Yahoo Mail Increases Security On Password Resets
Yahoo and other online companies have been exposed lately as a little weak in some areas of security in some of their online offerings.
Vice Presidential candidate Sarah Palin had her Yahoo email account "hacked" by a kid who used the Yahoo Mail password reset function to gain access to the email account. He was able to do so because all it took to get a password reset was knowing the answers to a couple of personal questions.
As a public figure, the answers to Palin’s questions were probably easier to come by than most. Still, it raised the possibility that anyone with a little bit of effort could probably do the same thing to a significant majority of Yahoo account owners.
How long would it take someone to find out where you were born, or where you went to high school? The answer is, not long, especially with so many people willingly posting that same information on sites like Facebook or Twitter.
That is why I have always preferred websites that offer me the chance to make up my own security questions. Someone could be able to find out what my high school mascot was, or what the make and model of the first car I owned was. (Seriously, think about it for a few seconds. Birth year plus 16 or 17 years. Now all you need is an archive of the DMV records from those years. It might even be online as an open records request.)
On the other hand, I doubt anyone would be able to find out what we nicknamed the big piece of cement in the field behind our house by accessing even the best government databases.
Twitter was similarly hacked by someone who was a bit more clever, but who was simply preying on a weak spot in security. The hacker re-applied for a Hotmail account and then asked Google Mail for a password reset, which was sent to, you guessed it, the Hotmail account.
It’s ironic that these services go through so much trouble to get you to choose a difficult password and then make it so easy to get around the password.
It was these types of high-profile events that made me a bit squeamish about what kind of information (like a detailed, dated list of all my time tracking information) I’ve been sending out into "the cloud" under nothing more than the slight security offered by a username and password combination.
Anyway, Yahoo is making at least a little bit of effort in this area. Recently when I tried to log on to my Yahoo Mail account, a screen popped up asking me for a cell phone number to use for verification in the event I needed a password reset or to have my account unlocked. They also asked for the ubiquitous two security questions.
They didn’t offer me the opportunity to create my own questions, but a look at the list confirms that the days of everyone using the same questions to ask for the same publicly available information to get a master key to the security locks on your account are, thankfully, coming to an end.