What is your favorite color?
If this is true, it’s a perfect example of why most “secret question”-based password recovery schemes are worthless. Most of the questions are easily answered from public knowledge. And that’s how Governor Palin’s Yahoo account was hacked:
It took seriously 45 mins on Wikipedia and Google to find the info. Birthday? 15 seconds on Wikipedia. Zip code? Well, she had always been from Wasilla, and it only has 2 zip codes (thanks, online postal service!)
The second was somewhat harder; the question was “where did you meet your spouse?” Did some research, and apparently she had eloped with Mister Palin after college. If you’ll look on some of the screenshots that I took and other fellow anon have so graciously put on Photobucket, you will see the Google search for “palin eloped” or some such in one of the tabs.
I found out later through more research that they met at high school, so I did variations of that: high, high school, eventually hit on “Wasilla high.” I promptly changed the password to popcorn and took a cold shower…
This is Yahoo’s fault; it’s hard to blame them, though, since everyone does it. We do it at the university I work at. Even my bank does it. (And no, I didn’t answer them correctly. Please don’t hack my bank account.)
Yahoo and everyone else need to change their policies here.
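To make the argument above concrete, here is a short Python model, added as an illustration and not code from the original post or from Yahoo. It puts numbers on the three questions the quoted account mentions (the answer-space sizes are assumptions for the model, not measured data), shows how a per-account attempt limit is the only thing that bounds guessing once answers are that predictable, and contrasts the questions with a random out-of-band recovery token. The RecoveryGate class, the _norm helper and the sample answers are all constructed for the example.

```python
import math
import secrets
from dataclasses import dataclass


# Constructed, illustrative answer-space sizes for the three questions the post
# quotes. These are assumptions for the model, not measured figures: a public
# figure's birthday is one Wikipedia lookup, the post says Wasilla has two zip
# codes, and "where did you meet your spouse" is guessed from a short list of
# place-name variants.
ANSWER_SPACES = {
    "birthday": 1,
    "zip code": 2,
    "where did you meet your spouse": 20,
}


def answer_bits(space_size: int) -> float:
    """Entropy in bits of one answer drawn from space_size equally likely candidates."""
    return math.log2(space_size) if space_size > 0 else 0.0


def recovery_bits(spaces: dict[str, int]) -> float:
    """Total bits a guesser must supply across all questions, treating them as independent."""
    return sum(answer_bits(n) for n in spaces.values())


def worst_case_guesses(spaces: dict[str, int]) -> int:
    """Number of attempts needed to exhaust every combination of answers."""
    return math.prod(spaces.values())


def _norm(answer: str) -> bytes:
    """Case- and whitespace-insensitive canonical form, as bytes for constant-time comparison."""
    return answer.strip().lower().encode("utf-8")


@dataclass
class RecoveryGate:
    """Server side of a question-based recovery flow, hardened with a per-account
    attempt limit. With about 5 bits of answer entropy, this counter is the only
    thing standing between a guesser and the account: without it, forty tries
    exhaust every combination in the model above.
    """
    answers: dict[str, str]
    max_attempts: int = 5
    attempts: int = 0
    locked: bool = False

    def verify(self, submitted: dict[str, str]) -> bool:
        """Return True only if every registered question is answered correctly
        and the account has not been locked by earlier failures."""
        if self.locked:
            return False
        self.attempts += 1
        ok = set(submitted) == set(self.answers) and all(
            secrets.compare_digest(_norm(self.answers[q]), _norm(a))
            for q, a in submitted.items()
        )
        if not ok and self.attempts >= self.max_attempts:
            self.locked = True
        return ok


def issue_recovery_token(nbytes: int = 16) -> tuple[str, int]:
    """The alternative to questions: a random token delivered out of band to a
    channel registered in advance. Returns the token and its entropy in bits;
    16 random bytes give 128 bits, against about 5 bits for the questions above."""
    return secrets.token_urlsafe(nbytes), nbytes * 8


if __name__ == "__main__":
    print(f"question-based recovery: {recovery_bits(ANSWER_SPACES):.1f} bits, "
          f"{worst_case_guesses(ANSWER_SPACES)} guesses to exhaust")
    # Constructed sample answers, not anyone's real data.
    registered = {"zip code": "00000", "where did you meet your spouse": "Example High"}
    gate = RecoveryGate(answers=registered)
    for guess in ("Example", "Example School", "Example Highschool", "Example HS", "Exmaple High"):
        gate.verify({"zip code": "00000", "where did you meet your spouse": guess})
    print("locked after five wrong answers:", gate.locked)
    token, bits = issue_recovery_token()
    print(f"random recovery token: {token} ({bits} bits)")
```

The point of the comparison is the ratio: three questions whose answers can be looked up give a few bits at most, while a random token gives 128, and no amount of public knowledge helps with the latter. The attempt limit does not make questions strong; it only stops the forty-guess exhaustion from finishing.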
Oh, and what did the hacker get from Governor Palin’s e-mails? Nothing:
I read through the emails… ALL OF THEM… before I posted, and what I concluded was anticlimactic: there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped. All I saw was personal stuff, some clerical stuff from when she was governor… and pictures of her family.
So they posted private pictures of her family to the net. Congratulations.
“Surely Obama must have done it, him and all his computer literacy.”
- The story behind the Palin e-mail hacking
- “A tech-savvy reader who monitors the hackers’ site e-mailed me a detailed explanation of how it went down, who was responsible, and how someone with a conscience warned a friend of the Palin family of the crime (language warning)”
More insecurity questions
- Security is hard, and 2FA is not the answer: Is 2-factor authentication the magic bullet in security? Not unless we solve the real problem, which is that people always take the easy way out—and that includes service providers.
- Security questions will always be insecure: Insecurity questions are insecure because their purpose is to allow access to someone who does not know the access credentials. This trait is shared by zero or one person who has forgotten their password, and an infinitude of people who never knew it in the first place—because they shouldn’t have access.
- Are insecurity questions designed to help hackers? Insecurity questions are being modified to make them easier to hack and harder to remember. It’s as if they’re designed to help hackers and frustrate forgetful account owners.
- Insecurity questions enable harassment and abuse: Insecurity questions are designed specifically to let someone who does not have your password access your account without having to talk to a human. The idea is that that person will be you after you forget your password, but the computer does not care. Anyone or anything with that information can access your account.
- Allow men to impersonate exes, transgender activists say: Some transgender activists want banks to reduce the security on bank accounts, enabling abusive exes to access their victims’ bank accounts.
I probably won't be able to dig up the article, but there are some services that let you define the question and the answer. The article was having fun with making customer service reps say funny things: "And now for security can you answer this question: What the fuck?"
Back in the day I actually provided accurate answers to these questions, and now you have me wondering if there are any still out there I should go clean up. So, thanks for the reminder.
Also a good reminder that I need to get better about encrypting all my emails.
Other Jerry at 1:37 p.m. April 29th, 2012
I think I link that article on the Insecurity Questions post. Was it Bruce Schneier?
And yeah, if we’re going to use personal information as passwords, we probably need better security on our email and social networking. (I’m not holding my breath…)
Jerry Stratton in San Diego at 2:50 p.m. April 29th, 2012