by dunnevens 1791 days ago
In case of fire, seems like you only need to memorize the passwords for your email accounts. Everything else can be fixed with “reset your password” links.

I’ve sometimes wondered if that would be a useful security scheme. Using email as a de facto pw manager. Memorize your email pw. Use the password reset feature on your critical sites. It would be enormously inconvenient. But it would mean your passwords are never written down and never stored in a pw manager’s database.

Seems like that would make things more secure, but I’m probably overlooking something.

1 comment

It's a complicated issue.

I think some people don't make any real effort to keep track of their passwords, and so reset via email is kind of common.

But what if you're Sarah Palin, governor of some out-of-the-way state (pop. 736,000). Suddenly you're thrust into the spotlight as a VP candidate.

Sucks for her that Yahoo's password reset questions at the time were simple: the Yahoo! account's password could be reset using shared-secret questions, including "where did you meet your spouse?", along with the former governor's date of birth and ZIP code, the answers to which were easily available online.

https://en.wikipedia.org/wiki/Knowledge-based_authentication

Can you trust your email provider not to let your account get "stolen" from you?

I think having a discussion like this on HN is great. It gives people an opportunity to re-evaluate their current procedures.
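An added example, not code from either poster or from Yahoo, contrasting the two reset mechanisms the thread discusses: an emailed reset link backed by a random, single-use, expiring token (only a hash kept server-side), next to a knowledge-based reset that succeeds as soon as the "secret" answers are matched. The account name, the public-record facts and the registered KBA answers are constructed for illustration and are not real data.

```python
"""Added example: emailed reset token vs. knowledge-based reset questions.

Illustrative code only; the store, account and sample facts are assumptions,
not taken from the HN thread or from any provider's implementation.
"""
import hashlib
import secrets
import time


class ResetTokenStore:
    """Issues and redeems one-time, expiring password-reset tokens.

    Only a SHA-256 digest of each token is kept server-side, so a leaked
    table does not let an attacker complete a reset; the plaintext token
    exists only in the emailed link.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # token digest -> (account, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account):
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output
        self._pending[self._digest(token)] = (account, self._clock() + self.ttl)
        return token                        # goes into the emailed link only

    def redeem(self, token):
        """Return the account for a valid token; consume the token either way."""
        entry = self._pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        account, expires_at = entry
        if self._clock() > expires_at:
            return None
        return account

    def holds_plaintext(self, token):
        """True only if the raw token were stored, which this design never does."""
        return token in self._pending


# Constructed public-record facts about a hypothetical account holder, the kind
# of thing a search engine or voter roll would reveal (fictional values).
PUBLIC_RECORD = {
    "date of birth": "1975-06-30",
    "zip code": "12345",
    "where did you meet your spouse": "college",
}

# Constructed answers the same hypothetical person registered with webmail.
KBA_ANSWERS = {
    "date of birth": "1975-06-30",
    "zip code": "12345",
    "where did you meet your spouse": "College",
}


def kba_reset(registered, guesses):
    """Knowledge-based reset: succeeds when every registered answer is matched
    (whitespace- and case-insensitive, as such forms typically are)."""
    return all(
        guesses.get(question, "").strip().lower() == answer.strip().lower()
        for question, answer in registered.items()
    )


def demo():
    """Walk both flows and return what each attempt yields."""
    clock = [1_000_000.0]
    store = ResetTokenStore(ttl_seconds=900, clock=lambda: clock[0])

    token = store.issue("alice@example.com")
    plaintext_stored = store.holds_plaintext(token)   # False: only the digest is kept
    first = store.redeem(token)                       # the account: link works once
    second = store.redeem(token)                      # None: already consumed

    token2 = store.issue("alice@example.com")
    clock[0] += 901                                   # past the 15-minute TTL
    expired = store.redeem(token2)                    # None: link has expired

    kba = kba_reset(KBA_ANSWERS, PUBLIC_RECORD)       # True: public facts suffice
    return plaintext_stored, first, second, expired, kba


if __name__ == "__main__":
    print(demo())
```

The token flow is only as strong as the mailbox it lands in, which is the commenter's point: once every site defers to email, the email provider's own recovery path (here, guessable questions) becomes the single point of failure.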