- As soon as the attacker has your email address, a process on their server logs into your email provider as you and initiates an "I've lost access to my email" password reset process.
From then on, every question in your signup process for the attacker's service is actually a password reset question from your email provider.
Sadly, it's quite clever.
WanderingEng · 2730 days ago
I've been very distrustful of security questions ever since someone pointed out to me that they're essentially plain text passwords with a clue provided.

You can treat all security questions as passwords and generate unique answers for each.
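The per-site answer idea from the comments above, as an added example that is not code from the thread: a toy model comparing one factual answer reused everywhere with a vault that generates a random answer per site, checked against the relayed reset question described in the post. The site names, the question and the "real" answer are constructed, and `AnswerVault` stands in for a password manager.

```python
import hmac
import secrets

FACTS = {"mother's maiden name?": "Smith"}  # constructed "real" answer


class AnswerVault:
    """One random answer per (site, question), as a password manager would hold."""

    def __init__(self):
        self._answers = {}

    def answer_for(self, site, question):
        key = (site.lower(), question.strip().lower())
        if key not in self._answers:
            self._answers[key] = secrets.token_urlsafe(16)  # 128 bits, no clue
        return self._answers[key]


def truthful(site, question):
    """Habit the comment warns about: the same factual answer on every site."""
    return FACTS[question.strip().lower()]


def relayed_reset_succeeds(answer_fn, provider, other_site, question):
    """The provider's reset question is shown on other_site's signup form and
    whatever the user types there is passed back to the provider."""
    enrolled = answer_fn(provider, question)   # answer set up at the provider
    typed = answer_fn(other_site, question)    # answer given on the other site
    return hmac.compare_digest(enrolled.encode(), typed.encode())


QUESTION = "Mother's maiden name?"
vault = AnswerVault()

if __name__ == "__main__":
    # Reused factual answer: the relayed question is answered correctly.
    print(relayed_reset_succeeds(truthful, "mail.example", "signup.example", QUESTION))
    # Per-site random answers: the answer typed elsewhere does not match.
    print(relayed_reset_succeeds(vault.answer_for, "mail.example", "signup.example", QUESTION))
```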