April 26, 2004

GMail "hackable"...

Oh crap...

Posted by joebeone at April 26, 2004 12:11 AM
Comments
haha--i remember this being a problem with hotmail waaay back when it first appeared (and i'll admit that i've tried it, and it does work). it's a classic social engineering hack, which usually requires no engineering per se... this would be the problem with google offering encryption on the email store... what happens when you lose your key? if key retrieval is that easy, whoever wants your key can get it in a snap.
Posted by: Jeff at April 26, 2004 01:16 AM

I don't understand the reasoning for these "security questions". The point of a password is that it is unguessable. Adding a "security question" that reveals the password defeats the whole idea behind having a password. Having the security question change the password in any way could lead to denial of service.

I think the best scheme for most sites is to just have a button that will (1) email a user's password to that user's secondary email address or, better, (2) email them a special URL, good for a limited time, that will allow them to change their password.

What, really, is the purpose of a security question? I'm sure that a quick Google search would quickly reveal the answer to any of the suggested questions in my case.


Posted by: Tobin Fricke at May 10, 2004 02:50 PM
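
The time-limited reset URL proposed in the comment above, as an added example (not code from the post or its commenters). The `ResetTokenStore` name, the in-memory dictionary and the 15-minute lifetime are assumptions for illustration; requesting a reset never changes the existing password, which avoids the denial-of-service concern the comment raises.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the comment only says "limited time"


class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, now=time.time):
        self._pending = {}  # user -> (sha256(token), expiry timestamp)
        self._now = now     # injectable clock so expiry can be exercised

    def issue(self, user):
        """Create the token to embed in the emailed URL; store only its hash."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Issuing again replaces any earlier token; the password is untouched.
        self._pending[user] = (digest, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, user, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong guess: the pending reset stays valid
        del self._pending[user]  # single use, even if it has expired
        return self._now() <= expiry


def demo():
    clock = [1_000_000.0]  # constructed fake clock
    store = ResetTokenStore(now=lambda: clock[0])
    token = store.issue("alice@example.com")  # constructed sample account
    results = {
        "wrong_token": store.redeem("alice@example.com", "guess"),
        "first_use": store.redeem("alice@example.com", token),
        "replay": store.redeem("alice@example.com", token),
    }
    late = store.issue("alice@example.com")
    clock[0] += RESET_TTL_SECONDS + 1  # let the second token expire
    results["expired"] = store.redeem("alice@example.com", late)
    return results
```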