Good read and it's true too. With all these useful reconnaissance tools out today like Maltego, all attackers have to do now days is do some information gathering then own your e-mail accounts. This definitely sounds like the way I'd go depending on the computer literacy of the user I'd be attacking. Of course there's always other ways of getting passwords like phishing, but if a user knows their shit on creating passwords this is the thing to do. Personally besides Maltego, I've found target MySpace Accounts that hold juicy personal information about the target and if people were to get there hands on it could be useful for going the 'Forgot My Password' route. Of course when going this way, Social Engineering will be useful too.

I see what you mean with the bank and using information when registering that is false but can be remembered by you, and highly agree. I'm just saying in the past, I've been able to retrieve the birthday, zip code, and the answer to peoples secret question, but then again they weren't exactly into security and even stated the high schools they attended, etc.

This is one of the oldest "hacks" around for personal email. I have used it myself on occasions when I was asked to test the security of personal emails.  I usually recommend false data to be used for your password reset.

I don't trust them, but my dog keeps digging up the mason jars I buried.  What can you do?

I tried resetting password of some random people that I found on google. And I have about 25% success rate(although I didn't actually reset their passwords, I just went upto the password reset page after answering the secret question and closed it).

Scary, isn't it?

I agree that some sort of multifactor is the fix, at least for the short term.

 the problem is how do you pay for all those keyfobs, business have money to do that or have a vested interest is protecting its customers from harm especially when that harm usually means losing business so they may give them to their users.

free email services make money from advertising, i doubt yahoo will be handing out keyfobs and i doubt the majority of yahoo's free email service users will be shelling out the money for them either.  so what are we to do?

As far as free email accounts are concerned, If you follow good password rules along with false password reset information you will be fine in most cases. Your main concern then will be keyloggers. Never check your email from a public computer, say for instance like one in a hotel lobby Someone I know just did and there was a keylogger installed that captured his email password which in turn allowed whoever it was to transfer a large amount of money from his Etrade account.  Your second concern would be checking your email from a free wifi hotspots where you might encounter fake login pages or session captures. Session captures with tools like ferret, etc...work ok in lab situations but are tricky  to do in the real world, at least in my experience and are still rare so I am not as worried about those at this time. However I am sure in time it will improve and become more popular.  I guess if we really want to get paranoid, we can worry about sniffers being placed at the ISP , which is not a bad reason to to encrypt actually.

I am sure everyone has read this about Sarah Palin on the Errata security site:
The "hacker" saw the e-mail address "gov.sarah@yahoo.com" appear in a Washington Post story about the Governor. He tried the password recovery tool and found the question. He googled for information about the answer. After a few tries like "high school" he finally got the right one, "Wasilla high".

 If you feel inclined to use a free email service, use Gmail. For instance while Yahoo will give up your secret question to anybody who asks for it, Gmail will only give out your secret question after 5 days of inactivity on the account. Not a huge security advantage but still little things can add up to frustrate some attackers.