A lot of web sites these days have a question & answer system as a backup to your password. The idea is that if you forget your password you’ll be prompted to answer a private question. Assuming you’re the only one who knows the answer to this private question, answering it correctly gives you a password to log into the website.
It’s really a second password in case you forget the main password. And it’s not very secure. Let’s look at why.
Your web site password could be anything. If you use a common word then there’s approximately a 1 in 100,000 chance of someone guessing it (this is actually pretty poor). If you make up a password that couldn’t possibly exist in the dictionary, e.g. by adding a random number at the end, misspelling words, etc., then the chances of guessing the password are much lower, one in millions or billions. This is good.
Now if you have to provide the name of your pet, school, or mother’s name as a password, the choices are very limited. There aren’t billions of popular pet names, there’s only a handful.
For someone to guess the answer to this question is much easier than guessing a real password. And if someone were to do a little research on you it could be possible to find this out.
My suggestion is that you don’t use these password recovery options. When signing up to a service and you’re prompted to enter some personal details, enter random characters instead. Go crazy bashing keys on the keyboard, use something like iojxcnmvaioasflseqq. The idea is that no one could possibly guess the answer, including yourself. Then write down your real password and keep it safe.
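To put numbers on the argument above, here is an added example (not from the original post) that compares the guessing space of a common dictionary word, a popular pet name, and a 19-character random answer like the one suggested, and generates such an answer with a cryptographic random source. The search-space sizes are assumed figures for illustration, taken from the post’s own rough estimates.

```python
import math
import secrets
import string

# Assumed search-space sizes (constructed for illustration): the post's
# "1 in 100,000" common-word guess, a handful of popular pet names, and a
# keyboard-mash lowercase answer of 19 characters like "iojxcnmvaioasflseqq".
SEARCH_SPACES = {
    "common dictionary word": 100_000,
    "popular pet name (top-20 list)": 20,
    "random lowercase, 19 chars": 26 ** 19,
}


def entropy_bits(space_size: int) -> float:
    """Bits of entropy for a secret chosen uniformly from space_size candidates."""
    return math.log2(space_size)


def expected_guesses(space_size: int) -> float:
    """Average number of guesses needed to hit a uniformly chosen secret."""
    return space_size / 2


def random_answer(length: int = 19, alphabet: str = string.ascii_lowercase) -> str:
    """Generate a recovery answer with a CSPRNG.

    A human mashing keys is not uniformly random (nearby keys and repeats are
    favoured); secrets.choice gives the full log2(26) bits per character.
    Store the result in a password manager, since you are not meant to recall it.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare() -> dict:
    """Map each answer type to (entropy in bits, expected guesses)."""
    return {name: (entropy_bits(n), expected_guesses(n)) for name, n in SEARCH_SPACES.items()}


if __name__ == "__main__":
    for name, (bits, guesses) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{guesses:.3g} guesses on average")
    print("suggested recovery answer:", random_answer())
```

A pet name from a short list is worth about 4 bits, far below even a weak dictionary password, while the random answer is in the 89-bit range.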
I’d also like to add a bit about someone that recently had her private question (backup password) guessed by a random stranger.
Her name is Sarah Palin. Someone wanted to read Sarah’s Yahoo email and instead of trying to guess a password they just tried guessing a private question, and got in. This was recently publicised. It isn’t really hacking, someone just did some research and guessed correctly.
The results were disastrous – Sarah Palin is a US governor hoping to be a vice president, and there were sensitive documents in her emails that were then leaked to the internet.
There’s a lesson here for everyone, including web site developers. Don’t use these private password questions; they are the weakest link into web services.