Conceived on Apr 29, 2013
In the past few months, we’ve seen a series of high-profile account breaches that gave control of users’ accounts to malicious thieves. I’m sure many will remember the Matt Honan hack, where an attacker was able to gain access to the journalist’s accounts and wipe his devices by fooling Apple support into resetting his password for them.
More recently, Skype proved to be vulnerable to the same attack, which is bad news for password resets in general, because there is no good way for a user to guard against it. If you haven’t specified an email address (or if you forgot the password for your email address), how can a provider authenticate you? They will have to fall back on security questions, information about your account, or some other method.
Security questions usually have very low entropy, much lower than the actual password, and thus they should probably be discouraged. Unfortunately, many services (including banks) use them.
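To make the entropy comparison concrete, here is an added example (not code from the original post) that measures a security-question answer distribution the way a defender would when deciding whether to allow it as a reset factor. The answer counts for "What is your favourite colour?" are constructed, hypothetical numbers, not survey data; the password baseline assumes 8 uniformly random characters from a 62-character alphabet.

```python
import math

# Constructed, hypothetical answer counts for "What is your favourite colour?"
# (not real survey data). Real answer distributions are similarly skewed.
COLOUR_ANSWERS = {
    "blue": 40, "red": 20, "green": 15, "black": 10,
    "purple": 8, "yellow": 4, "orange": 3,
}


def _probabilities(counts):
    """Return answer probabilities sorted from most to least common."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values() if c), reverse=True)


def shannon_entropy_bits(counts):
    """Shannon entropy (bits) of the answer distribution."""
    return -sum(p * math.log2(p) for p in _probabilities(counts))


def expected_guesses(counts):
    """Expected number of attempts needed when answers are tried in
    descending order of popularity (the guesswork metric)."""
    return sum((i + 1) * p for i, p in enumerate(_probabilities(counts)))


def success_within(counts, attempts):
    """Probability that the answer falls within the top-N most common
    answers, i.e. is found before a lockout after N attempts."""
    return sum(_probabilities(counts)[:attempts])


def uniform_password_entropy_bits(alphabet_size, length):
    """Entropy of a password drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(f"question entropy: {shannon_entropy_bits(COLOUR_ANSWERS):.2f} bits")
    print(f"expected guesses: {expected_guesses(COLOUR_ANSWERS):.2f}")
    print(f"found within 3 attempts: {success_within(COLOUR_ANSWERS, 3):.0%}")
    print(f"8-char random password: "
          f"{uniform_password_entropy_bits(62, 8):.2f} bits")
```

With the constructed distribution the question carries roughly 2.4 bits and is answered within three attempts three quarters of the time, against about 48 bits for the random password, which is why a lockout policy alone does not rescue a security question.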