‘Forgot your password?’ may be weakest link
Posted: Tuesday, August 26 2008 at 05:00 am CT by Bob Sullivan
Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar "Forgot your password?" link and, after entering your pet's name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.
But there's a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You’d be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching.
Some security researchers are beginning to sound the alarm about "password resetting" tools, suggesting they could be the weakest link in Web security.
As an experiment, Herbert Thompson, chief security strategist of People Security, recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites, Thompson found his way in within minutes.
"This is a serious problem. It kind of blew me away," Thompson said.
Here’s what Thompson did. Using only one friend’s name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank’s Web site, where her user name was simply her first initial and last name. He asked for a password reset. The bank sent an e-mail with that information to her Web mail account. Thompson then asked for a password reset there, which sent a link to her old college e-mail account. There, Thompson needed only to supply the woman’s address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account, supplying her birthplace and father’s middle name, and ultimately entered her bank account by supplying her pet’s name.
“I did this a couple of times. But the scariest thing would be someone doing this with some scale,” Thompson said. A more detailed description of his romp through someone else's identity can be read on the Scientific American Web site.
There are no known cases in which hackers have widely exploited “forgot your password” links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog's names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.
In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he’s seen demonstrations of far more sophisticated tools designed to “scrape” information off blogs and social networking pages for later use by hackers.
“It’s an automatic dossier building tool,” he said.
Like Paris Hilton
Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dog's names.
It also prompted researchers to study the issue, which is also known as “fallback authentication.” Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, “Security Questions in the Era of Facebook.” It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.
"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can’t seem to get rid of that question. … If we do nothing this will get steadily worse."
In some situations, statistics give the criminal an advantage. For example, data published by some U.S. cities indicated about 1 percent of the nation’s dogs are named “Max,” making that a pretty good guess for a criminal trying to break into thousands of bank accounts. When a bank asks consumers who their favorite president was, it rarely takes more than two guesses, Rabkin said.
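The “Max” arithmetic above generalizes: an attacker who knows how a population answers a question and is allowed a few guesses per account before lockout succeeds with probability equal to the combined share of the most common answers. The following is an added example, not code from the article or from any of the researchers it quotes. It computes that guessing success rate for a constructed answer distribution (only the roughly 1 percent share for “Max” comes from the article; every other frequency is invented), the expected number of accounts broken across a large customer base, and how much an enrollment-time blocklist of the most common answers recovers.

```python
"""Added example (not from the article): quantify the guessing advantage an
attacker gets from a skewed answer distribution, and how much an enrolment-
time blocklist of the most common answers recovers.

Constructed data: only the "Max" share (about 1 percent) comes from the
article; every other frequency below is invented for the example."""
from typing import Dict, Set

# Share of accounts whose "first pet's name" answer is each value.
# Everything not listed is a long tail of rare names (assumed to be
# individually rarer than any listed name).
PET_NAME_SHARES: Dict[str, float] = {
    "max": 0.010,      # from the article
    "buddy": 0.009,    # constructed, as are all the entries below
    "bella": 0.008,
    "lucy": 0.007,
    "charlie": 0.006,
    "daisy": 0.005,
    "rocky": 0.004,
    "molly": 0.003,
}


def normalize_answer(answer: str) -> str:
    """Fold case and strip punctuation, the way a lenient verifier compares answers."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def beta_success_rate(shares: Dict[str, float], attempts: int) -> float:
    """Chance that an attacker who knows the population distribution and has
    `attempts` online guesses per account (the lockout limit) breaks a random
    account: the combined mass of the `attempts` most common answers."""
    top = sorted(shares.values(), reverse=True)[:attempts]
    return sum(top)


def expected_compromises(shares: Dict[str, float], attempts: int, accounts: int) -> float:
    """Expected number of accounts broken when the same few guesses are tried
    against `accounts` accounts, each allowing `attempts` tries."""
    return beta_success_rate(shares, attempts) * accounts


def blocklist_top(shares: Dict[str, float], k: int) -> Set[str]:
    """The k most common answers, to be refused when a user enrols an answer."""
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    return {name for name, _ in ranked[:k]}


def is_acceptable(answer: str, blocklist: Set[str]) -> bool:
    """Enrolment-time check: reject blocklisted answers after normalising."""
    return normalize_answer(answer) not in blocklist


def after_blocklist(shares: Dict[str, float], blocklist: Set[str]) -> Dict[str, float]:
    """Distribution once blocked answers are refused, assuming users who would
    have picked one choose another answer in proportion to the rest."""
    kept = {name: p for name, p in shares.items() if name not in blocklist}
    blocked_mass = sum(p for name, p in shares.items() if name in blocklist)
    scale = 1.0 / (1.0 - blocked_mass)
    return {name: p * scale for name, p in kept.items()}


if __name__ == "__main__":
    # Three-strike lockout against 10,000 accounts, before and after blocking the top 3.
    before = expected_compromises(PET_NAME_SHARES, 3, 10_000)
    banned = blocklist_top(PET_NAME_SHARES, 3)
    after = expected_compromises(after_blocklist(PET_NAME_SHARES, banned), 3, 10_000)
    print(f"expected compromises: {before:.0f} before blocklist, {after:.0f} after")
```

With these constructed numbers, three guesses per account break about 270 of 10,000 accounts, and refusing the three most common answers at enrollment only brings that down to about 185: the next answers in a skewed distribution are nearly as common as the ones removed, which is why Rabkin’s point about “favorite president” holds even after obvious answers are banned.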
Even if the questions are more personal, and even if the subject doesn’t have their own blog, others might blog about their dog, car or high school. And search engines can easily unearth such minutiae.
“There is an arms race here between people who are trying to ask obscure questions about (us) and people who are trying to answer obscure questions about (us),” Rabkin said.
Not a bad idea
Thompson, the People Security expert, said that asking “challenge” questions with so-called “out of wallet” answers – questions that even a criminal who stole your wallet couldn’t answer – once was a secure way to confirm someone’s identity.
“If you think about it, 10 years ago this didn’t seem like a horrible idea, to ask for someone’s personal information,” he said. “You could say, ‘It’s probably unlikely that someone will know all of this information about me, or spent the time necessary to gather it.’ But now it’s really easy for someone who's never met you to know all this about you.”
Coming up with secure challenge questions is no easy task. There are two problems to consider: The question must be difficult for a stranger to answer but it also must be easy enough so the customer doesn't forget. Quick: What's your kindergarten teacher's name? Was it McFadden or MacFadden or Mcfadden?
“In some cases, it’s easier for an attacker with good data mining skills than the real person to answer these questions,” Jakobsson said. He is hard at work developing a new solution, one which relies on the answers to “preference” questions rather than fact-based personal questions. A consumer who requests a password reset might be confronted with questions like, “Do you like antique stores?” or “Do you like opera?”
Asking 16 questions like these would provide positive identification in better than 99 percent of cases, he said. “And preferences are rarely stored in databases.” (More on this idea can be found at I-Forgot-My-Password.com.)
Rabkin is all for addressing the problem of forgotten passwords, but he is careful not to exaggerate it. In addition to the lack of proof that any widespread forgotten-password hacking has occurred, he says banks have multiple systems in place to prevent thefts from online services. When a password reset is initiated, for example, banks automatically set a red flag on an account and watch it for suspicious behavior. Any large transactions following soon after would surely be stopped, he said.
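The red flag Rabkin describes, combined with an e-mailed reset link that does not depend on personal trivia, is sketched below as an added example. It is not code from the article, from any bank, or from the researchers quoted. The reset token is random, stored only as a hash, single-use and short-lived, unknown usernames get the same response as real ones so the endpoint does not confirm which accounts exist, requests are throttled, and a successful reset opens a watch window during which large transfers are held. The in-memory account store, the injectable clock, the outbox standing in for the out-of-band channel, and the limits (15-minute token, three requests per day, 72-hour watch window, $500 hold threshold) are all assumptions chosen for the example.

```python
"""Added example (not from the article, the banks or the researchers it quotes):
a password-reset flow that replaces personal-trivia questions with a random,
single-use, short-lived token delivered out of band, and that puts the
account under watch afterwards so large transfers are held.

Assumptions: the in-memory account store, the injectable clock, the delivery
channel (an outbox list standing in for e-mail or SMS), and the limits
(15-minute token, 3 requests per day, 72-hour watch window, $500 hold)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60
MAX_RESETS_PER_DAY = 3
WATCH_WINDOW_SECONDS = 72 * 3600
WATCH_TRANSFER_LIMIT = 500.0


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for stored passwords (deliberately slow, unlike a plain hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _token_hash(token: str) -> bytes:
    """Reset tokens are high-entropy, so a plain hash is enough to store them."""
    return hashlib.sha256(token.encode()).digest()


@dataclass
class Account:
    username: str
    password_salt: bytes = b""
    password_hash: bytes = b""
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0
    reset_requests: List[float] = field(default_factory=list)  # request timestamps
    watch_until: float = 0.0


class ResetService:
    def __init__(self, accounts: Dict[str, Account], now: Callable[[], float]):
        self.accounts = accounts
        self.now = now  # injectable clock so expiry can be tested
        self.outbox: List[Tuple[str, str]] = []  # (username, token) "sent" out of band

    def request_reset(self, username: str) -> bool:
        """Always returns True so the endpoint does not reveal which usernames exist."""
        acct = self.accounts.get(username)
        if acct is None:
            return True
        t = self.now()
        acct.reset_requests = [s for s in acct.reset_requests if t - s < 86_400]
        if len(acct.reset_requests) >= MAX_RESETS_PER_DAY:
            return True  # throttled: no new token, same outward response
        acct.reset_requests.append(t)
        token = secrets.token_urlsafe(32)        # 256 random bits, unguessable
        acct.reset_token_hash = _token_hash(token)
        acct.reset_expires_at = t + TOKEN_TTL_SECONDS
        self.outbox.append((username, token))    # delivered out of band
        return True

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False
        t = self.now()
        if t > acct.reset_expires_at:
            acct.reset_token_hash = None         # expired tokens are discarded
            return False
        if not hmac.compare_digest(acct.reset_token_hash, _token_hash(token)):
            return False
        acct.reset_token_hash = None             # single use
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = _kdf(new_password, acct.password_salt)
        acct.watch_until = t + WATCH_WINDOW_SECONDS  # the "red flag" period
        return True

    def verify_password(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return hmac.compare_digest(acct.password_hash, _kdf(password, acct.password_salt))

    def transfer_allowed(self, username: str, amount: float) -> bool:
        """Hold large transfers while a freshly reset account is under watch."""
        acct = self.accounts[username]
        if self.now() < acct.watch_until and amount > WATCH_TRANSFER_LIMIT:
            return False
        return True
```

Nothing in this flow asks for a pet’s name or a mother’s maiden name; the only secret is the token, which the attacker cannot research. Note that it still inherits the weakness Thompson exploited, control of the recipient mailbox, which is why the watch window matters: a reset obtained through a compromised mailbox buys the attacker a password but not an immediate large withdrawal.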
“The problem is not as bad as you think,” he said. “It’s not so easy to match up a pet name from Facebook with another database of login names and another database of Social Security numbers,” and use that to withdraw cash, he said.
Still, there is another problem associated with the importance of personal questions in security. A consumer who falls for an extensive phishing e-mail, or whose blog is copied by a hacker, may find it nearly impossible to navigate the digital world in the future. How would such a person ever reclaim a password or otherwise authenticate their identity?
“It would be incredibly difficult to recover from something like that,” Thompson said. “You can't really change your mother’s maiden name or these other things.”
RED TAPE WRESTLING TIPS
Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people’s eyes, fingerprints, etc., to verify their identity, is the “doomsday” possibility that once such information is compromised, it could never be trusted again. You can’t change irises, for example. But Thompson points out that the same is true for personal information such as your first pet’s name or your mother’s middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.
Of course, these security enhancements are still in the future, so for now, consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don’t always pick the most obvious question. Consider what someone might be able to find about you on your blog. Better yet, consider not disclosing any personal information on your blog.
Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it’s probably much more secure. Again, think of a question only you can answer, and something that’s unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won’t cut it.
I think to prevent hackers or anyone else who does try to get into your information you should lie. From personal experience I have forgotten my password a couple of times because I made it super hard to remember. I know some people think that is crazy but I think it's smart...If I can't guess it then I'm sure no one else can. Why try to use other people's stuff when you can just use your own.
(Sent Sep 9, 2008 2:58:32 PM)
I'll do better than that: my password is 15 characters long, uses numbers, symbols, and random capitalization. If someone can hack my password, I'll give them a Klondike Bar.
Slightly Visible, USA (Sent Sep 2, 2008 11:40:09 AM)
hello,
this is a good informative article, and contrary to some of the replies; this is not giving "Hackers" any new information/tactics. This is not "News" to anyone in the IT Security or Computer hacking underground scenes. It's just a continuation of the Social Engineering basic tactics which have been practiced for the better part of 2 decades.
It proposes useful practices to users who would normally find themselves victims of social engineering "Hacks" such as these; who've always asked themselves how they got burnt. Now they have a good idea.
A good informative article. I promise there are no "hackers" learning new tricks here. They wish you didn't draw attention to this "exploit" instead. You should cover how this applies to Internet Domain Registrar hijacking via this method. Lost Password recovery of admin/tech email is the difference between a hacked/defaced website and a secure domain.
Promise.
-c
clone,chicago il (Sent Sep 1, 2008 4:23:35 PM)
In response to Joe Farrell...read the article. Thompson asked for a password reset for his friend's bank account. The bank sent an e-mail with that information to his friend's Web mail account. Thompson then asked for a password reset at the Web mail account, which sent a link to his friend's old college e-mail account. There, Thompson needed only to supply the friend’s address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account, supplying his friend's birthplace and father’s middle name, and ultimately entered her bank account by supplying her pet’s name.
(Sent Aug 26, 2008 4:38:15 PM)
I have a great idea. Why not buy or invent a fingerprint scanner that operates through a USB connection but leaves no digital trace through the web? If it were mass produced the price would be affordable and I would think unhackable, especially if it was programmed for any combination of fingers on your hand.
(Sent Aug 26, 2008 4:37:08 PM)
This has been an amusing thread. I am amazed that people really do answer these inane questions in a straight manner. Folks, no one checks to see if you are answering truthfully so have fun. My security profiles, whilst attempting to keep my accounts secure, serve the secondary function of amusing me greatly. Make up a family history, set it up so that your profile looks like you are the unholy byproduct of a mating between human & dolphin (Michael Phelps). Maybe your favorite pet was Boris the Hedgehog, or mother's maiden name was Flipper, who is going to check? Have fun with it. I find the sillier my profile the easier it is to remember. Crackers don't like quirky as it makes their lives a little more difficult. This method won't guarantee that you won't get hacked but like a car alarm or a locked car won't prevent thefts, it directs the criminal's attention to easier targets, like folks that post their entire family trees complete with social security numbers on MySpace for all the world to see.
Christopher Wick, Topeka KS (Sent Aug 26, 2008 3:56:18 PM)
I'm curious, how can this be a problem if the password is always emailed to the original listed email address? Is this like making up a problem to solve it? I have not seen a single password utility like this that does anything other than simply email the password to the original address listed in the records. Seems like a mountain out of a molehill if you ask me . . .
Joe Farrell, Beaufort SC (Sent Aug 26, 2008 3:46:49 PM)
I have a list of 26 movie stars, one for each letter of the alphabet. Old obscure ones, you know, real 'has beens' from the seventies.
For each, I have answers they would give!
Now for eBay it's Erik Estrada (for instance) but for PayPal it's Pamela Lee. Get the idea?
If ever I suspect a bank of information is compromised, I switch it to a new has-been... the world is full of them.
Nonny Mouse (Sent Aug 26, 2008 3:38:54 PM)
Another nonexistent problem for people to worry about
filabac, NJ (Sent Aug 26, 2008 3:30:27 PM)
I love how people think this article is teaching hackers in a "how to" like manner.
Hackers already get it. They figure out stuff like this well before you do. Hence reporters, like Bob, alerting you, the gullible lemmings, to the situation.
Please, everybody: stop being stupid.
Andrew (Sent Aug 26, 2008 3:14:05 PM)
Keys are just to keep honest people out, I don't lock locks, don't want them to break a window. I think all this security is bunk, I wish I didn't have to have a "password"; it takes too long to open my computer. So I use the same one for everything. BUT, I don't do "Online banking" I use the bank's ATM.
raymond belanger (Sent Aug 26, 2008 3:12:06 PM)
People, the hackers already know this information. They just don't exploit it because it's not really worth it on an individual basis. The information provided is for the eternally naive public.
Kgij X. (Sent Aug 26, 2008 3:11:06 PM)
This is old hat. Several years ago, a friend busted his kid downloading porn with a stolen credit card by figuring out his secret question and resetting the password. My bank uses a secret image as part of user authentication in addition to the secret question.
Lee, Seattle, WA (Sent Aug 26, 2008 2:59:51 PM)
Why should the banks or feds change the requirements? We as the consumer must demand improvements. When shopping for a banking or financial institution- ask what the internet banking authentication is. Simple. The FFIEC (the Federal Financial Institution Examination Council???) requested/required all financial institutions to improve authentication requirements. Layered security was one of the options. Layered security= challenge questions. Many institutions went with the least costly method/vendor therefore you see the same questions over and over. It is the minimum. As a consumer demand more!!! or go elsewhere. Biometrics or true multi-layer security is even more costly and not always easy for a consumer. The secure tokens referred to earlier in the posts- well if you have multiple accounts you need multiple tokens. And if you want to check information at home and work you need to carry them with you. How do you know which is which without marking them? Now if you lose it, it is much easier for whoever finds them to hack into your account; they have the second layer so all they need to do is hack your username... not hard.
not saying, not saying (Sent Aug 26, 2008 2:59:46 PM)
You folks who blame the media for reporting this story as giving "information" to hackers should go to Iran, Russia, etc. There you can have censored media and only the government will have the information. Grow up and fight for freedom and liberty NOT censorship and safety. As the saying goes, "He who gives up freedom for safety deserves neither." Ben Franklin, Thomas Jefferson...
(Sent Aug 26, 2008 2:55:39 PM)
For the woman concerned w/her husband not knowing the passwords. I was in the same situation -- when having surgery I printed my list of passwords from my password protected file and sealed it in an envelope to open in case something happened. Put the envelope in the safety deposit box. After surgery and all was well -- I decided to leave it there -- after all -- I could get hit by a bus.
(Sent Aug 26, 2008 2:55:07 PM)
I like this: The first letters of a song. WWYAMC= We wish you a merry Christmas. OJJWAMWTFN= Old John Joseph was a man with two first names (Harry Chapin, BTW). Very simple, easy to remember, just hum along. Thanks to the Techno Buddy in the AJC.
Rick Powell, Atlanta, GA (Sent Aug 26, 2008 2:54:05 PM)
To all those people who complain that this is going to give hackers ideas... too late. Any good hacker thought of this a while back. In addition... if the author knew this was a vulnerability, would you rather he keep his mouth shut and not warn people and let them get hacked, or spread the word to make people (and banks) think twice?
Dave, South Jersey (Sent Aug 26, 2008 2:51:47 PM)
One thing to add: also be careful with websites used for family trees or to track your lineage.
Grand Rapids, Michigan (Sent Aug 26, 2008 2:44:22 PM)
I think if you are going to use a common password like your dog's name or mother's maiden name, you deserve what you get. I use a password that is 9 letters, numbers, and characters in a random sequence that I have memorized. There is no way anyone could guess mine.
Invisible, USA (Sent Aug 26, 2008 2:39:56 PM)
Hackers don't really have to have any of this information to retrieve a password. Even if you use some random combo of letters and numbers as your security question, something no one would ever figure out, a password can still be hacked. There are fairly simple programs designed to retrieve passwords as soon as a user logs in. Of course, you have to install the program on the computer where the person logs in, but if you think about it, that might not be too hard either. Most people log into personal accounts from work (because, really, who works a full 8 hours a day at the office) and so if that program is installed on a work computer, a hacker can retrieve personal passwords and the sites where you're using them. Some of the programs can even tell you where the person is logging in from and give you a back log of information concerning the site.
So, really, even if we solve this security question dilemma, the more technology advances the less personal security questions will be the real issue.
There are, however, programs that you can download to hinder the hacker programs that retrieve passwords. They create a block to stop people from being able to view information retrieved. A lot of people don't have them installed though...they do cost some money, but it's well worth it.
(Sent Aug 26, 2008 2:36:38 PM)
The problem is that we are confusing "defense in depth," which is a good thing, with "security by obscurity," which any decent IT security guru will tell you is no security at all.
David, Oklahoma City (Sent Aug 26, 2008 2:34:27 PM)
hmmm... a phone call. that kind of kicks me back into my 20th century stubborn mode, where i do NOT use voicemail, just call back another time.
i love passwords, btw. back in the 80s when i started creating myself online, i realized that it would mushroom, i would exist all over creation by different names and codes, and THEN i would likely lose my memory.
rule 1. a name. all over the net i am known by one name, even very personal 15-year relationships online. i am publicly visible, people recognize me in the world by my picture, but never call out my real name.
rule 2. only one permanent business email address, and many addresses on other servers. when i apply for something or register on a frivolous site, i give my "game account" addy, or my "shopping" addy. then i can totally never check those emails, they are ALL trash.
rule 3. only the bank knows my street address. lots of other sites have the local jail house address now, though.
rule 4. ditto my telephone number.
(most sites "mine" addresses and phone numbers, and will not let you pass GO until they have those saleable items)
rule 5. passwords that only mean something to me. nonsense words. passwords that derive from the main password. some passwords will accept "space bar" spaces, which are harder to guess, detect and hack.
rule 6. paypal!! the fewer places my bank card is known, the better.
rule 7. when a site sets off more than one alarm (must have an e check instead of paypal, must confirm email address, almost needs a top secret security clearance,) just back out.
i often find that i get junk from sites where i never completed an invasive registration; they mine information while links are open or something. ewwww
rule 8. question everything: they have no control, i do. they do not have my best interests in mind, i do. they are not online giving away anything. they never ask for something unless it will profit them.
ducksinthewind, mesa az (Sent Aug 26, 2008 2:32:34 PM)
For 10 years I used the same password at work with no problem, because the password was only in my head. Now work requires me to change 4-5 passwords each month and I have to write them all down because they all have different requirements. A hacker cannot get into my head yet. If he could, he would pass me over for a more profitable head.
(Sent Aug 26, 2008 2:32:08 PM)
My biggest problem remembering passwords is that every place has different password rules: some demand strong passwords, some limit the # of letters or #s, some restrict punctuation marks, or capital letters etc. This forces me to write them down and where they are used: (a big security risk)
(Sent Aug 26, 2008 2:28:23 PM)
The person that wants to hold the banks liable for this? We already ARE liable for the data that customers give up about themselves. First our regulators REQUIRE a multi-factor authentication technique for all online banking channels. So now we have to decide what kind of "user friendly" solution to put in place that still creates better security. We choose the option to do secret answers and questions and then our customers go posting all that data about themselves all over the web. I think consumers should be liable for creating weak links to their data- or banks should make those questions/answers less obvious. Or here's a novel idea- how about we hold the hackers liable...you know...the ones STEALING the information from you and then your money? The bank is providing you an online service to your account. You are providing the thief the keys to your money.
Do you realize that every time a merchant (this would be a store you are shopping at) gets hacked into and your debit/credit card gets stolen who ends up giving you the money back? NOT THE MERCHANT. Your bank foots that bill. Then we have to spend the money to sue the merchant for not maintaining PCI compliance. This is not always the "banks" fault.
Pear (Sent Aug 26, 2008 2:25:01 PM)
there are plenty of easy ways to protect yourself.
you can simply spell the answers backward.
if your mother's maiden name is Smith
answer the question Htims
or drop the vowels, so in the Smith example, you would type in Smth
another one is to switch answers, if your mother's maiden name is Smith, and you were born in the city of Toledo, use Toledo for maiden name and Smith for the city you were born in.
bottom line is it's easy to take precautions, and once you start using this regularly it's a cinch to remember and nearly impossible for anyone else to predict...
AJ, Boostin Houstin (Sent Aug 26, 2008 2:24:37 PM)
When my Yahoo email password stopped working they made me jump through so many hoops I was giving up that I would ever get a new password. My bank account password is a random password that I have to write down and keep in a safe. It is changed frequently so I don't think they will get that one. The other passwords I don't care about. What do I care if someone gets into my Yahoo account? But don't tell them that or they will make you jump through even more hoops.
(Sent Aug 26, 2008 2:24:32 PM)
Well... there is no reason you can't answer what you want to these questions... as long as you remember what you put... though if you can't remember your password, how will you remember that? :P lol and as for pet names.... in my 48 years on this planet I have had more pets than you could ever find the names of... I usually put my favorite pet... which is not necessarily the one I have now...
Michel T, Montreal, Canada (Sent Aug 26, 2008 2:20:44 PM)
My wife's ex managed to hack into her yahoo email account by answering the challenge question. My wife kept having to reset her password due to unknown reasons. Finally figured out that it must be her ex answering the challenge question and changing the password. Ever since she changed the challenge question to something her ex could not possibly know it hasn't been a problem. The bummer part is we won a child custody case and he got to see all of the emails between my wife and our lawyer. Our bad for not thinking of that with the yahoo account, yahoo's bad for making it so easy to hack.
Kermit, Seattle, WA (Sent Aug 26, 2008 2:13:32 PM)
This isn't new, people have been using the technique for years. It's not the process that's broken, it's people that use an "easy" answer for all sites. Even if you use a hard one, if somebody gets it they'll try it on all other accounts of yours, and it normally works. If you can't keep track of your passwords use a program like KeePass to store them for you, they're encrypted and you only need to remember 1 password. If you don't want information being accessible don't put it ANYWHERE public. Once you have it's wide open.
(Sent Aug 26, 2008 2:11:01 PM)
I've always despised the miscegenistic "Mother's Maiden Name" question, to which was replied "SheNeverWasAMaiden".
Holden McGroine (Sent Aug 26, 2008 2:01:07 PM)
There are reasons that people use public forums to express themselves. In this age, it is so common and is a way to connect with people you know, and people you don’t. I work a lot and don’t go to bars so meeting people online is a good avenue; at least for me. I don’t put out information associated with my passwords like pets and family. I have met some genuinely nice people, although it doesn’t happen a lot. Some I have known now for years and consider good friends; one I dated for a year. This article has made me think twice about what I have put online, but I don’t think I have given hackers anything to use. And to user Doug, Google keeps all information you ever type forever on or through their site; that’s why your info came up. Yahoo only keeps such for 6 months and then dumps it. When it comes to important info, maybe we should go back to the telephone and writing checks.
Blake, USA (Sent Aug 26, 2008 1:44:02 PM)
Yet another reason I don't use social networking sites...
Ashley, Houston, Texas (Sent Aug 26, 2008 1:36:11 PM)
The more you comment about this the more information you give to hackers.
(Sent Aug 26, 2008 1:35:45 PM)
I use obscure old girlfriend's names. I know I'd never put this online anywhere lest my wife beat me, so it's a secure method.
Tim Los Angeles, CA (Sent Aug 26, 2008 1:34:48 PM)
What do you mean you can't change your biometrics?? You have 2 sets of hand fingerprints, or 10 individual fingerprints. So your thumb gets hacked, use your index or pinky, and learn from your mistakes. If you can't stop following that email link stating "Oops, Britney Did It Again!," you deserve to have your life phished and hacked away.
(Sent Aug 26, 2008 1:30:21 PM)
I agree with Dave K from Seattle. Put your life on Facebook for Myspace and you get what you ask for.
GI, Michigan (Sent Aug 26, 2008 1:22:37 PM)
Here's a Google Tech Talk on the topic of password reset: http://www.itworld.com/security/54290/google-tech-talk-password-reset
Markus Jakobsson, Palo Alto, CA (Sent Aug 26, 2008 1:16:18 PM)
I use a program called "Keepass" (that is the correct spelling) to track my user/passwords. Any 'secret questions' for accounts I store within this utility as well.
Keepass User (Sent Aug 26, 2008 1:14:32 PM)
I had a good friend in grade school who died. I knew her very well. So I use her info. I knew her mother's maiden name, I know her pet, birthday, favorite movie, all of it. Given that she died over 40 years ago, it is rather unlikely that information is all out there for anyone to find, let alone link to me.
(Sent Aug 26, 2008 1:06:01 PM)
Thanks for giving crackers a new way to compromise people's accounts. News Media does it again.
Darren , Springfield, Mass (Sent Aug 26, 2008 12:59:52 PM)
The underlying problem is that banks and credit card companies are not being held financially liable for the identity theft problems they are creating. There simply is no financial incentive for them to fix this.
Corporations solved these problems long ago with security tokens which generate a random number every 60 seconds that is part of your password, while a similar device on the server side ALSO generates the same number, unique to you, and expects it as part of the password.
If you lose the token, the hacker still has only half of your password.
This is an incredibly effective, unbeatable solution, but it requires the banks and credit card companies to buy the technology, which comes out of their already-obscene profits.
Solution? Make banks and credit card companies financially liable for all damage related to identity theft, and pay each victim $5,000 for the inconvenience the bank caused them.
The problem would be solved overnight.
Jonathon Doe, Tacoma, Wash (Sent Aug 26, 2008 12:59:06 PM)
What I like is when you can create your own security questions and answer them. I ask questions about people I know, like "Mr. Brown's first name." Uh, which Mr. Brown is that? I know, but a hacker would be guessing for a while.
(Sent Aug 26, 2008 12:58:02 PM)
I agree about not having a blog, a MySpace page, or generally letting it all hang out in cyberspace. I have no burning need to have my life on display--privacy is important to me. If you google me, you will see professional information, but that's it.
(Sent Aug 26, 2008 12:48:41 PM)
Here's an idea - "Don't put personal information about yourself on the Internet". Would you post all of your family pictures and personal preferences on a bulletin board at the grocery store for all to see? Yet we do it on the Internet. I do not use Facebook or other social networking sites as I prefer to keep what is mine private.
Drew (Sent Aug 26, 2008 12:48:40 PM)
Never make all your passwords the same for every site you visit. The companies where you do financial business should always have strong passwords...alpha and numeric combinations with at least one capital and a special character...if the system will accept it.
Never answer questions like Mother's maiden name...First Car...Where you were born with real data. Have a dummy data file with made-up info in it that you can easily access and use for this purpose.
Do you trust the website you are dealing with? Not only can criminals get bits of information to make educated guesses on your account, but you have to consider the security of the company that you are dealing with. Are they apt to be hacked? Are they a small company? Have they been hacked before?
You might not want to keep confidential information logged with some of these websites, as they can be easily hacked.
Steve, Bethlehem PA (Sent Aug 26, 2008 12:44:15 PM)
If companies were to employ true two-factor, out-of-band authentication, you would not see this.
(Sent Aug 26, 2008 12:35:21 PM)
I'm sure a lot of good hackers know things like that, but I like how it is explained in detail, so all the ones who don't know do now.
THECHAD (Sent Aug 26, 2008 12:27:19 PM)
I would recommend people use a challenge/response phrase system instead of a user password. For example:
User/Id/Key: Where do the guys hang out on Friday?
Password/Value: At the social spot on 111th and Western.
As you saw, the key/value is quite long and unique and does not comprise critical information.
Ed, Atlanta (Sent Aug 26, 2008 12:26:13 PM)
Interesting. Use a complex set of words mixed with your birthday (with numbers) and the first letter of your name, and then mix both, like 34j05t78. That's a strong password; I strongly recommend it.
(Sent Aug 26, 2008 12:25:39 PM)
I think that the biggest problem is instructing people not to write this information down. If this is your home computer, write it all down and keep it in a safe place. Passwords, security questions and answers, etc. The only way you are going to have an issue is if someone breaks into your home, which makes this information the least of your issues. As for work, the administrator used to get all usernames and passwords because it is not your personal data, and they would keep this information locked up so it was there when needed.
You should be required to get a license to use the internet. Some people just don't have a clue even setting up a good username and password. A friend of mine has a son, 17 years old, that set up an account on AOL. His username was Rolling Rock and he made his password Latrobe. His account was hacked within hours. Might as well have a user name The Grass and the password Green.
Jim GHOH (Sent Aug 26, 2008 12:25:29 PM)
People need to get a little enlightened. First, hackers already know this stuff, so the media didn't enlighten them.
Second, get a program like KeePass (Google it, it's 100% free!) and a keychain USB device. Store ALL your passwords on it with one, complex, lengthy, yet easy to remember password. Then, for the sites you visit, the program will create random characters of any combination and length for you. It's like an address book for your passwords.
Now, for people who think a long, complex password is too difficult to remember, think about this:
Your wedding song might be "You light up my life", your spouse's birthday is 10/01/71 and your dog's name might be Sport. So, combine them all and wind up with:
Uluml!71Sp0rt
So, it's now, "Yo[U] [l]ight [u]p [m]y [l]ife[!] 10/01/[71] [Sp0rt]". I added an exclamation point after the song to add to its complexity, and that's a zero in Sport, by the way. Now, this is the only password you would need to remember in order to gain access to all your other passwords.
If you go this route, make sure you keep a backup of the password list on another computer (or two).
George, NJ (Sent Aug 26, 2008 12:16:45 PM)
A problem with fake or off-the-wall answers is that they are hard to remember - my sense of humor varies from day to day. Faced with some sites that provided only pretty obvious questions, some time back I started providing the "correct" answer - but encrypted using a single constant string of numbers that I can easily remember (for example 1234512345). If the question is "Mother's Maiden Name?" and the answer is "Jones", my answer would be Kqqix (J+1 = K, o + 2 = q, n + 3 = q, e + 4 = i, s + 5 = x). Letters at the end of the alphabet wrap around to the front, I use typical capitalization, and the number string repeats as necessary. This still leaves the issue of multiple sites asking the same questions, so a rogue or hacked site might yield this information. So added to the answer is the first letter of each part of the web address. www.facebook.com would be "wfc", for instance, so "Jones" becomes "Joneswfc", or "Kqqixxhf".
(Sent Aug 26, 2008 12:09:11 PM)
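The answer-transformation scheme in the comment above, worked through in code with the commenter's own values (digit key 1234512345, "Jones", "www.facebook.com"); this is an added example, not the commenter's code. It assumes every character, letter or not, consumes one key digit, and it includes a key-recovery function to show that the transformation is a shift cipher, so one real answer seen next to its shifted form gives away the key for every other site.

```python
"""Added example (not from any commenter): the per-site shifted-answer
scheme from the comment above, plus a check of what it does and does not
protect. Each letter is moved forward by the next digit of a repeating
digit key, wrapping around the alphabet and keeping its case; the site tag
(first letter of each part of the host name) is appended before shifting."""


def site_tag(hostname: str) -> str:
    """'www.facebook.com' -> 'wfc'."""
    return "".join(part[0] for part in hostname.lower().split(".") if part)


def _shift_text(text: str, key_digits: str, direction: int) -> str:
    if not key_digits.isdigit():
        raise ValueError("key must be a string of digits")
    out = []
    for i, ch in enumerate(text):
        # Assumption: every character consumes one key digit, even non-letters,
        # which pass through unchanged.
        k = int(key_digits[i % len(key_digits)]) * direction
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + k) % 26))
        else:
            out.append(ch)
    return "".join(out)


def shift_answer(answer: str, key_digits: str, hostname: str = "") -> str:
    """The value to type into the site's reset form."""
    return _shift_text(answer + site_tag(hostname), key_digits, +1)


def unshift_answer(stored: str, key_digits: str) -> str:
    """Recover the plain answer (with the site tag still attached)."""
    return _shift_text(stored, key_digits, -1)


def recover_key(plain: str, shifted: str) -> str:
    """What an observer learns from one plain/shifted pair: the key digits,
    one per letter position. This is why a breach of a site that also holds
    the real answer (or a guessable one) undoes the scheme everywhere."""
    digits = []
    for p, s in zip(plain, shifted):
        if p.isalpha() and p.isascii():
            digits.append(str((ord(s.lower()) - ord(p.lower())) % 26))
        else:
            digits.append("?")   # non-letter position reveals nothing
    return "".join(digits)


if __name__ == "__main__":
    key = "1234512345"
    print(shift_answer("Jones", key))                      # Kqqix
    print(shift_answer("Jones", key, "www.facebook.com"))  # Kqqixxhf
    print(unshift_answer("Kqqixxhf", key))                 # Joneswfc
    print(recover_key("Jones", "Kqqix"))                   # 12345
```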
You have to remember to add numbers and other stuff so a thief will have a harder time breaking into your forgotten password. Encrypt files with at least 448-bit-plus Blowfish encryption and/or 256-bit AES (Advanced Encryption Standard). 128-bit RC4 (Release Candidate 4) can and has been broken via DOD and DHS testing.
(Sent Aug 26, 2008 12:05:25 PM)
I never give real information for ID or security questions. We all know lots of personal info that only we know and that's easy to remember. I still remember my BGF's phone number from the 1960s, back when the exchange included letters! I challenge any hacker to figure that one.
And, what's with mother's maiden name? It's awfully presumptuous to assume that my mother's last name differs from mine.
Not My Real Name from Not My Real Town, 3rd Planet (Sent Aug 26, 2008 12:01:47 PM)
Don't blog. Don't Facebook. Don't MySpace. Don't be stupid. Hackers and criminals are just waiting to know you, and they are better than you at using your own information. Many Internet features improve the quality of life and the availability of information; however, sharing your personal information with the public is as risky as walking alone at night in a rough part of town. You should always remember that everything on the Internet is public, no matter what level of privacy and/or security you think you have. Some human programmer wrote your security program, and there is another, better programmer who can hack into it.
Jack
(Sent Aug 26, 2008 11:58:03 AM)
I have a very simple solution to this problem. I never give the answer they are asking for. My answer is always for a different question. If they ask for my pet's name, I give my favorite food. My mother's maiden name, I give the high school I attended. Hack away.
(Sent Aug 26, 2008 11:57:32 AM)
I like the guy's excuse about biometrics. Your mom's maiden name can't be changed. Uhhh, yeah it can; it is whatever you type or whatever you give when you open the account.
As long as you remember the change, who is to know that you lied about it?
I am truly terrified about biometrics because that cannot be changed at all.
A password change is only a phone call or a brief hassle away.
Your fingerprints and irises are here to stay.
(Sent Aug 26, 2008 11:56:22 AM)
If the question is something like your father's middle name, use your grandfather's middle name. Then take out the vowels, and type it twice, example: Instead of Edward, type dwrddwrd. The same with school names or pet names, type them backwards or front half after the back half. There is no law that says you have to answer correctly. I picked a new middle name for my father.
Also, never use the same password for online accounts such as ebay as you do for your bank accounts. They should be very different.
C, St. Louis, MO (Sent Aug 26, 2008 11:55:15 AM)
you mean somebody is actually STUPID enough to give REAL information to those "reset" accounts?
Mine is rather terse and something that only I would know. Besides, "social" websites are security risks on their own.
I prefer to stay ANONYMOUS.
not supid, Seattle area (Sent Aug 26, 2008 11:54:20 AM)
I don't normally reply to comment requests; however, I feel that I have a helpful suggestion on this issue. Since I am one of the people who cannot remember how to spell my first grade teacher's name, or whether I used capital or lower case text, I started to answer all of these security questions with a secondary password containing letters and numbers. Since I use the same secondary password for all of these security questions, I do not get confused or forget. This secondary password is not connected to any of the standard questions, so there is no chance of someone figuring it out.
Elizabeth (Sent Aug 26, 2008 11:53:29 AM)
If it hadn't occurred to the hackers before, after reading your article, I'm pretty sure they got the idea now.
Terry del, Los Angeles, CA (Sent Aug 26, 2008 11:48:02 AM)
I have one spreadsheet with all login/password/challenge questions on it. That file is stored on my external hard drive, which is only turned on when I'm using it: backing up or retrieving old data, or retrieving the password to the store charge account I only use at Christmas (and therefore always forget...) It doesn't matter what challenge answers I use, as long as the question and answer are transferred to the spreadsheet. My biggest concern is, if I die or am incapacitated, would my husband be able to find it on the external drive?
(Sent Aug 26, 2008 11:43:32 AM)
if you had a password that said "smoke weed til your face fries savage cannibal" then you'd stand a better chance of not ending up on welfare leaching all you can from the government while selling crack and smacking your 3rd wife
That Boy, Tawas City, Michigan (Sent Aug 26, 2008 11:34:46 AM)
Why do you have to answer those security questions with the correct answer?
(Sent Aug 26, 2008 11:25:45 AM)
I've personally been exploiting this for a long time now. In most circles it is known as "social engineering" and it's often quite successful for all of the reasons explored in the article. I never publish real personal info online anywhere (including name, date of birth, address, etc.) and if I have to set up a secret question for an online account I put in random sequences of letters and numbers. If it's something I want to remember in case I really do forget my password then I use a text file. Problem solved.
(Sent Aug 26, 2008 11:21:20 AM)
I was just teaching my son the other day how to create an answer that fits the stupid obvious question in a way he can remember but spoofs the original meaning. Like "What is the name of your first school?" Playschool (we did one much better than that; it's just the concept).
Until the Feds force all the banks to clear out all the old security questions, though, consumers are stuck. The unwitting and trusting are the fools of the 21st century.
Sean Dho, Freeport, NY (Sent Aug 26, 2008 11:14:21 AM)
The question is "What is your mother's maiden name?" but my password reset answer has nothing to do with my mother or her name. Ditto for my high school, etc. I have a set of passwords that don't match the questions in any way. You can always make up a fake, bizarre maiden name, or use an answer like 54 Chevy.
cj, los angeles (Sent Aug 26, 2008 11:10:38 AM)
I've always hated the "mother's maiden name" security question, and have often begged banks to change it (they won't). My reason? ... It's my middle name. When I point this out to customer service reps, they have no idea what to do. I know I'm not the only one with this problem, and I applaud services that have thrown out this question... and this problem is exactly the type of thing that made me get rid of AOL years ago - no one bothered to tell me that my security questions were being hacked (they were wretched questions in the first place).
(Sent Aug 26, 2008 11:08:34 AM)
I usually keep a question translation list at my personal computer.
For example, on the list is the question about my mother's maiden name, but I have a translated question written down like 'favorite movie'.
This way I don't have any answers written down anywhere, but potential 'answer hackers' would have to come to my own home to take the next step. Not likely.
(Sent Aug 26, 2008 11:06:10 AM)
I've often thought of this when opening online accounts. My fiancé would often tease me for taking so long with the questions, but I continue to take the time in determining questions that the closest people to me would find challenging. If it's challenging to them, then it's challenging to anyone. I'm glad I'm not just neurotic.
(Sent Aug 26, 2008 11:03:39 AM)
The problem isn't so much security as punishment. They need to chop off these guys' (hackers') hands. Yes, it sounds barbaric, but once a few people see that they may lose more than they were willing to give up, they might not want to spend so much energy cracking passwords. The other alternative is to have these comp. sci. nitwits working endlessly trying to plug a dam with a napkin. I'm sure they think the napkin is just fine as long as they keep getting paid.
Chris, Anytown, USA (Sent Aug 26, 2008 11:03:00 AM)
this is scary
(Sent Aug 26, 2008 10:49:08 AM)
Great article and really scary. I just tried this on my bank and they ask for my mother's maiden name, last four digits of my SSN, and username. They then email me a link which ironically got caught by my email spam filter. What panicked me is that when I did a search for my name and the last four digits of my SSN in Google the combo came up in this gigantic web page that had a big list of names and numbers with no formatting. It was at a .info site. Can anyone tell me what this is?
Doug Foster, Englewood, NJ (Sent Aug 26, 2008 10:45:39 AM)
IMO the biggest problem for users is the myriad of password requirements. Some require no more than 4 characters. Some require at least 8. Some require letters AND numbers. Some require upper and lower case. Even a reasonably complex password would be manageable if you could use it in all instances. I get frustrated trying to keep track of all the passwords I have to create to "fit" the particular requirements for each site.
gk (Sent Aug 26, 2008 10:42:31 AM)
I've noticed many sites now ask you to make up your own security questions and answers. The temptation is there to make them easy - don't! As for ones that ask for your pet's name, I've always used a pet that died many years ago; I don't think a hacker will find a reference to his name anywhere.
D. Smith, SLC, UT (Sent Aug 26, 2008 10:42:25 AM)
Why do people put so much personal information on their blogs or social network profiles? It's one thing to write about your interests and activities or opinions on issues, what's going on in your life, etc. But why include detailed information about your grandparents? That could put your mom's maiden name out there - a primary security question on most credit applications. Trust me, Grandma would probably much prefer you call or visit her than list her name on an online profile. And if you're past your mid-20s, most people don't care where you went to high school. People who get to know you online or offline, and whom you trust, can ask for this information in the unlikely event that it interests them. Your offline friends already know mundane stuff about your background.
Gail, St. Louis, MO (Sent Aug 26, 2008 10:39:49 AM)
Here's an idea: don't have a blog or an account at any social networking site. It may be so 20th century, but the less of me that's out there, the better.
(Sent Aug 26, 2008 10:21:30 AM)
So if you answer these questions using fake information how do you remember your fake answers? Do you write them down someplace & stick them under your keyboard or in your wallet or purse?
Art Vandeleigh, New York, NY (Sent Aug 26, 2008 10:11:40 AM)
I think one reason this isn't exploited much is that it needs to be targeted at specific individuals. It might be worth it to go after Paris Hilton, but not to get a few thousand (if that) from the average individual. (Note to hackers - my accounts don't have much in them)
Harvesting a lot of passwords using malware is less work for the return.
(Sent Aug 26, 2008 10:09:12 AM)
The best way to deal with such security questions is to set them up with off-the-wall answers. For example, if the question asks "What time were you born?", use "morning" as your answer. "Where did you go to school?" would be "In a school house". Or instead of trying to remember how to spell McFadden, simply use the playground nickname for her. Unconventional, or even tongue-in-cheek, answers to such questions will help in making it much more secure.
BD, Pittsburgh, PA (Sent Aug 26, 2008 10:07:59 AM)
I'm several months ahead of you. When I rec'd a mailing from my vet, via a major pet med manufacturer, I realized how easy it would be to connect the dots of my personal info. Right there on the outside of the envelope was my pet's name. When I complained to my state's Board of Vet Med, they didn't see it as a problem and said that surely no vet would do that. Yeah, right. Now when I enter a favorite question, I choose birthplace and enter something stupid, never the true POB. With identity theft rising, it's amazing how much personal and financial info we're being forced to give up--by employers, ebay, PayPal, across the board--all in the name of security. Hello??!!
Anonymous, Anytown, USA (Sent Aug 26, 2008 10:05:16 AM)
Well, thanks for publicizing this so that now hackers will know to try something you are saying they have not successfully done before. You have given them just the info they need. Sometimes the media creates the problem.
(Sent Aug 26, 2008 10:04:47 AM)
The way to get around this problem is to consistently lie: say your favorite pet is Big Bird, and that your mom's maiden name is Baggins. Just remember your fabrications and keep them consistent, and you'll never have to worry about a data miner guessing the answers.
Dave, Tacoma, WA (Sent Aug 26, 2008 10:04:42 AM)
The link on the MSN page has the headline "Forget Passport a Weak Link", but the story is about passwords. A good story, but it's not about passports!
Jane Palen, Caledonia Minnesota (Sent Aug 26, 2008 10:03:23 AM)
I guess I'm too old for MySpace and Facebook, but I have been using the internet since its early days. I can't understand why anyone would put their life on the internet for any stranger to see. Most likely it's an unbelievably boring life and only interesting to people who are equally boring, and bored to the point they have nothing better to do than read your life's story. Is there a relationship more shallow than a MySpace "friend"? I'd rather we stay strangers.
But as this article shows, along with many other articles about job searches gone bad because of too much information on the internet, there's much more to lose than to gain by putting yourself out there.
Dave K. Seattle (Sent Aug 26, 2008 10:03:01 AM)
The cure for this problem is to lie - give your younger brother's name when asked for your "Favorite Pet," for instance, or tell all the sites your mom's maiden name was Baggins. As long as you keep your deceptions consistent, you shouldn't have any trouble remembering what you made up - and no one's going to guess.
(Sent Aug 26, 2008 10:02:20 AM)
This is why I simply don't use fallback authentication. Period.
Whenever some website asks me for a security question, I type in the longest and most gibberish filled random data allowed. For example:
Name of childhood pet?
I might type something like i38ujg4io38&3u82i2#$tj3ioj38fjf3.
So try guessing that from my personal data. Sure, you can't easily get back your password. But neither can anyone else.
And if you really need to, a phone call saying you're still locked out works just fine...
Jamie (Sent Aug 26, 2008 9:59:29 AM)