Practice Good Online Password Security

As you may have read by now, someone recently broke into a Yahoo e-mail account belonging to Republican Vice Presidential candidate Sarah Palin, and posted pictures and several of the messages found there online. Could the same thing happen to you?

Perhaps, and it's worth paying attention to your possible exposure. The break-in occurred with surprising ease--there were no complex hacker tricks involved in getting into Governor Palin's e-mail account. Here's how it happened, why you should be somewhat concerned, and what you can do about it.

How security was compromised

Although Palin has an official e-mail address in her gubernatorial capacity, she also has at least one Yahoo address. Like any online service, Yahoo needs a way for its users to reset their passwords--preferably an automated solution that doesn't require (expensive) human involvement. With Yahoo, the way this is accomplished is by answering a previously designated "secret question" correctly. Once you've answered the secret question, Yahoo then allows you to reset your password using an online form. Once reset, you can then log in with the new password, and you're back in business. If you're a user who has forgotten your password, this is a nice time-saving feature. Unfortunately, for a hacker looking to get into someone else's account, it's also a great time-saving feature. (Note that this feature isn't particular to Yahoo; many online services offer identical password reset functions.)

So to get into the Yahoo e-mail account of Governor Palin, a hacker needed to know her account name, her secret question, and the answer to that secret question. While this seems like a very difficult thing to do, two things made the task much simpler. First, Yahoo has a defined list of only nine different secret questions--things like "Where did you meet your spouse?", "What is your favorite pastime?", and "What was your high school mascot?" But a hacker doesn't even have to know which secret question someone is using; they just need to know the account's e-mail address, and then access the password reset page--on that page, the secret question appears next to a box for the answer. With that knowledge in hand, the hacker could then go look for the answer to that question.

The second thing that made the task much simpler is that Sarah Palin is a public figure--there's a lot of information available about her, everything from Google searches to a Wikipedia page to her LinkedIn page. So just by browsing a variety of publicly available information sources, a hacker can probably come up with reasonable answers to most of the so-called secret questions.

Armed with Palin's account name, and a set of possible answers to the known secret question, the hacker then just had to call up the password reset page for that account and enter the answers he found. You can try up to 10 separate times before Yahoo locks you out of the password reset page for 24 hours. (You can still log in at this point, as long as you know your original password.) Once he found a match, the hacker would have reached the password reset box (as shown here)--note that Yahoo states that the identity has been verified, by way of answering the secret question.

With many other online services, a hacker would have reached a blockage point. When resetting your password on many services, the service will send a confirmation e-mail to an alternate e-mail account that you provide as part of the original sign-up process. If you don't take action on the confirmation e-mail, your password isn't reset. Although Yahoo asks for an alternate e-mail when you create a new account, when you use the forgotten password page no confirmation e-mail is sent--your password is immediately reset. (I confirmed this is still true as of today, with a newly-created Yahoo account. You do receive an e-mail after you've changed your password, but at that point, it's too late.)

Should you be worried?

If you use online services that require logins and have password-reset functions, this sort of attack should be of some concern to you--especially if you're heavily into social networking, and have fully-detailed pages on Facebook, LinkedIn, Flickr, and so on. If you fall into this category, you should test the password-reset feature on your online accounts. Ideally, they should offer the following features:

A large list of pre-defined questions, the answers to which can't easily be found in public places. Your high school's mascot, for instance, is a secret question whose answer could be found easily. More difficult would be something like the name of the doctor on your birth certificate, or your score on your SAT or ACT tests--basically, information that you'd know the answer to (or be able to find on documentation in your home), but that isn't likely to be publicly posted somewhere on the Internet.

The ability to define your own secret question. With the ability to create your own question and answer, you can ensure that the question you choose (and its corresponding answer) don't appear anywhere on the Internet. Google, for one, offers this as an option (in addition to a list of pre-defined questions).

A confirmation e-mail sent before the password reset is processed. Even if your online service doesn't offer the above two features, as long as it requires a confirmation click from an alternative e-mail address before resetting your password, you'll be fairly well protected. A couple of the services I use do exactly this, and I've received e-mail alerts that I've requested a password reset, even when I hadn't. There's a high comfort level knowing that the reset won't be processed unless I personally give the OK.
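As an added illustration of the confirmation-step design the last point describes (this is example code, not Yahoo's or the article's): a correct secret answer only triggers an e-mail to the alternate address, and the password changes only when the e-mailed token is presented back. The mailer, clock and in-memory user store are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # e-mailed reset tokens expire after 15 minutes
MAX_FAILED_ANSWERS = 5     # wrong secret answers before the reset page locks out

def _h(value):
    # Hash of a normalised answer: the stored answer is not kept in the clear.
    return hashlib.sha256(value.strip().lower().encode()).digest()

class ResetService:
    """Hypothetical reset flow: a correct secret answer only e-mails a token;
    the password changes only when that token comes back (confirm_reset)."""

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email   # assumed mailer: callable(alt_email, token)
        self.now = now                 # injectable clock so expiry can be tested
        self.users = {}     # username -> {answer_hash, alt_email, password, failures}
        self.pending = {}   # username -> (token_hash, expires_at)

    def register(self, username, password, answer, alt_email):
        # Password kept in the clear for brevity; a real service stores a password hash.
        self.users[username] = {"answer_hash": _h(answer), "alt_email": alt_email,
                                "password": password, "failures": 0}

    def answer_secret_question(self, username, answer):
        """Step 1: verify the answer, then e-mail a one-time token. Never resets."""
        user = self.users.get(username)
        if user is None or user["failures"] >= MAX_FAILED_ANSWERS:
            return False
        if not hmac.compare_digest(_h(answer), user["answer_hash"]):
            user["failures"] += 1
            return False
        token = secrets.token_urlsafe(32)
        self.pending[username] = (hashlib.sha256(token.encode()).digest(), self.now() + TOKEN_TTL)
        self.send_email(user["alt_email"], token)   # out-of-band confirmation
        return True

    def confirm_reset(self, username, token, new_password):
        """Step 2: only a valid, unexpired token changes the password (single use)."""
        token_hash, expires_at = self.pending.pop(username, (None, 0))
        if token_hash is None or self.now() > expires_at:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        self.users[username]["password"] = new_password
        return True
```

Guessing the secret answer alone never reaches the reset step, and a guessed or stale token is rejected and consumed, so the attack path the article describes is closed at the confirmation e-mail.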

How you can protect yourself

So what do you do if you find you rely on an online service that doesn't meet any of the above criteria? There are still things you can do to protect yourself. First, check the secret questions that the site provides, and compare them with the information you provide on Facebook and other online services. If, for instance, you're using the secret question "Where did you meet your spouse?", then you should obviously not have a story on Facebook about how you met your significant other at Manhattan Beach in Los Angeles during a volleyball tournament.

But what if you really want to share that piece of personal information with the world, and use it as your secret question? Or what if you're not sure about where that information may exist in the wide reach of the Internet, and you want to protect yourself in case it's floating around out there somewhere? In those cases, the safest thing to do is to use an unexpected answer to the question on your online service. So instead of using "Manhattan Beach" as the answer to our example question, use "he knows where we met" or "that place with the sun and sand and nets." If you pick something that's tied to the event, you'll be able to remember it (or can jot it down somewhere safe in case you don't), but it won't be discoverable on the Internet.

Finally, as with most things, a little common sense goes a long way to protecting yourself. While it may be tempting to share every aspect of your personal life with 25,000,000 strangers on your favorite online service, just remember that anyone can get an account there as well, and read everything you've put up for public consumption. Beyond simple theft of online accounts, sharing too much personal information can also help with impersonation and identity theft crimes. Share, certainly, but share with caution.
