Beware of password retrieval risks
The personal Yahoo e-mail account of Republican vice-presidential nominee Sarah Palin was compromised when a hacker performed some basic online research augmented by educated guessing to fool Yahoo's "forgot-my-password" system into letting him change the password on Palin's account.
Most password help utilities rely on the concept of "shared secrets" to authenticate the account holder - except that the shared information isn't really a secret these days. In the age of Google, blogs and online public records, very little demographic or historical information about a person is really secret. Birthday, birth place, hometown, mother's maiden name, high school, colleges attended, pet's name... For most people, especially famous ones, this kind of information can be found with a minimum of online sleuthing.
Phishing can be used to determine shared secrets as well. If a system relies on a limited set of shared secrets, phishers can craft their attacks to elicit exactly those secrets from their victims. For example, Bank of America's SiteKey system has been repeatedly attacked in this manner.
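The defensive alternative to asking guessable "shared secret" questions is to make the reset depend on a random, short-lived, single-use token delivered to an address already on file. The following is an added illustration, not code from the newsletter or from any vendor it mentions; the 15-minute lifetime and the account names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset token is valid for 15 minutes


class ResetTokenStore:
    """Issues and redeems single-use password-reset tokens.

    The token is the only proof of identity: it is unguessable (random),
    short-lived, usable once, and delivered out of band (e-mail or SMS to an
    address already on file). No knowledge-based questions are asked at all,
    so there is nothing for public-records research or phishing to recover.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}   # account -> (sha256(token), expiry timestamp)

    @staticmethod
    def _digest(token: str) -> bytes:
        # Store only a hash so a leaked database table cannot be replayed.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[account] = (self._digest(token), self._clock() + TOKEN_TTL_SECONDS)
        # The caller sends this to the address on file; it is never shown on screen.
        return token

    def redeem(self, account: str, presented: str) -> bool:
        # pop(): the token is consumed by any attempt, so there is exactly one
        # online guess per issued token, whether the guess is right or wrong.
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored_digest, self._digest(presented))
```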
Fraud Intelligence Newsletter
September 2008