Archive for February, 2008

Website (in)security

Sunday, February 10th, 2008

Many websites these days have the option to register, which in turn gives you access to additional features. The average Internet user is obviously going to either use the same password on most websites (hopefully they would avoid that on their online banking at least) or they will start forgetting passwords. To deal with this problem, many websites offer a password recovery option of some kind.

Quite a few sites ask you for a “memorable question”, allowing you to select one of, say, five. These are usually questions like “What is your favourite colour?”, “What was your favourite subject at school?” or “What was your first school’s name?”. They rarely offer an option of “I don’t believe in silly security questions.”

Unless I happen to have a sophisticated taste in colours, it’s probably not too difficult to find the answer to the above question with a few guesses (probably even fewer if you profile me a bit). Even with the slightly more personal ones, this information is often in the public domain, particularly with the trend in social networking. These types of decisions by website developers make it pointless for me to use a ‘strong’ password since it is too easy to bypass.
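To put a number on the “few guesses” point, here is an added example (not from the original post) that models a memorable-question reset path as a guessing game: it takes a constructed, illustrative answer distribution for the favourite-colour question, computes its min-entropy and the chance a best-first guesser succeeds within the attempts a lockout policy allows, and compares that with the min-entropy of a random password. The percentages and the 10-character password are assumptions for illustration, not survey data.

```python
import math

# Constructed, illustrative distribution for "What is your favourite colour?"
# expressed in whole percent. The remaining mass is spread over many rare answers.
COLOUR_ANSWERS = {
    "blue": 35, "green": 15, "red": 14, "purple": 10,
    "black": 8, "pink": 6, "orange": 4, "yellow": 4,
}


def min_entropy_bits(dist):
    """Min-entropy (bits): strength against a guesser who tries the most
    likely answer first. This, not Shannon entropy, bounds one-shot guessing."""
    top_share = max(dist.values()) / 100
    return -math.log2(top_share)


def success_within_guesses(dist, attempts_allowed):
    """Probability that a best-first guesser succeeds before a lockout policy
    that permits `attempts_allowed` tries on the recovery question."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts_allowed]) / 100


def guesses_for_probability(dist, target):
    """Fewest best-first guesses needed to reach `target` success probability.
    Returns None if the listed answers never reach it."""
    cumulative = 0
    for rank, share in enumerate(sorted(dist.values(), reverse=True), start=1):
        cumulative += share
        if cumulative >= target * 100:
            return rank
    return None


def password_min_entropy_bits(length, alphabet_size):
    """Min-entropy of a uniformly random password (assumed 10 chars, 62 symbols)."""
    return length * math.log2(alphabet_size)


def effective_account_bits(password_bits, recovery_bits):
    """An account is only as strong as its weakest reset path."""
    return min(password_bits, recovery_bits)


if __name__ == "__main__":
    q_bits = min_entropy_bits(COLOUR_ANSWERS)
    pw_bits = password_min_entropy_bits(10, 62)
    print(f"question min-entropy: {q_bits:.2f} bits, password: {pw_bits:.2f} bits")
    print(f"success within 3 tries: {success_within_guesses(COLOUR_ANSWERS, 3):.0%}")
    print(f"effective account strength: {effective_account_bits(pw_bits, q_bits):.2f} bits")
```

Even with a three-attempt lockout on the recovery form, the modelled question falls in most cases, and the account's effective strength is the question's roughly 1.5 bits rather than the password's roughly 60.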

There has recently been quite a bit of discussion about a distributed single sign-on solution called OpenID, which is supported by AOL, Google, Microsoft, Verisign and Yahoo among others. This might help to solve such problems by having a central system which requires multi-stakeholder input to iron out security weaknesses in the first place.