
Simon Willison’s Weblog

Yahoo could also have followed Gmail’s lead, and disabled the security-question mechanism unless no logged-in user had accessed the account for five days. This clever trick prevents password “recovery” when there is evidence that somebody who knows the password is actively using the account.

Ed Felten

4 comments

  1. So when someone guesses my badly-chosen password, logs in and changes it, I have to wait until they've left my account alone for 5 days before I can recover/reset "my" password with the security question I set up specifically for that purpose?

    Schmoo - 23rd September 2008 00:24

  2. @Schmoo: The security question isn't usually meant to be used as a "hacker recovery" device. That sort of problem is more properly handled by contacting the service directly, I'd think.

    Personally, I wish that services implemented the option of disabling the security question entirely, instead of having to fill it with random strings to try to make it extremely un-enabled. But this sort of "waiting period" measure would decrease my worry about the insecurity slightly.

    Anon - 23rd September 2008 03:47

  3. @Anon: I know, but have you ever tried to contact the service for this kind of thing? "Meant to" doesn't come into it :)

    Schmoo - 23rd September 2008 09:53

  4. So if I forget my password I can't get my mail for *five days*???

    Bob - 23rd September 2008 11:23
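The rule Felten describes, as an added example that is not part of the original post and not Gmail's or Yahoo's own code: a security-question recovery attempt is refused while there is evidence of recent logged-in use of the account. The five-day window comes from the quote; the event format, function names and the sample scenario are this example's own assumptions. Run over a constructed timeline it also shows the trade-off the comments raise: while someone who knows the password keeps using the account, the owner's own recovery attempts are refused, and they succeed only once the account has sat idle for the full window.

```python
from datetime import datetime, timedelta, timezone

# Five-day window taken from the quoted description; everything else here
# (event shape, function names, scenario) is an assumption of this example.
INACTIVITY_WINDOW = timedelta(days=5)


def security_question_allowed(recovery_time, access_times, window=INACTIVITY_WINDOW):
    """True only if no logged-in access touched the account within `window`
    before the recovery attempt. Accesses after the attempt are ignored."""
    prior = [t for t in access_times if t <= recovery_time]
    if not prior:
        return True  # never used while logged in: no active user to protect
    idle_for = recovery_time - max(prior)
    return idle_for >= window


def evaluate_recovery_attempts(events, window=INACTIVITY_WINDOW):
    """events: iterable of (timestamp, kind), kind being 'access' for any
    logged-in use of the account or 'recovery' for a security-question attempt.
    Returns [(timestamp, allowed)] for each recovery attempt, in time order."""
    accesses = []
    decisions = []
    for ts, kind in sorted(events):
        if ts.tzinfo is None:
            raise ValueError("use timezone-aware timestamps")
        if kind == "access":
            accesses.append(ts)
        elif kind == "recovery":
            decisions.append((ts, security_question_allowed(ts, accesses, window)))
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return decisions


T0 = datetime(2008, 9, 20, tzinfo=timezone.utc)


def day(n):
    return T0 + timedelta(days=n)


# Constructed scenario: someone who knows the password uses the account on
# days 0 to 3; the real owner tries the security question on days 2, 7 and 9.
SAMPLE_EVENTS = [
    (day(0), "access"), (day(1), "access"), (day(2), "access"), (day(3), "access"),
    (day(2) + timedelta(hours=6), "recovery"),  # refused: used 6 hours ago
    (day(7), "recovery"),                       # refused: idle only 4 days
    (day(9), "recovery"),                       # allowed: idle 6 days
]

if __name__ == "__main__":
    for ts, allowed in evaluate_recovery_attempts(SAMPLE_EVENTS):
        print(ts.date(), "allowed" if allowed else "refused")
```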
