From Wired magazine:
...the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse -- the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
We cannot trust security questions like these to reset forgotten passwords.
How should a better system be designed?
Best answer
The insecurity of so-called "security questions" has long been known. As Bruce Schneier puts it:
The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.
What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)
I think a better technique is to send an email containing a link that they can use to generate a new random password, sent to the email account the user originally signed up with. If they did not request a new password, they can simply ignore it and keep using the old one. As others have pointed out, this does not necessarily help Yahoo, since they are the ones running the email service, but for most other services email is a decent authentication measure (in effect, you push the authentication problem onto the user's email provider).
Of course, you could just use OpenID.
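The email-link reset flow described in the answer above, written out as an added example (this is not code from the original post or from any of the services it mentions). It assumes a hypothetical in-memory user table, an outbox list standing in for a mail transport, and a constructed base URL. The points it makes concrete: the token comes from the OS CSPRNG, only its hash is stored, it expires and is single-use, and the "forgot password" form answers identically whether or not the address exists.

```python
"""Email-link password reset: added example, not from the original Q&A.

Hypothetical pieces: USERS (in-memory user table), OUTBOX (stand-in for a
mail server) and BASE_URL (constructed placeholder).
"""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60          # an emailed link stays valid for 15 minutes
BASE_URL = "https://example.test"    # constructed placeholder, not a real site

# Constructed user table: email -> username (a real system would query a DB).
USERS: Dict[str, str] = {"alice@example.test": "alice"}

# Maps SHA-256(token) -> (username, expiry). Only the hash is kept, so a leaked
# copy of this table cannot be turned into working reset links.
_pending: Dict[str, Tuple[str, float]] = {}

# Stand-in for a mail transport: every (recipient, link) pair is appended here.
OUTBOX: List[Tuple[str, str]] = []


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a fresh single-use token for `username` and record its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def request_password_reset(email: str, now: Optional[float] = None) -> str:
    """Handle the 'forgot password' form.

    The reply is the same whether or not the address is registered, so the
    form cannot be used to enumerate accounts; only a registered address
    actually receives a link, and only at the address on file.
    """
    username = USERS.get(email)
    if username is not None:
        token = create_reset_token(username, now)
        OUTBOX.append((email, f"{BASE_URL}/reset?token={token}"))
    return "If that address is registered, a reset link has been sent."


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume the token from a clicked link; return the username or None.

    pop() makes the token single-use; the expiry check bounds how long a
    forwarded or leftover email remains useful.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_hash_token(token), None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None


def token_from_link(link: str) -> str:
    """Extract the token query parameter from an emailed link."""
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    print(request_password_reset("alice@example.test"))
    recipient, link = OUTBOX[-1]
    print("would email", recipient, "->", link)
    print("reset for:", redeem_reset_token(token_from_link(link)))
```

A successful redemption is where the application then lets the user set (or generates) the new password; the unchanged old password keeps working until that point, which is what lets an unrequested email be ignored safely.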
On "security - What are good alternatives to security questions?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/104592/