Microsoft study shows ’secret question’ password recovery is weak

Written by Dan Blacharski on July 1, 2009

During the 2008 US Presidential election, when Sarah Palin’s Yahoo! email account got hacked, two things became apparent: First, don’t use free public email accounts for business, and second, be wary of the “secret question” password recovery tool. The latter is what let the intruder into Gov. Palin’s account: the “secret” answers were the kind of personal details a few minutes of searching can turn up.

Microsoft Research released a report this week showing just how weak the secret question gambit really is. Sure, helpdesk password resets cost time, but letting end-users reset passwords on their own this way is a bad trade. The study, which was reported on in New Scientist, found that the answers to secret questions are often easily guessed. Researchers recruited webmail users’ acquaintances and asked them to guess the answers to the questions protecting the webmail user’s account. The acquaintances guessed right about 20 percent of the time.

But you don’t have to know the person to make a good guess. Social networking sites are full of exactly the personal tidbits these questions ask for. What’s your dog’s name? Chances are, if you’re a dog lover, you’ve posted a few pictures of your pooch here and there and mentioned the lovable mutt’s name a couple of times on your blog, Twitter, or social networking page. It’s easy to find. What was the name of your high school? That’s an easy one to discover, too. Ever hear of Classmates.com?

The Microsoft study recommends an alternative to the secret question: the user picks several individuals in advance to act as trustees. If the user gets locked out, each trustee logs in to their own account and downloads a recovery code on the user’s behalf. The user collects the codes from the trustees and presents them to regain access, so the recovery rests on people the user actually knows rather than on facts anyone can look up.
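To make the trustee flow concrete, here is an added example (my own constructed code, not Microsoft’s or the article’s) of the server-side bookkeeping for such a scheme. The article only says "multiple individuals", so the numbers are my assumptions: four trustees are named, and codes from any three distinct trustees unlock the account, which means no single trustee, and no single stolen code, can recover it alone. The class and function names, the 24-hour code lifetime and the wrong-code limit are likewise assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Policy values assumed for this example (the article only says "multiple
# individuals"): the user names four trustees and any three of them must each
# hand over a fresh code before the account unlocks.
TRUSTEE_COUNT = 4
THRESHOLD = 3
CODE_TTL_SECONDS = 24 * 3600   # assumed: codes are void after a day
MAX_WRONG_CODES = 10           # assumed: abort the attempt if someone is guessing


@dataclass
class Account:
    username: str
    trustees: list
    issued: dict = field(default_factory=dict)   # trustee -> HMAC of their code
    issued_at: float = 0.0
    presented: set = field(default_factory=set)  # trustees whose code was accepted
    wrong: int = 0


class TrusteeRecovery:
    """Server-side model of trustee-based account recovery (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now                            # injectable clock, for testing expiry
        self._accounts = {}
        self._key = secrets.token_bytes(32)        # server-side pepper for code hashes

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def register(self, username, trustees):
        trustees = list(dict.fromkeys(trustees))   # drop duplicates, keep order
        if len(trustees) != TRUSTEE_COUNT or username in trustees:
            raise ValueError("need %d distinct trustees other than the user" % TRUSTEE_COUNT)
        self._accounts[username] = Account(username, trustees)

    def replace_trustee(self, username, old, new):
        """Swap out a trustee the user no longer trusts; any recovery in flight is voided."""
        acct = self._accounts[username]
        if old not in acct.trustees or new in acct.trustees or new == username:
            raise ValueError("bad trustee change")
        acct.trustees[acct.trustees.index(old)] = new
        self._reset(acct)

    def begin_recovery(self, username):
        """Mint one fresh code per trustee. In the real flow each trustee logs in
        and downloads only their own code; returning the dict here stands in for
        that. The server keeps only HMACs, so a database leak reveals no codes."""
        acct = self._accounts[username]
        codes = {t: secrets.token_hex(8) for t in acct.trustees}
        self._reset(acct)
        acct.issued = {t: self._digest(c) for t, c in codes.items()}
        acct.issued_at = self._now()
        return codes

    def present_code(self, username, code):
        """The locked-out user enters a code collected from a trustee.
        Returns (unlocked, number of distinct trustees accepted so far)."""
        acct = self._accounts[username]
        if not acct.issued or self._now() - acct.issued_at > CODE_TTL_SECONDS:
            self._reset(acct)                      # nothing issued, or codes expired
            return False, 0
        digest = self._digest(code)
        matched = None
        for trustee, expected in acct.issued.items():
            if hmac.compare_digest(digest, expected):   # constant-time compare
                matched = trustee
        if matched is None:
            acct.wrong += 1
            if acct.wrong >= MAX_WRONG_CODES:
                self._reset(acct)                  # looks like guessing: void the attempt
                return False, 0
            return False, len(acct.presented)
        acct.presented.add(matched)                # a set: one vote per trustee, however many times
        count = len(acct.presented)
        if count >= THRESHOLD:
            self._reset(acct)                      # codes are single-use
            return True, count
        return False, count

    @staticmethod
    def _reset(acct):
        acct.issued, acct.issued_at, acct.presented, acct.wrong = {}, 0.0, set(), 0


if __name__ == "__main__":
    svc = TrusteeRecovery()
    svc.register("alice", ["bob", "carol", "dave", "erin"])
    codes = svc.begin_recovery("alice")            # stands in for trustees handing codes over
    for trustee in ("bob", "bob", "carol", "dave"):
        print(trustee, svc.present_code("alice", codes[trustee]))
```

Two design points worth noting: the server never stores a usable code (only a keyed hash), and a trustee presenting their code twice still counts as one trustee, so collecting THRESHOLD distinct people is the only way in. The `replace_trustee` method covers the case where the user stops trusting someone: the old trustee is dropped and any half-finished recovery is discarded.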


One Comment to “Microsoft study shows ’secret question’ password recovery is weak”

  1. Mark Cilia Vincenti Says:

    What happens when you no longer trust the trustee? Perhaps it was your trustee that compromised your account, as a joke or as a result of a fight…
