I have just read the article about the Twitter employee account that was hacked recently. According to the hacker's own comments in a forum, he used nothing but social engineering to answer the security question(s) on the Yahoo mail account that person had been using.
This article is not about blaming Yahoo in particular, because this is a common problem with most websites that offer security questions for retrieving a lost password or creating a new one, so it applies to other websites as well. I'm just using Yahoo as the example because the hacker (I wouldn't even call him a hacker) gained access to a Yahoo account.
Yahoo currently lets a new user choose one of the following questions on the signup page:
What is your father's middle name?
What was the name of your first school?
Who was your childhood hero?
What is your favorite pastime?
What is your all-time favorite sports team?
What was your high school mascot?
What make was your first car or bike?
Where did you first meet your spouse?
What is your pet's name?
Yahoo's other signup form actually asks for two security questions, if that is the form you use.
Do you think it is safe to use these questions? If you had just gotten to know someone online in a chat or through a social network, would you be suspicious if they asked about your favorite pastime? I bet you wouldn't. And I think you wouldn't even remember that you used that answer for a security question on an account you set up some years ago.
The main problem I see here is that if the account owner has not given an alternative email address at signup, anyone who answers the question correctly immediately gains access to the account and can begin reading and writing emails from it (or using whatever service relies on that kind of 'protection').
In fact, I have always refrained from using security questions at all on my websites. Of course, providing this kind of "online account rescue service" saves you from many support requests. I also understand that the larger the company, the more password requests you will get, which can put an immense strain on your support. But is this really a safe and secure method for regaining access to accounts? In my opinion it is not, unless it is coupled with other features such as cellphone verification via SMS or similar methods. If the user has provided an alternative email address, most services will send the password reset information to that address instead, which in my opinion is reasonably safe.
For most websites, however, I still wouldn't use security questions at all.
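As an added example (not code from the original post or from Yahoo), here is the difference between the weak pattern criticised above and a hardened recovery flow in Python: the weak version grants access on a correct answer alone, while the hardened version treats the answer only as a gate for sending a one-time code to the alternative address given at signup, locks out repeated guessing, and refuses to grant access on the question alone when no out-of-band channel exists. The lockout threshold, the hashing parameters and the `send` callback are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

MAX_ATTEMPTS = 5  # assumed lockout threshold (not from the post)

def normalize(answer: str) -> str:
    return " ".join(answer.lower().split())  # case- and whitespace-insensitive

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat the answer like a password: salted and stretched, never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

@dataclass
class Account:
    email: str
    answer_salt: bytes
    answer_hash: bytes
    recovery_email: Optional[str] = None  # alternative address given at signup
    failed_attempts: int = 0
    pending_code: Optional[str] = None

def enroll(email: str, answer: str, recovery_email: Optional[str] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, hash_answer(answer, salt), recovery_email)

def weak_recover(acct: Account, answer: str) -> bool:
    # The pattern the post criticises: a correct (guessable) answer alone grants access.
    return hmac.compare_digest(hash_answer(answer, acct.answer_salt), acct.answer_hash)

def start_recovery(acct: Account, answer: str, send: Callable[[str, str], None]) -> str:
    """Hardened flow: the question only unlocks sending a one-time code out of band."""
    if acct.failed_attempts >= MAX_ATTEMPTS:
        return "locked"  # caps guessing of the low-entropy answer
    if not weak_recover(acct, answer):
        acct.failed_attempts += 1
        return "denied"
    if acct.recovery_email is None:
        return "no_channel"  # hand off to support; never grant access on the question alone
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    send(acct.recovery_email, acct.pending_code)
    return "code_sent"

def finish_recovery(acct: Account, code: str) -> bool:
    if acct.pending_code is None or not hmac.compare_digest(code, acct.pending_code):
        return False
    acct.pending_code, acct.failed_attempts = None, 0  # code consumed; reset counter
    return True  # only the out-of-band code, not the question, completes the reset
```

In a real deployment the pending code would also carry an expiry, and the `send` callback would deliver it by email or SMS rather than to an in-memory list.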