Hello, I’ve read your comments on recovering passwords or accounts like on Yahoo. I started investigating this when I suddenly found my own password was not working and the secret question had been changed by whoever hijacked the account. Do you have any advice for me aside from creating a new ID? I hate to say it but I’m considering trying to hijack it back.
I understand what you’re talking about and know that if you have the bad luck to have an easily guessed password and someone backs into your account, you definitely have a problem.
Indeed, while I also have a Yahoo account, I spend much more time using Gmail as it’s one of my main web-based email systems.
What’s amazing is that once every few weeks I get a “how to reset your password” message, suggesting that I’ve tried to log in and clicked the ‘forgot my password’ link, but, of course, I haven’t. It’s someone else messing around trying to sneak into my account.
But the flip side of this is one that I’ve written about before too: how do I know if you’re really who you say you are and, more importantly, how would Yahoo know that you’re who you say you are? (see Recover my Yahoo account password?) After all, one of the most effective methods of breaking security is social engineering, pretending you’re someone other than who you are.
I wonder if it isn’t just a fundamental problem with web-based systems that can’t use anything smart like biometrics for identity verification?
I have a biometric fingerprint scanner on the Lenovo IBM X41 Tablet PC I’ve been evaluating over on my Intuitive Life Blog, but that still doesn’t address how I can verify my identity with a remote system.
Think about it: even if the fingerprint scanner sent the scan data to a remote server, there’s nothing to stop that data being intercepted and then duplicated, emulating the live scan of my finger when in fact it’s someone masquerading as me.
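As an added illustration that is not part of the original post, here is a small Python model of the two designs just described: a “send the scan bytes” login, where anything captured on the wire can be resent, beside a challenge-response login where the server hands out a single-use random nonce and the client proves possession of the enrolled secret without ever sending it. The shared key standing in for the enrolled template and the `Server` class are constructed for this demonstration only.

```python
import hashlib
import hmac
import os


class Server:
    """Verifier that never receives the secret, only a keyed answer to a fresh nonce."""

    def __init__(self, enrolled_secret: bytes):
        self.secret = enrolled_secret      # constructed: stands in for the enrolled template
        self.outstanding = set()           # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)             # unpredictable, so an old answer can't be reused
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                   # unknown or already-used nonce: treat as replay/forgery
        self.outstanding.discard(nonce)    # single use: consume before checking the answer
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(secret: bytes, nonce: bytes) -> bytes:
    """What the client sends: an HMAC over the nonce, not the secret itself."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def static_scan_login(stored_template: bytes, submitted: bytes) -> bool:
    """The naive design: the raw scan data is the credential, so a capture works forever."""
    return hmac.compare_digest(stored_template, submitted)


def demo() -> tuple:
    secret = os.urandom(32)
    srv = Server(secret)
    captured_scan = secret                      # attacker copies the bytes off the wire
    replay_static_ok = static_scan_login(secret, captured_scan)   # True: replay succeeds
    n = srv.challenge()
    r = client_answer(secret, n)
    first_ok = srv.verify(n, r)                 # True: legitimate login
    replay_ok = srv.verify(n, r)                # False: same nonce/answer resent is rejected
    wrong_key_ok = srv.verify(srv.challenge(), client_answer(os.urandom(32), n))  # False
    return replay_static_ok, first_ok, replay_ok, wrong_key_ok
```

Binding the proof to a fresh server nonce is what removes the “intercept and duplicate” problem; the biometric reader still has to be trusted locally, but the network no longer carries anything worth capturing.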
A difficult problem, unquestionably, and until we do have some good solutions in this area, I can only strongly encourage everyone to have the toughest, best passwords possible.