Lessons of the Sarah Palin e-mail hack

Sarah Palin’s Yahoo e-mail account was hacked and at least some of her e-mails were downloaded and distributed. Besides being illegal, the hacking was simply wrong, no matter what your political ideology. When screenshots of her e-mail were first being displayed, several analysts theorized that her e-mail account password was hacked or guessed.

In one of the screenshots, you could see a password reset notification message in Palin’s now-compromised inbox. That led me to believe that the attackers had guessed her three password reset questions, which is substantially easier than guessing even a short password. I was right.

Here’s the story from an article on AppScout’s Web site:

Hacking Sarah Palin: What We Can All Learn

Breaking into Sarah Palin’s webmail account was a simple hack–one that required little to no technical expertise. There is, of course, an important lesson to be learned here for the vice presidential candidate, and hopefully the rest of us can take something away from this as well.

The attack was perpetrated by 4Chan’s “random” /b/ board. The board has long been at the forefront of Internet memeology, helping popularize such favorites as lolcats, Rick-rolling, and the “Anonymous” group, which has been known to launch its share of large-scale anti-Scientology protests.

On Tuesday night, someone from the /b/ board (“/b/tards,” as they are colloquially known) broke into Sarah Palin’s Yahoo! e-mail account. They read the e-mails and posted the address and password on the board. Fellow /b/tards proceeded to wreak general havoc with the account.

The /b/tard in question used Yahoo!’s password recovery feature, and then proceeded to fill in the answers using Wikipedia. A message posted to the forum explains the process thusly:

“After the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

“The second was somewhat harder, the question was ‘where did you meet your spouse?’ did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshits [sic] that I took and other fellow anon have so graciously put on photobucket you will see the google search for ‘palin eloped’ or some such in one of the tabs.

“I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on ‘Wasilla high’ I promptly changed the password to popcorn and took a cold shower…”

I’ve written about password reset features in the past. If your password reset feature is weak (and most are), then the security of your account has nothing to do with anything else besides those few questions. It doesn’t matter how good the vendor’s other security features are, it doesn’t matter how long and complex your password is, it doesn’t matter how secure their coding is and whether they use SDL programming. All that matters is how common the questions and answers are.

Because even if the answers are not available on the Internet, as they were in this case, the answers to most simple password reset questions are easier to figure out than cracking even a simple password.

For example, a common password reset question is “What was your first car?” Research the person’s age, and you’ve maybe got a few dozen (certainly less than a hundred) models to try. Another favorite question is “What is your pet’s name?” My friend Mark Burnett, author of “Perfect Passwords,” has dozens of lists of the most common answers, including pets. I was surprised to find my dog’s name, Abby, among the first names listed.

There are a lot of other legitimate political and legal issues opened up by the Sarah Palin hacking incident, but the real problem is bigger than that. We know that a large majority of politicians and CEOs use public e-mail accounts. And after this high-level incident, do you think password-reset-question hacking is going to become more or less popular now? It’s almost scary to think about.

How do you solve this problem? One way is by absolutely ignoring the password reset questions — for the most part. When they ask you for your dog’s name, say something like “Im5n$?aTuy” and put that for all your password reset answers. Essentially, you replace a common, everyday answer that’s easy to hack with something that is hard to guess. When vendors give you weak security options, hack ’em back!