Protect answers to password reset questions with pen-and-paper, by Aryeh Goretsky.
In part:
With the recent announcements of password breaches at LinkedIn, and warnings from Google about state-sponsored attacks on Gmail accounts, it seems like a good idea now to review some password security basics. In this blog post, we’re going to take a look at a rather low-tech solution to a decidedly high-tech problem: How to guard against password reset attacks, and where to securely store the answers to your password reset questions.
Even if you use highly secure passwords, it is possible someone might still be able to compromise your account if they were able to gather enough information about you to know—or at least guess—the answers to your password reset questions. Many services use the same questions, e.g., your mother's maiden name, the name of the town you were born in, the name of your first pet and so forth. Because similar questions are used over and over again to reset passwords, it can be fairly easy, even somewhat boring, for an attacker who gathers this type of information to use it to gain access to all sorts of accounts one might have, across services ranging from those which are purely social to financial institutions, or even identity theft.