When password security questions aren't secure
When you select a password, you might choose to store it in a password manager, write it down, or commit it to memory (see “How to remember passwords” for some advice). Sometimes, however, things go wrong: You find yourself without access to your password manager, you lose the paper on which you recorded your passwords, or you forget a password you thought you memorized. Or maybe someone tries to break into one of your accounts, and after a few unsuccessful attempts at entering your password, the site locks out further access until you can confirm your identity.
In all those cases, online services need a secondary way of granting you access to your account or your data when you don’t have (or can’t use) your password. Sometimes—especially in lower-security situations such as access to an online publication or discussion forum—the provider lets you click a link that results in your existing password, a new password, or password-reset instructions being sent to the email address you have on file. When those simple mechanisms are considered too insecure, the site may ask you to respond to verification questions for which you’ve previously provided the answers.
Unfortunately, password-reset messages and verification questions come with their own problems and risks. You can reduce your chances of being hacked—or being unable to respond correctly to one of these questions—by following a few simple tips.
Prevent password-reset mischief
Of all your passwords, the one for your email account may be the most valuable. That’s because whoever has access to your email account will be able to read and click links in any password-reset messages you receive (such as when you click an 'I Forgot My Password' link). A hacker who guessed or stole just that one password could unlock many other accounts and do all sorts of damage. You can limit your risk here in a couple of ways.
To read this article in full or to leave a comment, please click here
http://www.macworld.com/article/2016925/when-password-security-questions-arent-secure.html
