I signed up for a site called Aggreg8 that looks like it wants to be LinkedIn for IT professionals. Apparently it's a Microsoft site with the tagline "The social network for IT Pros."
To join the network, I signed up for my Windows Live ID. There is a nifty widget that indicates the strength of your password while you type it. It calls your password Weak if you only have a mixture of letters and numbers. Add in some mixed case and you move to Strong. I enjoyed this little widget immensely because of the immediate feedback.
Also on the same form, I was presented with a drop-down list of potential secret questions that I could answer when I need my password reset. Mother's birthplace? Not sure if I know that. And do I typically answer City, State? Or City only? Grandfather's occupation? Well, in my case, both my paternal and maternal grandfathers had the same occupation, farmer, which is a likely answer for many people in my generation and perhaps the one above. But with two potential answers I would have to guess at how I answered. At first glance I wasn't sure of any question to which I knew an answer I would give the same way every time I was asked. And on further inspection, I realized that I didn't even know the answers to many of the questions. I also believe that some of these are the types of questions that a social engineer could extract from you pretty easily with casual light conversation.
So, kudos for the password strength checker, but I'm not convinced the secret questions used to reset your password are going to prove useful over time. I might be more protective of disclosing my grandfather's career path in the future, too.
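Two of the problems raised in the secret-question paragraph above can be made concrete: the same fact typed as "City" one day and "City, State" the next, and an answer such as "farmer" that a large share of users give. The following is an added example in Python, not code from Aggreg8, Windows Live ID or the post's author. The answer frequencies are constructed for illustration (they are not survey data), and the normalization rules (fold case, accents and punctuation, drop a trailing ", State" or ", Country" component) are assumptions about how a verifier might canonicalize answers, not anything the site is known to do.

```python
import hashlib
import hmac
import math
import re
import unicodedata

# Constructed, illustrative answer frequencies for "Grandfather's occupation?"
# (made up for this example, not survey data). The skew is the point: a
# handful of answers cover a large share of users.
OCCUPATION_ANSWERS = {
    "farmer": 0.30,
    "carpenter": 0.07,
    "miner": 0.06,
    "teacher": 0.05,
    "mechanic": 0.05,
    "soldier": 0.04,
    "other": 0.43,  # long tail of rarer answers
}

# Assumption: place answers look like "City" or "City, State/Country",
# with a one- or two-word region name after the comma.
_TRAILING_REGION = re.compile(r",\s*[a-z]{2,}(\s+[a-z]+)?$")


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text secret answer so spelling variants of the
    same fact compare equal: accents folded to ASCII, lower-cased, a
    trailing ', State' component dropped, punctuation removed and
    whitespace collapsed. 'Springfield, Illinois' -> 'springfield'."""
    nfkd = unicodedata.normalize("NFKD", answer)
    folded = "".join(c for c in nfkd if not unicodedata.combining(c))
    lowered = folded.strip(" .").lower()
    lowered = _TRAILING_REGION.sub("", lowered)  # must run before punctuation removal
    no_punct = re.sub(r"[^a-z0-9\s]", "", lowered)
    return re.sub(r"\s+", " ", no_punct).strip()


def store_answer(answer: str, salt: bytes) -> bytes:
    """Hash the normalized answer the way a password would be hashed
    (salted PBKDF2) rather than keeping it in clear text."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )


def verify_answer(stored: bytes, salt: bytes, supplied: str) -> bool:
    """Constant-time comparison of the stored hash against the supplied answer."""
    return hmac.compare_digest(stored, store_answer(supplied, salt))


def guesses_to_cover(distribution: dict, target: float) -> int:
    """How many of the most common answers, tried in order, an attacker
    needs before the cumulative probability of a hit reaches `target`.
    The 'other' bucket (long tail) is excluded; -1 if unreachable."""
    ranked = sorted(
        ((a, p) for a, p in distribution.items() if a != "other"),
        key=lambda kv: kv[1],
        reverse=True,
    )
    total = 0.0
    for n, (_answer, p) in enumerate(ranked, start=1):
        total += p
        if total >= target:
            return n
    return -1


def uniform_guesses_to_cover(alphabet_size: int, length: int, target: float) -> int:
    """The same question for a uniformly random password of the given
    alphabet and length, for comparison with the question answers."""
    return math.ceil(target * alphabet_size ** length)


if __name__ == "__main__":
    salt = b"example-salt-per-user"  # constructed; use a random per-user salt in practice
    stored = store_answer("Farmer", salt)
    print("matches 'farmer  ':", verify_answer(stored, salt, "farmer  "))
    print("'Springfield, Illinois' ->", normalize_answer("Springfield, Illinois"))
    print("guesses to cover half of users (occupation):",
          guesses_to_cover(OCCUPATION_ANSWERS, 0.5))
    print("guesses to cover half of 8-char mixed-case alphanumeric passwords:",
          uniform_guesses_to_cover(62, 8, 0.5))
```

Normalization cures the "City" versus "City, State" mismatch but also shrinks an already small answer space, and a reset flow usually permits a handful of attempts per account; with the constructed distribution, five guesses at "Grandfather's occupation?" cover half of the user base, against roughly 10^14 guesses for half of the 8-character mixed-case alphanumeric passwords the strength widget rates Strong. Treating the answer like a password (normalized, salted, hashed, compared in constant time) limits what a database leak exposes but does nothing about how guessable the answer is in the first place.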