Ask the Expert

Securing services that allow end users to retrieve forgotten passwords

During the recent presidential campaign, vice presidential candidate Sarah Palin's email was hacked. Can you explain what happened from a technical perspective and how this type of tactic could affect enterprise data?


Actually, Governor Palin's Yahoo email account wasn't really "hacked" in the sense that the perpetrator did not gain unauthorized access to any of Yahoo's servers. What the intruder allegedly did was exploit Yahoo's password-recovery mechanism to make an unauthorized change to Gov. Palin's email password.

Yahoo uses a common password-recovery mechanism for those who forgot their passwords: a series of personal questions to determine the user's identity. In the Sarah Palin case, the three questions were:

  • What is your ZIP code?
  • What is your birthday?
  • Where did you meet your spouse?

Unfortunately for Palin, as a public figure, this information is readily available. Her birthdate is in the first line of her Wikipedia entry. That same entry reveals that she currently lives in Wasilla, Alaska. A quick search of the United States Postal Service website reveals that there is only one ZIP code for street addresses in Wasilla.

The third question is a little trickier and required some guesswork. Her Wikipedia entry notes that her husband Todd is her "childhood sweetheart." It also adds that she attended Wasilla High School. Combine those two facts with a little inference, and you get the answer to the final question: she met her spouse at Wasilla High School.

So what does this mean for the enterprise? If you're running any type of service that allows end users to retrieve forgotten passwords, now is a good time to look at the security of that service. Are you asking easily guessed (or researched) personal questions? If so, rethink your approach. At the very least, choose stronger, more obscure questions, such as "What was your favorite sandwich as a child?" or "Where did you purchase/adopt your first pet?" Alternatively, if you're willing to make an investment in this area, you might consider using a third-party identity-verification service that asks the user questions based upon pulling his or her credit report.
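Better questions are only half of the fix; the recovery service itself should not let an attacker confirm researched answers one at a time or keep guessing the remaining one. The following is an added illustration, not code from the article or from Yahoo: answers are stored as salted hashes, all answers are evaluated and compared in constant time, the response says only whether the whole set matched, and the challenge locks after a few failed attempts. The questions are the three from the article; the enrolled answers are constructed sample values.

```python
import hashlib
import hmac
import os
import unicodedata

# Sample question set (the three from the article); answers are constructed.
QUESTIONS = ["What is your ZIP code?", "What is your birthday?",
             "Where did you meet your spouse?"]
MAX_ATTEMPTS = 3          # lock the challenge after this many failed sets
PBKDF2_ROUNDS = 100_000   # slow the hash so offline guessing of a leaked store is costly

def normalize(answer: str) -> str:
    """Case-fold and drop punctuation/whitespace so 'Wasilla High School'
    and 'wasilla high-school' are treated as the same answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)

class RecoveryChallenge:
    """Holds one user's enrolled answers as salted hashes and verifies a full set."""

    def __init__(self, enrolled_answers):
        assert len(enrolled_answers) == len(QUESTIONS)
        self.salt = os.urandom(16)
        self.hashes = [hash_answer(a, self.salt) for a in enrolled_answers]
        self.attempts = 0
        self.locked = False

    def verify(self, answers) -> bool:
        """True only if every answer matches. No per-question feedback is
        returned, every answer is checked even after the first mismatch,
        and the challenge locks after MAX_ATTEMPTS failed sets."""
        if self.locked or len(answers) != len(self.hashes):
            return False
        self.attempts += 1
        ok = True
        for given, stored in zip(answers, self.hashes):
            # '&=' rather than 'and' so every answer is hashed and compared,
            # keeping the timing independent of which answer was wrong.
            ok &= hmac.compare_digest(hash_answer(given, self.salt), stored)
        if ok:
            self.attempts = 0
        elif self.attempts >= MAX_ATTEMPTS:
            self.locked = True
        return ok
```

A successful verification should still lead to a reset link sent to a previously enrolled contact, with a notification to the account owner, rather than an immediate password change; and none of this helps if the enrolled answers are on the user's Wikipedia page, which is the article's point.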

More information:

  • Get more information on email security basics.
  • Survey: Sophos has seen an increase in malicious email attachments.

This was first published in January 2009.
