
About the problem in almost every implementation of forgotten password recovery

I recently read that Sarah Palin's Yahoo! Mail account was hacked (you can read more about it here). This break-in is interesting because the intruder neither guessed her password nor looked for a vulnerability in Yahoo! itself. Instead, he used the forgotten-password recovery feature together with a search engine. The Threat Level blog, in its post "Palin E-Mail Hacker Says It Was Easy", published a message from the hacker, which we reproduce below.

rubico 09/17/08 (Wed) 12:57:22 No.85782652

Hi, /b/, as many of you have probably already heard, last night Sarah Palin's Yahoo mailbox was "hacked" and screenshots were uploaded to /b/. I am the person who hacked it and I want to talk about it.

A few days ago the news mentioned that Sarah Palin uses e-mail on Yahoo. As the news reported, hundreds of newbies tried to get into her mailbox; because of these inept attempts, the forgotten-password feature was locked for the next 2 hours.

After the feature was re-enabled, it actually took me 45 minutes of reading Wikipedia and Google to get the necessary information. Birthday? 15 seconds on Wikipedia! ZIP code? Well, she seems to come from a place called Wasilla. It has only 2 ZIP codes (thanks to the online postal service!).

The second question was a bit more complicated: "Where did you meet your spouse?" I did some research, and obviously she met Mr. Palin after college. If you look closely at the screenshots that I made and that a caring anonymous posted on Photobucket, you will see a Google search window open with the words "palin eloped" or something like that.

A little later, after some reflection and searching, I came to the conclusion that they met in high school. I tried several options like "high", "high school", and finally entered "Wasilla high"; after that I changed the password to "popcorn" and took a cold shower.


The fundamental security hole in the vast majority of forgotten-password recovery implementations is that they treat as "secret" information that is nothing of the kind thanks to social networks, blogs, and even Wikipedia. The password recovery service on Yahoo! Mail considers answers to questions about your date of birth, ZIP code, and country of residence sufficient proof that you are you. Given that this information is usually on display on the average MySpace page or Facebook profile, it is absurd that this is all that stands between someone and your online identity.

Even sites that try to be more secure with more personal questions, such as "What was the name of your childhood pet?" or "Where did you meet your spouse?", are not saved by this, because people often write about their dogs and cats and tell the story of how they met their spouse on wedding sites all over the web.

It is time for web developers to start thinking about how to stop doing password recovery based on answers to personal questions. I wonder how many more high-profile break-ins it will take before people stop sending forgotten passwords by e-mail (you know why that is bad, right?).
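As an added illustration (not from the original post or from Yahoo!), here is what recovery without secret questions or e-mailed passwords looks like: a random, single-use reset token that is stored only as a hash and expires quickly. The function names and the in-memory store are assumptions standing in for a real database.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory stand-in for a database table of pending resets.
# Key: user id, value: (sha256 hex digest of the token, expiry as unix time).
_pending: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # a short lifetime limits the window for a leaked link


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for user_id and return it.

    Only the SHA-256 digest is stored, so a database leak does not hand
    out usable reset links. The raw token is what goes into the e-mailed
    link; the password itself is never sent anywhere.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _pending[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(user_id: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        _pending.pop(user_id, None)  # expired: discard so it can never be used
        return False
    # Constant-time comparison so a mismatch does not leak partial-match timing.
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False
    _pending.pop(user_id, None)  # single use: a redeemed token is gone
    return True
```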

Source: https://habr.com/ru/post/40551/
