Brian Green's experience with not-so-secret questions began when he logged on to his World of Warcraft account in March of this year and found all of his characters in their underwear. Someone had stolen the account and sold off all of his virtual equipment.

This article made me burst out laughing, but behind the humor of someone having all of their "virtual equipment" sold off there's a serious point to be made: secret questions used to secure password-reset functions can be woefully insecure.

In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

If it isn't obvious to all: you really must ensure that your secret answers are, in fact, secret, and secret means not easily guessed and not easily obtained through social engineering. I highly recommend that an out-of-band technique be used to send you your new password. For example, an SMS message with your temporary password to your mobile phone, or the use of a one-time password (OTP) as part of your Q&A response profile. Both of these rely on something you know and something you have - much harder for the hacker to defeat.
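To make the out-of-band recommendation concrete, here is an added example (my own illustration, not code from the article or from any product) of how a reset service can issue and check a one-time code delivered to the user's registered phone: the code is random rather than derived from personal facts, only its hash is stored, it expires, it is consumed on first success, and a handful of wrong guesses invalidates it. The in-memory store, code length and limits are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # a delivered code stays valid for 10 minutes (assumed policy)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is thrown away

# Constructed in-memory store; a real service would use its session/user database.
# user_id -> {"hash": sha256 hex of the code, "expires": epoch seconds, "attempts": int}
_pending = {}


def issue_reset_code(user_id, now=None):
    """Create a single-use code to send out of band (SMS to the phone on file).

    The phone is the "something you have"; nothing about the code can be guessed
    from knowing the user. Only a hash is kept, so a leaked table does not
    expose live codes. Returns the code for the SMS gateway; never log it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"   # 8 random digits, fixed width
    _pending[user_id] = {
        "hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_reset_code(user_id, submitted, now=None):
    """Return True exactly once for the correct, unexpired code; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:                      # nothing outstanding, or already used
        return False
    if now > entry["expires"]:             # stale code: discard it
        del _pending[user_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:   # too many guesses: force a fresh issue
        del _pending[user_id]
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if hmac.compare_digest(digest, entry["hash"]):   # constant-time comparison
        del _pending[user_id]              # single use: consumed on success
        return True
    return False
```

After a successful verification the application should still require the user to set a brand-new password rather than keep the delivered code as a credential.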
Don't rely on "shoe size" and "pet's name" or you'll end up being caught in your identity underwear, too.
identity management, passwords, strong authentication