One attack on services that use personal questions as a backup form of user verification works well for high-profile users of these systems. The attack is very simple: go to the password recovery page and use Google to look up the answers to the personal questions asked. There is enough Googleable data around for high-profile people, and perhaps for not-so-high-profile people, that the attack can succeed often enough to be useful. My sources say Sarah Palin's email account was breached using this attack.
Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        | "We used to quip that "password" is the most common
408-356-8506       | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]