Wednesday, March 30, 2011

The weakest link with user passwords may not be the password...

We see a lot of coverage about how you need to have a "strong" password for all of your accounts, and you do what you can to create one that you can remember. It's not easy; different people settle on different patterns: combinations of birthdates and/or names, acronyms that should only make sense to you, or the ever popular favorite 6-8 letter word with the first letter capitalized and a number between 1 and 99 added on the end so we can increment it easily and still meet the minimum requirements of a "strong" password... (You know you have done that before...) Humans are built to be pattern-based, and we will each find our own pattern to follow. That's why, many times, once one of a user's passwords to one site is compromised, it isn't too difficult to start breaking or figuring out the others, and it snowballs from there.

What we don't see a lot is how to protect the backside of your account, the "Forgot Password" functionality. I see way too often that the forgot password option asks the user to set up questions whose legitimate answers are public knowledge. This really defeats the whole purpose of trying to identify the user with a high level of assurance that they are who they say they are. It is supposed to be "something you know...", but what is left off is the rest of the saying, "... that others don't." Standard questions in the forgot password section don't really help: "Where did you go to high school?", "What is your dog's name?", "What is your favorite color?", and other similar questions. For many people, the answers to these questions are often a matter of public record for others to see. Forum posts, Facebook status updates, the never-ending cute surveys of "25 things about you", and many other places contain the answers to your forgot password questions... On top of that, many times the forgot password option allows someone to type in the email address they would like the password (or reset link) to be sent to. I understand that sometimes the user might have changed email addresses, but this makes it oh so easy for someone with less than honorable intentions as well.
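The reset-link problem described above, as an added example that is not part of the original post: a request/redeem pair in Python that sends the link only to the address already on record, stores just a hash of a random, short-lived, single-use token, and answers every request with the same message. The user store, mail queue and names are constructed for illustration; the "weak" function is included only to show the contrast.

```python
import hashlib
import secrets
import time

# Constructed user store: the address on record is the only place a
# reset link may ever be sent.
USERS = {"alice": {"email": "alice@example.com"}}

# sha256(token) -> (username, expiry). Only the hash is stored, so a
# leaked table does not hand out usable reset links.
PENDING_RESETS = {}
TOKEN_TTL_SECONDS = 15 * 60
SENT_MAIL = []  # stand-in for the outbound mail queue: (to, token)
GENERIC_REPLY = "If that account exists, a reset link has been sent to the address on record."


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset_weak(username, destination_email):
    """The design the post criticises: the link goes wherever the
    requester says, so whoever fills in the form chooses where it lands."""
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[_hash_token(token)] = (username, time.time() + TOKEN_TTL_SECONDS)
    SENT_MAIL.append((destination_email, token))


def request_reset(username, now=None):
    """Hardened: destination is the address on record, the token is
    random, short-lived and single-use, and the reply is identical
    whether or not the account exists."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
        SENT_MAIL.append((user["email"], token))
    return GENERIC_REPLY


def redeem_reset(token, now=None):
    """Consume a token exactly once; unknown or expired tokens are
    rejected, and an expired one is discarded on the way out."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_hash_token(token), None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```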

Sometimes I try to answer the questions with answers that don't really seem to make sense, so that they can't be easily guessed, but sometimes my answer is hard to remember. I like the sites that let me type in my own question and answer; this allows me to pick questions/answers that should (hopefully) only make sense to me. Now, I know that for some people this may not work that well, as they may enter really simple questions so that it is easy for them to remember, but I like having the option.

As we get further and further into the information age, and more and more information about us is publicly available, it is getting harder to implement the "what you know" authentication factor with a high level of assurance.