As a curious technologist, my first question was, "How did they do it?" The article linked to above provided an explanation a day after the story broke: the attackers used Yahoo!'s password recovery system. You know the drill: when you set up an account, you have to fill in the answers to one or two questions, like "What was the name of your favorite teacher?" or "What was your first pet's name?" Then, when you lose your password, you go to the site, fill in the answer, and they unlock your account.
This password recovery method started gaining popularity a few years ago. (Before that, password recovery was almost always done by sending a new password to the email address you had on file.) Although it avoids the insecurities of email (which is usually transmitted in plain text over the internet), it has an even bigger problem: knowing the answer to a password recovery question is just as good as knowing the password itself, because the answer alone is enough to reset the password and take over the account.
As the person who hacked into Sarah Palin's account has shown the world, answering password recovery questions can be significantly easier than guessing a password. Anyone who knew me well in elementary school would probably be able to answer most password recovery questions.
Because of this inherent insecurity, I never answer password recovery questions truthfully. (If you're wondering, my first-grade teacher was Ms. Pierce.) Instead, I take one of two approaches:
- If it's a throwaway account at a site I don't really care about, I do something like this: "Q: What was your first pet's name? A: woierhjasldkfna;osighaw;ljkgnas;dflligha;sgfh." Try guessing that one!
- If it's an account that I may want to recover my password from in the future, I enter a different password as my answer to one of the questions. Ideally the site allows me to make up my own question, which is "What's the password recovery password?". If I can't make up my own question, then I just fill in another password as the answer to one of the dangerously obvious questions.
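To make the two approaches above concrete, here is an added Python example (mine, not code from the original post) that generates a random recovery answer the way approach two needs it, builds the record you would keep in a password manager, and estimates how many guesses an attacker faces for a random answer versus a real pet name. The pet-name list is a constructed toy example, not real data; the custom question text is the one quoted above, and the site name is a placeholder.

```python
import math
import secrets
import string

# Constructed, illustrative list of the kind of answers a "first pet's name"
# question really receives. Real answer distributions are even more skewed,
# which only strengthens the point: an acquaintance or a short wordlist
# would try these first.
COMMON_PET_NAMES = [
    "max", "bella", "charlie", "lucy", "buddy",
    "molly", "daisy", "rocky", "maggie", "jack",
]

# Symbols used for a random answer: letters, digits and punctuation (94 total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The made-up question from the post, for sites that let you write your own.
CUSTOM_QUESTION = "What's the password recovery password?"


def random_recovery_answer(length=40):
    """Return a high-entropy answer for a recovery question.

    Uses the secrets module (a CSPRNG), not random, so the answer is
    unpredictable even to someone who knows how it was generated.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def is_weak_answer(answer, common=COMMON_PET_NAMES):
    """True if the answer is in the small dictionary (case-insensitive)."""
    return answer.strip().lower() in common


def make_recovery_entry(site, allows_custom_question,
                        default_question="What was your first pet's name?"):
    """Build the record to store in a password manager for one site.

    If the site lets you invent the question, use the custom one; otherwise
    keep the site's obvious question and answer it with a random string.
    """
    question = CUSTOM_QUESTION if allows_custom_question else default_question
    return {"site": site, "question": question,
            "answer": random_recovery_answer()}


if __name__ == "__main__":
    entry = make_recovery_entry("example.com", allows_custom_question=False)
    print(entry["question"], "->", entry["answer"])
    print("random answer:", round(entropy_bits(len(ALPHABET), 40), 1), "bits")
    print("toy pet-name list:", round(entropy_bits(len(COMMON_PET_NAMES), 1), 1), "bits")
    print("'Max' is weak:", is_weak_answer("Max"))
```

The random answer is only usable if it is recorded somewhere, so the point of `make_recovery_entry` is that the question and answer go into the password manager together, exactly like a second password for the site.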