Schneier on Security
A blog covering security and security technology.
« The Two Classes of Airport Contraband |
| $20M Cameras at New York's Freedom Tower are Pretty Sophisticated »
September 24, 2008
Sarah Palin's E-Mail
People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with "secret questions" back in 2005:
The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.
The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.
EDITED TO ADD (9/25): Ed Felten on the issue.
Posted on September 24, 2008 at 4:01 PM
• 61 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I've said it before, sloppy thinking is the answer. At one point I accidentally used my childhood best friends' first pets' name rather than my own first pets' name. The chances of anyone guessing that are very very very slim indeed. Now giving wrong answers to *some* of the security questions is part and parcel of my strategy. I also use long passphrases that include acronymns, misspellings, and random characters.
This is only true in automated secret questions. I find secret questions highly effective for authenticating only in person or over the phone whereby brute-force and dictionary attacks are thwarted. For instance, a bank must somehow authenticate the customer who forgot an online password. If the customer refuses to give their SSN, a secret question "in-person" is a worthwhile alternative.
Unless your friend's pet's name was something like "MrwJo&8\5cI8" that question is still vastly easier to guess than an actual password. Get a database of pet names, and start trying them out on accounts. It can be automated, and throttled to avoid raising suspicion, and then you wake up one fine day and your account has been cracked.
Fortunately, this type of security problem can be solved by the end user. You just have to have a program like password safe, keep a record of your secret question answers, and make the answers random sets of characters unrelated to the questions:
What city were you born in?
I've had several sites (credit card sites to boot) that I had been using for years suddenly insist that I specify answers to continue using the site. Grrr.
I'm always nervous about security questions because I'm not sure I'll answer consistently (some of the questions do not necessarily have the same answer throughout one's life). Did I spell out Indiana in the city of birth (terrible question)? Did I misspell my preschool name with the cute mispronunciation I used at the time? Did I spell out the and or use an '&'? etc. I'm happy with the password, thanks.
Secret questions are better when you can use your own question instead of one of their canned examples.
This still relies on end-users to not be dumb, but it gives them another chance to protect themselves.
Also, on the list of 30 most popular pet names, of the 9 cats and 5 dogs I've had in my life (that I was able to have an influence on the naming of), only 1 of their names shows up on the list. If you add the other 1 cat and 2 dogs named strictly by my parents, the number jumps to 2.
I often use one of my pet's names in the "what was your favorite pet's name?" question because it isn't a very common name.
I've gotten to where I treat the secret questions as passwords themselves. I use the same techniques to prevent attacks. And I write them down in a book at home so I can remember the secrets.
This book is the same book I store my passwords in, so in reality I haven't gained anything. If I lose the book I lose everything. I'll never remember the answer to my questions because it has no relevance to the question itself.
I guess a program like password safe might help, but I've found the simplicity of writing it down in a safe place to be the best option.
For throw away accounts I just enter random stuff that I'll never remember. If I forget the password I'm hosed, but at least a hacker won't be able to grab my account either.
I've heard it reported that Google adds an additional factor that notably improves the use of the security questions.
You are only allowed to use the password reset function if the account has been idle for five days. The support team cannot waive the waiting period. This makes it almost impossible to use the reset function on an account that is actively in use.
Maybe we should have a secret Jeopardy. Instead of having to fill in the answer, we are given an answer and we fill-in the question :-)
This would be much harder to guess. It is a kind of a one way hash. The answer is the hash and the question is the original data.
I typically battle this by coming up with three or four secure passwords for each site, then I just put a random secure password in for my first pet or mothers maiden name. It's not easy to guess if it's a lie (and especially if it's not even the expected type of response)
What about the lapse in security of using Yahoo to conduct state business? If she had been using the Alaska state email server this type of attack would not have occurred.
This is probably an incredibly dumb question but; Bruce, if you could write a primer on password/account safety that every person had to read before using the internet, what would you tell them in terms of plain, practical advice?
Feel free to simply point at some other source where you feel you have already laid this out.
@Sleep Deprivation Ninja
I do pretty much the same. Generate random garbage, at least 20 characters (more if the password is longer), and fill it in for each secret question. As long as the entropy of the secret answers is equal to or greater than that of the password they are no less secure.
Of course, I use KeePass, and make regular backups of the database, so I don't really care about losing passwords.
I try to treat "secret questions" as just another opportunity to put in another password.
Unfortunately, companies love "Challenge Response Questions."
Ultimately companies that provide authentication for services want a way to "secure" customer's data but without hassling them. We've had potential customers tell us we need to allow for 3 character passwords.
My biggest gripe about CRQ is I believe fail the "Something you know" factor.
Quite a few people know the city I was born in. Suprisingly a number of my highschool friends know which highschool I attended. Everyone of my siblings knows what my mothers maiden name was.
While the random attacker may not have access to this information, a focused attack by someone passibly familiar with me, might better guess.
It boils down to something I believe you've touched on before: Security sucks for the end user.
As has been written on these pages many times, security must be judged by the context it inhabits. Yahoo mail is a free email service that allows casual communication between parties when one or more does not wish to pay for email. The level of security is determined by what Yahoo can provide for free. This security is good enough because the casual miscreant is not going to target some random account that likely contains nothing that is of interest to the worlds major newspapers or bloggers. Furthermore, if we apply the cost analysis where we multiply the likely hood of the event time the cost to repair the damage, we would find that the security budget to be infinitesimally low, about the price of a Yahoo mail account.
What happened here is not an issue of 'bad' security, but an issue of the rapid escalation of the value of information. Overnight Sarah Palin not only became a major and controversial celebrity, but one with something to hide. Upon allegations that she used private email for government business, the Yahoo account was no longer a random account of a casual users, but a specific target with valuable information. Yahoo security, which was not designed to protect government communications, simply was insufficient for the task. I do not think this means the Yahoo security model is flawed. It does not mean the automated resetting of password is not a reasonable compromise for a free email service. What it does mean it that it might not prudent to conduct privileged communications over free email channels that are optimized to minimize costs rather than maximize security.
Some of the security questions are pretty hard to guess if you were born in Atwood, Kansas and your mother's maiden name was Grobaryk. Not so hard if she was Mary Smith and you were born in New York City. And as mentioned above, even someone with an obscure name from a small town is vulnerable to an attack by an acquaintance or family member.
But fundamentally it comes down to the problem that we don't tend to have easily accessible but hard-to-fake primary identifiers, so even the most secure authentication protocols have to rely on much less secure ones. It's the same issue as with identification documents: completely unstandardized, easily-fabricated birth certificates can be used to get highly secure, trusted passports.
I've found that CRQ's mostly fail on the "Something *I* know" factor.
One of my cc's requires you to set up something like ten CRQ's, and occasionally makes you answer three of them.
I don't have a favorite movie. I don't have a favorite television show. I don't have a spouse, so he doesn't have a favorite color. And so on. Of course, the setup step is not optional when you encounter it, so you end up making up responses just to get past the dialog and do whatever it was you originally meant to do. The three-of-ten thing is well-intended, but because the questions are ill-chosen, they only reduce account security without actually adding any convenience.
Hm, maybe I'll crosspost this to customer service. Aaaand maybe they'll laugh at me.
I always use the same answer to all these secret questions.
Name of first pet: jesus
Your favorite movie: jesus
Spouse's favorite color: jesus
Of course, this is very secure: I'm an atheist.
Google lets you pick your own secret question, which seems vastly superior to a fixed set. I can pick questions only I could know the answer to. In fact, my "secret question" is actually three questions.
Secret Questions: legally, you might not have ANY expectation of privacy. 3rd parties to data services, national security letters, GRR, ISP and lawyers abuse discovery and everything they can. GRR.
Considering that email can be used against you in court, the mind wonders why people do not use private email services.
Other thing, when will the USA respect infrastructure? If you host servers for people, the feds, can be a major hassle, screws up incentives. We all pay for this.
Should be if not password + certificate, then no access. Everything in the USA is a joke.
that is exactly why my secret questions have never anything to do with the answer.
the answer has never anything to do with answer in my case. just need to know what questions answers what and how is the question exactly aNw$sw3rin! that question (with all the keybaord, with all the logic you want).
If you can supposedly make your porn star name with the first street you lived on combined with your first pets name, and it comes out completely predictable; I don't think it's possible for it to be secure.
I think a more important issue is the chain of trust. How many online 'accounts' trusted Sarah Palin's Yahoo! email account? Could the attacker have found out what purchases she'd made? Movies she'd rented? Or, heaven forbid, gotten access to official government information?
The fact that she picked gov.sarah and gov.palin as private identities leads me to believe that she doesn't have a clear understanding of the seperation of official and private. I would not be surprised if she used the same password, or similar, between her private and professional personae.
Like the other commenters above, I use PasswordSafe with garbage answers for my secret questions. But I try to have some fun, in the off chance that a real customer service rep takes a call from me some day. What high school did you attend? Central Wisconsin Prison. Where were you born? Back seat of a NYC cab. That should be good for a laugh.
"Some of the security questions are pretty hard to guess if you were born in Atwood, Kansas and your mother's maiden name was Grobaryk." -- ColoZ
And even that fails if you're a public figure. If I want to know Sarah Palin's place of birth and mother's maiden name, I have to look no further than the first sentence of the biography section in her Wikipedia entry:
"Palin was born in Sandpoint, Idaho, the third of four children of Sarah Heath (née Sheeran), a school secretary, and Charles R. Heath, a science teacher and track coach."
"Bruce, if you could write a primer on password/account safety that every person had to read before using the internet, what would you tell them in terms of plain, practical advice?"
If I remember correctly Bruce wrote an article on it and has posted a link a number of times in the past.
But not just Bruce many others as well.
And when you have read them you will come away thinking the same thing.
THE PROBLEM WITH PASSWORDS IS HUMANS.
Basicaly the avarage human cannot easily remember a "trully random" string of charecters of sufficient length to be secure.
Therefore a method has to be picked whereby they can remember a "pesudo random" string of charecters that is sufficiently long to meet the security requirments...
And yes it's a hard problem, in evolutionary terms reading and writing are very much new tricks to the old dog and our brains are not best suited to it.
What amazes me is that humans are way better at other things such as remembering the faces and voices of friends, places, which is why we love pictures and music etc.
These abilities had to be very strong in humans from very early on in our evolution (as our sense of smell is no good) and therefor we are way way better at it.
In an interconnected world that increasingly uses graphics and sound as a norm isn't it time we ditched alphanumeric passwords and found a solution better suited to humans in general (and no I do not mean biometrics).
And yes I'm aware that whatever you do will disadvantage one or more groups of disadvantaged people, so more than one method should be available.
For argument, having the option of pictures or sound would cover the majority of current Internet users.
The thing is there have actually been prototype systems developed by students and others that are "provably" better than passwords and pass phrases.
But they all tend to have costs such as storage or bandwidth which has been used as an excuse not to use them in the past and currently.
So for give me if I conclude the second biggest proplem with passwords and phrases is that they have become embedded to firmly in system designers heads and they love them like a favourate itch.
@ Roger Moore,
"... and Charles R. Heath, a science teacher and track coach."
Surely this must be false information ;)
As a person not native to the U.S. I have been lead to belive by those working for Rupert Murdoch and Ted Turner that it was not possible to be both a "jock" and a "nerd" in a U.S. accademic institution.
The person discribed obviously cannot fit their Republican mold. After all I had been led to belive that "a good Republican body was riddled with phlebitis" 8)
High School coaches are often not jocks. They are just teachers that want to earn some more money. They might not even know a lot about the sport they are coaching.
High School sciece teachers are often not nerds. They are just teachers who got stuck teaching science class. They might not even know a lot about the science they are teaching.
I forget my password, the secret question can verify my identity but some time I forget the answer of the question. ah, it is too sad.
I named my cat Felix');DROP TABLE users;--
This might entice some to think twice about their security ;)
(courtesy of http://xkcd.com/327/)
"What about the lapse in security of using Yahoo to conduct state business? If she had been using the Alaska state email server this type of attack would not have occurred."
That wasn't a lapse in security. She deliberately used Yahoo in an effort to get around open government laws.
Some old Epic Fails in Security, but the "Multi-Factor Authentication Enrollment" seems apt.
Using insecure email and other data practices by politicians is irresponsible. Too easy to hack to influence or manipulate everything. Nothing like 1 0 puppet masters.
I guess the next excuse is, my computer/account was hacked and I was mislead.
Until USA respects computer security, (that is also you private corporations, FBI, NSA, etc) we are stuck with irresponsible data and decision handling. Sure fits everything of the 2000+ political environment. Abuse of information, makes a unstable world with boarders, and dangerously gamed. Financial crisis sure fits the boot.
1 Trillion for military spending, not a penny for sound policy or even the chance of secure computing.
A world run on data and information, with no accountability as a postive.
I guess the copyright police will make us secure our computers to protect ourselves from them! A nation of incentives, wow! Perhaps congress will solve this problem and solution as well!
Micro$ofting: historical definition: soft insurgent pervasive, insidious evil. Found during the power grabs of the 2000-2008 era, almost resulted in the destruction of the USA and maybe the world. Leadership motto: 'Their first mistake was to trust us.' Other perspectives: WWII, and appeasement.
I get so annoyed at having to provide these security questions (which reduce my security) that when I went to sign up to receive my electric bills online, I put "Do not allow access with a security question! awefoawefmawefomawe", or something to that effect, as my security answer.
Wouldn't you know it, the next week, I forgot my password..! :). Luckily, I was spared the embarrassment of calling their support line. When I didn't pay my electric bill for that month (being unable to view it), and they automatically assumed that I'd been locked out and switched me back to paper statements.. :).
I will curse XKCD forever for publishing that cartoon.
"High School coaches are often not jocks"
I had assumed that and was joking about the portrail of U.S. life by various film4TV and movie companies. Owned by the two Republican supporting media barrons Rupert Murdoch and Ted Turner. One of whom is considered by many in the U.K. And other parts of the world to be about as close to the Spawn of the Devil as it's posible to get whilst still breathing...
bruce, i usually answer my backup security questions (like mother's maiden name, favorite president, etc), with randomly generated meaningless passwords, and record the answers. i think this is a good solution to the problem.
I think rcox hit the nail right between the eyes, as they say. Yeah, yahoo secret question challenges are fundamentally insecure. But that's not the point. The point is to provide a system where users of a free email service don't clog up the costly tech-support people's time with password resets.
Personally, I do the same thing everybody else talks about: I use strange answers to the secret questions that nobody else could possibly guess. I remember what kinds of questions I use and what answers I use for them, so the repetition is a bit problematic, but I assume that as a low-priority target I'm not likely to be singled out for a concentrated attack. If they want my gmail that badly, they can have it.
But this illustrates the other side of why government officials should conduct their email business on government servers. Not only do we need to archive them for future review, but we can probably assume they're better about security there.
Note that the example of pet's name was just a general example, not the actual question in the incident I described. Though even if it were, my friends family had naming habits that made Frank Zappa look normal. I doubt any pets name database includes things like "Buonapieste D. Mayonnaise the Thirds". Also note that this is not the entirety of my securitization strategy, nor even a critical piece. It's just the most entertaining.
"What about the lapse in security of using Yahoo to conduct state business? If she had been using the Alaska state email server this type of attack would not have occurred. "
This is the real issue that seems to be falling under little or no scrutiny. Using Yahoo for official business to consciously avoid public disclosure laws. This tactic is used by the current White House (they used RNC mail systems instead of White House systems that are monitored).
You are right, but you also have to remember, this wasn't a mistake, it was a deliberate move to avoid oversight.
The fact that someone guessed her reset question, how or why he did it, etc seems trivial by comparison to the reason why she was using Yahoo in the first place.
//I've heard it reported that Google adds an additional factor that notably improves the use of the security questions.
You are only allowed to use the password reset function if the account has been idle for five days. The support team cannot waive the waiting period. This makes it almost impossible to use the reset function on an account that is actively in use.//
That is incredibly stupid. I use an automated password manager to log into many webforms, including gMail, so it would be easy for me to accidentally lose my password through a computer failure. Making me wait a week to access my account through a password reset is insane.
"That wasn't a lapse in security. She deliberately used Yahoo in an effort to get around open government laws."
So that would make it a lapse in judgement.
Yahoo! has a huge problem here. I can log into my yahoo account, but I can't disable or change the secret question.
This is seriously seriously bad. Even if someone wants to plug this security hole, Yahoo won't let them.
WTF is *wrong* with these people?
"... a lapse in judgement"
Only if she did not expect to be part of the ruling class that has made itself immune from the consequences of lies, corruption, even treason. If she expects to be pardoned for whatever she does, then she made an appropriate choice. Given the last two elections, a hand-packed SCOTUS, and Scooter Libby's pardon, that's a reasonable expectation.
Moving (along the line) from politics to actually germane security issues, what effect do you think Sarbanes/Oxley really had on data-retention and security in the U.S? I suspect that it probably had this sort of effect: documents that are needed for the conduct of business are kept on insecure "shadow" servers, and difficult for folks who need them to access. Not that the C-level folks care, as long as they can't actually be convicted of fraud.
BTW: none of my first several pets _had_ names. Designators like "the turtle" and "the frogs" or pointing a finger had to suffice. :-)
The thing that strikes me is that these secret questions are -exactly- like the hacking scenes you used to see in movies, where the assailant uses their knowledge of the victim to try to guess the password to open their super-secret files.
Is it their eldest's birthday? Their first dog? Their lover's name? The year they graduated from college?
Only now you know exactly which piece of information they used.
The "Favorite" questions always are a pain, as with time my tastes have changed. I'm left asking myself... "When did I create this account?" and sometimes "Did I give the answer in English or Japanese-Romanji?"
The entire situation is pretty bad. You don't know how insecure something is until you breach it. When you do breach it, you get an adrenaline rush which just isn't conducive to making wise decisions. It's pit trap for the inexperienced. I feel sorry for the hacker, this is going to have real consequences, there are a lot of people out for blood who aren't going to be interested in taking his inexperience into consideration. Not to mention that an excessive prosecution will have negative effects on those coming up in the community. Those coming up will be left asking "Why should I be white-hat if when I make a mistake they will throw the book at me? If I embrace the dark, it's so much safer [because of all the unethical ways I can cover my tracks]." They will see the moral of this story as "Use better proxies" and "Post it with a dedicated nickname". The moral they should be taking away is "Think about what you are doing and the consequences at ever step of the way, don't get carried away. Take your time, think ahead."
I find it funny with the DOJ's position on email retention and privacy. They eroded the privacy guidelines (by changing the interpretation) so businesses could read their employees emails. Now those prosecutorial guidelines are going to bite them in the butt.
If you want to communicate with readers of this blog, try hitting return twice between paragraphs. It only takes a second and it will make your comments much easier to read.
It would also help if you took the time to organize your thoughts and write clear, focused sentences. It's often hard to work out what your point is, and I suspect that many people are not bothering.
Also, please pick a name and stick to it. Thank you.
I approve your saying on the random password for a chosen question but this means that you need to travel with your passwordSafe tool (which is a great and fabulous tool - thanks for that).
Best secure answer is an answer that do not mach with the question. But what do you think about an answer that is generated by the question with a personal seed.
Say that the question is: "What city were you born in?". choose a personal word or sentence "my secret word" and the answer of that question could be:
length(question) mod length(word) = result
28 mod 14 = 0
the answer woud be 28mod14=0
The hacker needs to now that the chosen answer does not correctly answer the question, he has to know the function and constants.
Unfortunately, while that is unlikely to be "cracked" by a human being trying to guess your response, answers like that are trivial to brute-force. Most such interfaces don't give penalties for wrong guesses, and it is possible for a scripted attack to make hundreds of trials per second. Over the course of a week or so, that amounts to hundreds of millions of trials. A two digit number will probably be guessed by the attack script within the first few seconds.
A secondary issue is that if you can memorise your 14 character "secret word", why can't you memorise your password? Certainly, we can come up with schemes where the recovery question is MACed with your secret word using a pencil-and-paper cipher. That could be secure; but it is also far more complicated than just memorising a strong password in the first place.
So we get back to the same problem we had before: anything that a human being can recall easily and without error, is usually trivial for a machine to guess UNLESS it is very carefully constructed to have a high ratio of entropy to mental effort.
@ Bruce: there is an """ (without the "" ;-) ) too much in the Ed Felten link.
About the actual topic:
I dont see why I should use this feature at all. If I have to type in my favorit color or pet name or whatever, I type:
I only use the primary PW and save it in KEEPASS-X, a passwordsafe.
I am sick of secondary security questions asking about my pet, city of birth, boyfriends, teachers, grandmother's maiden name, etc. The banks and ISPs already lose my standard security data to thieves or through carelessness. Why should I give them more? How many customer IDs did these guys lose through bad employees, carelessness, or idiot subcontractors? Bank of America, AOL, Bank of NY, VISA/MC, Internet Solutions/Internic, eBay, Amazon, 800flowers, etc. They should clean up their security and protect their customers so dozens of ?s are not needed.
To complite my answer, the script attack won't work because it does not know the function and the constant. As I told before, the answer is "28mod14=0" not "0". The password (constant) "secret word" could be my "phone number" or digits. The function could be "(28-14)mod3=2" or even (28-14)*2=28"
OPM (Office of Personnel Management)
Has an electronic application process for national
background checks required for clearance.
They have what I think is a gold standard for
Golden Questions interface. The website is very
clean and will work in any crippled browser. When you create your account you only get
Golden Questions, IIRC. You get asked questions whether on not your account actually exists. When you complete the first step and setup your questions, you can choose any questions you like, and any answers. They give very good written guidance on how to write ones you can get right later. I found it possible to construct several questions I think I could still answer today that I think nobody else could. Because of the nature of the site. It is resonable to just prevent access if too many bad guesses are made for a given user. So
brute force is not really an issue.
Essentially, they avoided password reuse and password writing down.
They got a durable hard to forget information.
They got decent identity binding (with an OOB process to initiate not described here) ...
All in all I was impressed with the process.
(There were other things I liked about it as well)
So, Golden Questions have there uses when done right.
When the fail is when they:
1) leak information about an account existance
by not presenting questions.
2) Don't allow users to create questions or discourage users from creating good questions (mine were slighty personal, but not embarrassing either).
It was fundamentally the right system for that application, IMO.
Passwords aren't always the right way.
When done in a typical fashion, forgotten password Q&As are not simply backup passwords. At least not when used in a somewhat sensible fashion. Whether Yahoo does it this way is irrelevant as that just would indicate they don't use this very well at all.
A password can be entered by going to a web site and filling out the login page. This requires the knowledge of the userid and password typically.
You can do this with forgotten password Q&As typically. Instead, you first have to request the forgotten password function, and that function then sends an email to your email address with a unique link that allows you to enter attempt the forgotten password Q&A.
So before you can break the Q&A, you have to already have hijacked the user's email account. If you've hijacked the email account, then yes, you can likely get through this, but then again, only if you can guess the correct answer, easier or not.
Like password systems, most will not allow you to attempt any number of them. Most systems will lock you out of guessing passwords so you can't just try them indefinitely. The same goes for the forgotten Q&A -- there would have to be limits on the number of guesses before a manual reset would be required.
This is typical of those who build these with any hope of reliability. Anything less invites attacks, but guessing passwords is pretty much impossible when you only 3 attempts -- password cracking never is that easy.
Of course, if the value is bad and the guess is lucky it could happen.
With Palin, she can't even remember meeting with a head of state last year, so her password was probably wasn't chosen with any sophistication.
Did she not undoubtedly violate the state's information security policy by using an unofficial email server for state business?
> the answer is "28mod14=0" not "0"
Sorry, I misunderstood you. However, it doesn't make much difference. If the attacker knows the basic scheme you used (and he does know, because you just published it on a blog), then the only blank to fill in is the 14. All the rest of the information is either a given, or trivially derived from it. So it is no harder to guess than just guessing two digit numbers.
Of course as you also suggest, you can use a variety of binary functions instead of just mod. However, there aren't that many simple ones to choose from; this maybe makes it 20 times harder to brute force, which still isn't very much.
You could, ultimately, come up with a really cryptic function (perhaps even a MAC, which is what you're actually trying to do here!), but we fall back down to really secure schemes being no easier to recall than good passwords.
Completely removing the secret question part and only having password reset via e-mail would have been a better choice here as the risk is comparatively low for the latter. User's should always have a fallback e-mail address that only few people or nobody know about.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.