
Monday, April 26, 2004

More thoughts on challenge questions

More thoughts on challenge questions: Lest I be accused of Google-bashing (as a couple of correspondents have lightly inferred), so far I think GMail is the tits. As I've discovered (and as Matt Haughey points out), the ability to compromise a webmail account by answering another person's "challenge question" is not unique to GMail. Yahoo! Mail and Microsoft's Hotmail seem to have similar problems.

The basic problem is that we, the fallible humans, when given a chance to secure the account, pick poor challenge questions, queries that are easily researched by uncovering information we've made available about ourselves. My mother's maiden name is out there on the web, tied to my own name, and vulnerable to a simple Google search. So is a lot of personal information about me, much of it published right here — and freely so — on this very website. So I've chosen a challenge question for GMail that's unlikely to be answerable by anyone but me: the full name of my first love. Considering even he didn't know he was my first love (I never 'fessed up) and I've never spilled the beans to anyone (when describing my romantic past, I start with my second love), this is extremely uncommon knowledge.

So really, it's incumbent on us when securing our accounts — webmail, banking, website FTP or what have you — to think creatively about crafting the questions, passwords or other security measures we use. (Dan Budiac has been thinking about this too.)

Even assuming we all pick inscrutable, arcane questions as our first line of defense, consider that the task of making forgotten or misplaced passwords easily recoverable for the user isn't an easy one, for Google or anyone. Once it becomes widely available, GMail will become a lot of people's primary or only e-mail account. Google can't rely on the notion that many or most users will have a secondary account to which a new password can be sent.

What are the options? At the university where I teach, if you forget your password, you have to request a new one in person at the Registrar's office and provide a lot of ID or you request one on the web and it's sent by postal mail to your home address. I'd have to jump through similar hoops with my bank (which will take a phone request, but still mails the new password) and charge card companies. I doubt Google, large and powerful though they may become, is prepared to run a tech support phone line for people to recover their passwords for a free web service.

I don't know what all the answers are and, aside from suggesting we choose unanswerable-but-by-us challenge questions, I'm fresh out of ideas. Maybe it's multiple tiers of challenge questions, maybe it's something with cookies and smart cards. Maybe it's something else.

What I do know is it's a toughie and I'm glad I'm just a user who can prod more savvy minds than mine to consider it.
Posted by Brad on April 26, 2004 at 5:47 PM
Categories: General
