Friday, September 19, 2008

Dangerous password recovery questions

You probably saw recently that someone hacked into Sarah Palin's personal email account and posted some screenshots of a few messages on the web. The news has stirred some noise among government accountability proponents, who argue that public officials should use only official email for official business, so that it can be properly retained and audited. Those questions are interesting, but another point piqued my interest.

As a curious technologist, my first question was, "How did they do it?". The article linked above provided an explanation a day after the story broke: the attackers used Yahoo!'s password recovery system. You know the drill: when you set up an account, you have to fill in the answers to one or two questions, like "What was the name of your favorite teacher?" or "What was your first pet's name?". Then, when you lose your password, you go to the site and fill in the answer, and they'll unlock your account.

This password recovery method started gaining popularity a few years ago. (Before that, password recovery was almost always done by sending a new password to the email account you have on file.) Although it avoids the insecurities of email (which is usually transmitted in plain text over the internet), it has an even bigger problem: knowing the answer to password recovery questions is just as good as knowing the password itself.

As the person who hacked into Sarah Palin's account has shown the world, answering password recovery questions can be significantly easier than guessing a password. Anyone who knew me well in elementary school would probably be able to answer most password recovery questions.

Because of this inherent insecurity, I never answer password recovery questions truthfully. (If you're wondering, my first grade teacher was Ms. Pierce.) Instead, I take one of two approaches:
  • If it's a throwaway account at a site I don't really care about, I do something like this: "Q: What was your first pet's name? A: woierhjasldkfna;osighaw;ljkgnas;dflligha;sgfh." Try guessing that one!
  • If it's an account that I may want to recover my password from in the future, I enter a different password as my answer to one of the questions. Ideally the site allows me to make up my own question, which is "What's the password recovery password?". If I can't make up my own question, then I just fill in another password as the answer to one of the dangerously obvious questions.
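The two approaches above both rest on one idea: a recovery answer is a credential, so it deserves the same entropy and the same storage discipline as a password. The following Python is an added illustration of that idea, not code from this post or from any site's recovery system. It generates a gibberish answer of the first kind, compares its entropy with that of an "obvious" answer drawn from a small candidate set (the set size is a constructed assumption), and shows the server-side half: storing the answer only as a salted PBKDF2 hash, comparing in constant time, and locking the flow after a handful of wrong attempts.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Alphabet for generated answers (letters and digits; assumption for this example).
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Rate limit for the recovery flow (constructed value, not any real site's policy).
MAX_FAILED_ATTEMPTS = 5


def generate_recovery_answer(length: int = 32) -> str:
    """Return a random, high-entropy answer: the 'gibberish instead of the
    real pet's name' approach, done with a cryptographic RNG."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def entropy_bits_random(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def entropy_bits_guessable(candidate_count: int) -> float:
    """Entropy of an answer an acquaintance can narrow to `candidate_count`
    plausible values (e.g. the handful of teachers a classmate remembers)."""
    return math.log2(candidate_count)


def store_answer(answer: str, iterations: int = 100_000) -> dict:
    """Store a recovery answer the way a password should be stored:
    per-record salt, slow hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest, "failed": 0}


def verify_answer(record: dict, candidate: str) -> bool:
    """Constant-time check of a candidate answer against the stored hash.
    After MAX_FAILED_ATTEMPTS wrong answers the record is locked and even the
    correct answer is refused, so the flow cannot be brute-forced online."""
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    if hmac.compare_digest(digest, record["hash"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    return False


def is_locked(record: dict) -> bool:
    return record["failed"] >= MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    answer = generate_recovery_answer()
    print("generated answer:", answer)
    print("random answer entropy (bits):", round(entropy_bits_random(len(answer)), 1))
    # Constructed assumption: a former classmate can narrow 'favorite teacher'
    # down to roughly 20 names.
    print("guessable answer entropy (bits):", round(entropy_bits_guessable(20), 1))
    rec = store_answer(answer)
    print("correct answer accepted:", verify_answer(rec, answer))
    print("wrong answer accepted:", verify_answer(rec, "Ms. Pierce"))
```

The entropy comparison is the whole argument of the post in numbers: a 32-character random answer carries about 190 bits, while an answer that a classmate can narrow to twenty candidates carries under five. The lockout counter is the mitigation a site can apply on its side, since it cannot control how users choose their answers.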
Next time you set up an account, be smarter than Sarah Palin and don't fill in obvious, easily discovered answers. Remember that the answers to password recovery questions are just as good as the password itself.

