
PC World Forums: Other Webmail Services Share Password Reset Flaw - PC World Forums



Other Webmail Services Share Password Reset Flaw

#1 PCWorld

  • Advanced Member
  • Group: PCWorld BOT
  • Posts: 44,237
  • Joined: 01-August 07

Posted 20 September 2008 - 08:10 AM

Post your comments for Other Webmail Services Share Password Reset Flaw here

#2 MtnTrekkr

  • Newbie
  • Group: Members
  • Posts: 4
  • Joined: 21-September 08

Posted 21 September 2008 - 08:47 AM

I'm unsure about Microsoft's mail system, but Google doesn't seem to allow proxies to be used.

For anyone doing account maintenance on any type of account, blocking proxies should be a top priority.

I haven't tested Google or Microsoft's challenge questions, but the "what you know" aspect of the authentication process needs to be something uniquely known only to the individual.

People should be allowed to choose from tougher questions.

One of the banks where I recently installed a strong multi-factor authentication system chose questions so tough that often I can't remember the answer to my own questions and must call the bank.

If Yahoo (or any account provider) offers mail and payment systems, they should be using the same type of multi-factor authentication processes that the financial institutions are regulated to utilize.

The rise in cyber crime has been so immense that every company needs to start taking breaches far more seriously than they do.

Yahoo's official response suggested that they were unaware of what the problem was. The VP of mail advised everyone to use longer passwords. Talk about being clueless.

#3 tadams

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 21-September 08

Posted 21 September 2008 - 02:59 PM

I would disagree that all of the free mail systems are equally as lax as Yahoo.

I use Gmail and knew that they don't allow proxies in what they say is an effort to eliminate spammers.

I ran some tests with Gmail, MSN Live, and Yahoo mail and found the following results:

Gmail doesn't allow proxies while both Microsoft Live and Yahoo do allow proxies to be used during account creation and maintenance.

As to the strength of the security questions, Gmail has stronger questions and allows users to create their own, if they don't like the choices. Gmail's questions range from frequent flier number, library card number, and write your own.

MSN Live's questions were weaker and included mother's birthplace, childhood friend, name of 1st pet, grandfather's occupation. A bit weaker than Gmail's but still stronger than Yahoo's.

Yahoo questions included where did you meet spouse, name of 1st school, childhood hero, favorite pastime, favorite sports team, H.S. mascot, make of 1st car, pet's name. All were questions that for a public person could be available through social engineering.

I tried the password reset features and Yahoo's was the weakest. I didn't even need to know the zip code or anything other than the id and could guess at the question (which I did).

Author should try out each one and maybe do an addendum to this article. It's misleading when one mail service provides tighter security than the other two.

My advice - use Gmail, if you want to use free mail.