September 19, 2008

How to Avoid the Sarah Palin "Secret Question" Account Trap

Greetings. I've already discussed the hacking of Sarah Palin's Yahoo e-mail account and why that hack was both dumb and wrong.

But how was this attack accomplished? Reports suggest that a youngster exploited one of the weakest aspects of account protection at many sites, the so-called "secret question" system.

The secret question (and its corresponding "secret answer") is supposed to be used for you to recover system access when you've lost or forgotten your real password. Questions like: "What is your favorite color?" or "What High School did you attend?" (that's the one that was used in Palin's case, we're told), or "What was your first dog's name?" and so on.

Supposedly the concept behind this approach is to come up with something that you know well and won't forget. The problem of course is that in many cases the answers to these questions are trivial to guess or research, as seems to have been the case with Palin's account hacker.

Is there a way to avoid just using random alphanumeric strings as answers to secret questions (that's my approach of choice, by the way) and still reduce the probability of your answers being easily hacked?

Sure. Lots of ways. Here are just a few.

You can simply answer the questions incorrectly -- that's an obvious approach. Or you can misspell answers. One particularly useful technique is simply to add unrelated text onto the correct answers (ideally different at every site, but even using the same add-on string everywhere would be better than nothing within the context of secret questions). So for example, your first dog might be Manfred23Skidoo. Your favorite color could be blueRasputin. And so on.

The idea is simply to choose answers that are memorable, combined with some additional easy to remember text that renders the main part of the answer useless for hacking by itself, even by someone who has researched your pets, color preferences, educational background, and so on.

Such simple techniques can go a long way toward helping to protect your Internet accounts without requiring any changes to the systems themselves. Obviously these methods are not foolproof, but small changes in the ways that we treat account information can make significant improvements in security, with relatively little effort on our part really being required.


Posted by Lauren at September 19, 2008 04:29 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein