely on a person's mother's maiden name, zip code, hometown, etc., since those answers are public record or easy to guess.
A better solution would be to require that people make up their own question with their own answer, and to reject answers that are dictionary words, zip codes, common variants, etc., or to require a backup vector (a backup email address or an SMS message to their cell phone) through which they obtain a short-lived, one-time recovery token. Even these aren't the best solutions, but they are certainly a step up.
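As an added illustration of the two fixes above (not code from the original post), here is a small Python sketch: an answer-strength check that rejects dictionary words, zip codes and dates, and a recovery-token store that hands out short-lived, single-use tokens for delivery over a backup channel and keeps only a hash of each token. The word list and the ten-minute lifetime are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed stand-in for a real dictionary / common-answer list (assumption).
COMMON_ANSWERS = {"password", "smith", "wasilla", "fluffy", "football"}


def answer_is_weak(answer: str) -> bool:
    """Reject answers an attacker could look up or guess from a wordlist:
    dictionary words (with or without a trailing digit), ZIP codes, dates,
    and anything too short."""
    a = answer.strip().lower()
    if len(a) < 8:
        return True
    if re.fullmatch(r"\d{5}(-\d{4})?", a) or re.fullmatch(r"\d{1,2}/\d{1,2}/\d{2,4}", a):
        return True
    return re.sub(r"\d+$", "", a) in COMMON_ANSWERS


class RecoveryTokens:
    """Short-lived, single-use recovery tokens sent via a backup e-mail or SMS.
    Only a SHA-256 of the token is stored, so a leaked table cannot be replayed."""

    def __init__(self, ttl_seconds: int = 600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested
        self._pending = {}  # account -> (sha256(token) hex, expiry time)

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[account] = (digest, self.now() + self.ttl)
        return token  # deliver over the backup channel, never display it on the page

    def redeem(self, account: str, token: str) -> bool:
        # Single use: the pending entry is removed on any attempt, so a wrong
        # guess burns the token instead of allowing repeated tries.
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(digest, presented)
```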
Anyone else have a suggestion for a better fix? If so please post a comment.