From time to time, someone points out that the security of most ID/password-based website logins actually depends on the (quite unrelated) security of the user’s primary email account… in the sense that that is where most password reset confirmation messages get sent.
In fact, it’s worth assessing just how many sites you could be locked out of if, say, you could no longer access the email account(s) you specified when you registered with them.
I see the folks at Facebook have thought that problem through, though: one of the options Facebook offers is to recover access to your account if (i) your Facebook password has been lost or compromised, and (ii) the email account you registered with has also been hacked.
Under that unhappy combination of circumstances, you will be relieved to know that all is not lost… you can ask for your password reset confirmation to be sent to a completely new email address. To do this, you will need to know:
- the email address you originally registered;
- your full name on the Facebook account;
- your date of birth;
- the URL of your hacked profile.
It doesn’t take much research to conclude that those four pieces of corroborating data are freely published by quite a lot of users, either elsewhere or on their Facebook profile itself, and that this procedure is therefore also open to anyone sufficiently motivated to hijack your Facebook account. Data that is public cannot serve as a secret, however many items of it you ask for.
Perhaps this is the design you end up with, if you start from the premise that “privacy is no longer the social norm”.