I was recently importing some legacy mail accounts of mine out of their silos on assorted free webmail sites.
In fact, I was stunned to find that some of my Hotmail addresses still had email in them and figured that it was probably worth keeping, if only for the amusement value of “this is what a phishing attack looked like in 2007” or “this is what Microsoft couldn’t work out was spam in 2005”.
Anyway, I had trouble getting into one of the accounts so I went through the password reset functionality. My security question was:
Food you’ve always liked: _______
To my surprise, I got it right first try.
I asked my flatmate if he knew the answer to this question and he got it right on the first attempt too.
The answer was:
pizza
Original, right?
13-year-old me just got a slap across both wrists. Just think, someone could have had access to an inbox of spam and an MSN account full of people I don’t like. The horrors!
This does highlight an important point, though: if an account has password reset functionality, auditing it for weak answers matters just as much as auditing the passwords themselves. A security question answer is effectively a second password, usually a far weaker one, and one that anyone who knows the account holder can often guess.
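As an added example (this is not code from the original post), here is a small Python check that audits a reset-question answer the way a password audit treats a password: it normalises the answer, rejects it if it is on a deny-list of common answers, too short, or lifted from the question text. The deny-list, the length threshold and the sample answers are constructed for illustration; a real deployment would load a much larger list, just as password audits use breached-password lists.

```python
import re
import unicodedata

# Constructed sample deny-list: answers that anyone can guess, or that anyone
# who knows the account holder can guess. Illustrative only; not exhaustive.
COMMON_ANSWERS = {
    "pizza", "chocolate", "pasta", "sushi", "tacos", "ice cream", "curry",
    "fluffy", "max", "buddy", "rex", "smith", "jones", "london", "new york",
    "password", "none", "no", "yes", "idk", "i dont know", "nothing",
}

# Illustrative threshold: treat an answer like a short password, not a word.
MIN_CHARS = 8


def normalize(text: str) -> str:
    """Fold case, accents, punctuation and whitespace so that 'Pizza!!',
    ' PIZZA ' and 'pizza' are all the same guess. An attacker will try the
    plain lowercase form, so the audit must compare against that form."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]+", "", folded.lower())
    return re.sub(r"\s+", " ", folded).strip()


def audit_answer(question: str, answer: str) -> list[str]:
    """Return the reasons an answer is weak; an empty list means it passes."""
    norm = normalize(answer)
    q_norm = normalize(question)
    reasons = []
    if len(norm) < MIN_CHARS:
        reasons.append("too short")
    if norm in COMMON_ANSWERS:
        reasons.append("common answer")
    # Answers copied out of the prompt itself ("food", "food you") are free
    # guesses for anyone who can see the reset page.
    if norm and norm in q_norm:
        reasons.append("answer appears in the question")
    return reasons


if __name__ == "__main__":
    question = "Food you've always liked: _______"
    for candidate in ("pizza", "  PIZZA!! ", "food you", "anchovy calzone from Luigi's, 2004"):
        verdict = audit_answer(question, candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Run against the question from the post, "pizza" and its decorated variants are flagged as a common answer, while a long, personal and specific answer passes. The same normalisation is what a reset flow should apply before hashing and comparing a stored answer, otherwise the stored form and the attacker's guesses diverge only by punctuation.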
Footnote:
Another account of mine had this gem:
Q: do i need a Security Question?
A: no i can guess my password
