Thursday, September 25, 2008
ISPs should allow users to specify their own security question (Sarah Palin incident on Yahoo!)
Computer security experts recommend that users with email and any online accounts use more caution with typical security questions. The recent incident where Republican Vice Presidential nominee Sarah Palin’s Yahoo! email account was compromised exposes a flaw in the security question system. If the user has posted the answer to the question somewhere before, or if it is generally known by others, someone could guess the information and get into the account. Security experts say that ISPs like Yahoo! and many others should begin allowing users to specify their own security questions.
In the meantime, users should choose answers that they do not believe others know (in particular, don’t use an answer that you’ve posted on the web previously). Don’t use the real name of your “Iams” cat; make up one, or, better yet, use letters and numbers in a nonsense combination. That is, make the answers to the security questions like strong passwords. They also say you can link your account to a second account to which your account-recovery information can be emailed. Many people keep their access information in files on hard drives that are not made public, but it is conceivable that in some cases this information could be compromised, particularly on a laptop that could be physically lost.
Matthew Sheffield has a detailed Analysis/Opinion piece on the Palin incident (“…how easy it is”) on p. A4 of the Nation section of the Washington Times, Sept. 25, link here.
In the past, it was common for companies, especially in sensitive jobs, to warn employees about keeping their mainframe passwords secret, and in some cases, not to leave themselves signed on when away from their desks.