When I first heard that Alaskan governor and Republican vice-presidential nominee Sarah Palin’s private Yahoo email account had been compromised, I was almost certain that the hack was made possible by the “Forgot Your Password” feature that’s present on almost every online log-in system.
As it turns out, I was right. Here’s how the alleged hacker claims to have accessed the account (sic):
“…after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screen[shots] that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…”
Let me explain what’s wrong with the “Forgot Your Password” mechanism.
Let’s say that you sign up for an online email account (doesn’t really matter which one you choose). Now one of the first things that you’ll have to do after choosing an alias is to pick a password.
If the email provider is sensible it will enforce some kind of minimum password/passphrase strength check to prevent you using blatantly stupid passwords such as “password” or “12345” (yep, people still use useless passwords like these – these are the kinds of computer users who should have their keyboards taken away from them!).
So, for the sake of argument let’s say that you pick quite a strong password, such as “X4thg%la3” which consists of upper and lowercase characters, digits, symbols, and is over eight characters long. You then make a note of the password somewhere safe (more on this in a moment).
The next stage in the registration process is to ask you for password recovery information. This is where your strong password becomes irrelevant, because if people know what your mother’s maiden name was, the name of your pet, your favorite color or how you met your spouse, it’s trivial to bypass your strong password by using this secondary information to gain access to your account.
It’s a bit like having a bank vault door fitted to your home to keep bad guys out, but leaving the window open in case you forget your keys.
So, how do you strengthen your online accounts and prevent your information from falling into the wrong hands? Here are some top tips:
1.) Use strong passwords! Strong, well thought out passwords are your first line of defense! Use eight characters or more, mixing uppercase and lowercase letters, digits and, if possible, symbols.
2.) Treat recovery information as a secondary set of passwords and not as an easy way into the account. So if you are asked for recovery information that is known to more people than just yourself (for example, the name of your pet or how you met your spouse), use strong passwords again as responses. So when I’m asked for my pet’s name, I might respond with “i8&rbl2W1.” No one is going to be able to guess that!
3.) Store all your passwords in a safe, secure location. I use a program called PasswordSafe which is free (open source), easy to use, secure, and allows you to make easy backups of the password database and even migrate the databases onto multiple systems. PasswordSafe will also generate secure passwords. Since you’ll have all your passwords stored safely (and backed up), you’ll never need to use the “Forgot Your Password” feature to get into your account.
4.) Update your passwords regularly. The more you use a password, the more likely it is that it could be compromised. A good schedule is every 6 – 12 months for low-importance passwords, and every 3 months or so for anything important.
5.) Don’t reuse passwords! That way, if one password is compromised, the damage is contained.
6.) Watch out for spyware! Scan your systems regularly for spyware and keyloggers with a good quality antivirus and antispyware program such as VIPRE.
7.) Be wary of public WiFi and terminals. A system that’s not under your control should be viewed with suspicion. Be mindful that keyloggers might exist on systems at internet cafes and make sure that you use HTTPS/SSL to login to important accounts over public WiFi.
8.) If you still want to use the “Forgot Your Password” features … then consider using information that very few people would know. Your favorite color or the name of your first pet might not be known to many people, but be careful that you don’t inadvertently post this information onto your Facebook profile, on MySpace or in a blog! Also, try to have a disconnect between your username and your real identity … so email@example.com is more anonymous than timothy_j_boyman@somethingorother.com.
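To make tip 2 concrete, here is an added example (not part of the original article) that generates an unrelated random answer for each recovery question and compares its guessing space with a two-candidate answer such as the zip code in the account above. The symbol set, the 12-character length and the sample questions are assumptions.

```python
import math
import secrets
import string

# Assumed symbol set; some sites restrict which symbols an answer may contain.
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def random_answer(length=12):
    """Return a random answer containing upper, lower, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to fit all four classes")
    while True:
        # Rejection sampling: draw uniformly, retry until every class appears.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in string.ascii_uppercase for c in candidate)
                and any(c in string.ascii_lowercase for c in candidate)
                and any(c in string.digits for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def guess_space_bits(candidates):
    """Bits of uncertainty when an attacker picks among N equally likely answers."""
    return math.log2(candidates)


def random_answer_bits(length=12):
    """Upper bound on bits for a uniformly random answer of this length."""
    return length * math.log2(len(ALPHABET))


def build_recovery_answers(questions, length=12):
    """Map each recovery question to its own unrelated random answer."""
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions of the kind discussed in the article.
    answers = build_recovery_answers(
        ["What is your pet's name?", "Where did you meet your spouse?"])
    for question, answer in answers.items():
        print(f"{question} -> {answer}")  # store these in the password manager
    print(f"zip code with 2 candidates: {guess_space_bits(2):.0f} bit")
    print(f"random 12-character answer: ~{random_answer_bits():.0f} bits")
```

Because the answers have nothing to do with the questions, they must be saved alongside the account's password in the password manager from tip 3.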
Stay secure, and keep your private information private!