"Forgot your password" links the easy way in for hackers

Wed Sep 3, 2008 11:31AM EDT

See Comments (517)

Never mind creating a password with at least eight characters, two of which are numbers, one of which is a capital letter, and one of which is a symbol like (*&^%$). The easiest way for a hacker to weasel into your account is likely the "Forgot your password?" link.

"Forgot your password?" features are older than the Internet, providing businesses and site owners a simple way to let a user reset a forgotten password, provided he can verify his credentials by asking a few personal questions that only the rightful user should know.

For years the archetypical question was, of course, the "Mother's maiden name" challenge. In recent years, additional challenges have emerged, such as asking the street you grew up on, your favorite pet, and grandparents' first names.

Is all of this stuff really secure? More than one researcher is sounding the alarm over these tools, noting that while this data may have been private a decade ago, in an era of personal blogs, online resumes, and rampant social networking services, "personal" information drawn from your past is now widely available for public consumption. According to a researcher at PARC, you can even buy black market directories of personal information "like dog's names," for about $15 per batch. It's certainly a lot easier than guessing passwords like AHFplug41*.

Think this doesn't happen? There aren't any statistics available, but these hacks are widely suspected in myriad cases where accounts have been compromised. (Even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. It doesn't help to have one of the most infamous dogs in America...) But if you need more proof, check out this "how I did it" step by step guide to hacking a password from one writer at Scientific American. In about an hour, it seems, our researcher managed to compromise one (willing) victim's life entirely through password reset links.

MSNBC has an exhaustive amount of additional information on the issue, but the takeaway is clear: If you provide information for password reset systems, don't use data (like other people's names and addresses) that can be easily discovered or guessed. Better yet, consider creating a second tier of passwords you use for questions like these, and keep them written down and locked in a safe if you must. In other words: Your mother's maiden name may really be Jones, but that you can't pretend it wasn't Mxlpxlxl!7631.

Comments on "Forgot your password" links the easy way in for hackers

Post a Comment

Join in the discussion. Here you'll see the comments in the order they were posted.

  • 1 Posted by rhahn2400 on Thu Sep 3, 2009 8:38PM EDT Report Abuse

    If I were to keep my back up password locked up for safe keeping, I guess I could keep my original password locked up as well. No?

  • 2 Posted by parlor50.rsm@att.net on Thu Sep 3, 2009 7:59PM EDT Report Abuse

    i think that info is very useful...thx-and i do write them down for just in case i forget and there are a lot of sneaky prediators out there so be careful and mindful too..thx..pp

  • 3 Posted by vze1v906@verizon.net on Thu Sep 3, 2009 10:38PM EDT Report Abuse

    One way around this would seem to be to pick one of the questions, then use an 'answer' that has nothing to do with the true answer. For example, chose the question, "What is my mother's maiden name?". Then for the answer put something else, "ballyhoo" for example. This way, even if a hacker finds out what your mother's maiden name is, it won't let them reset your password to hack your account.

  • 4 Posted by indianafuncouple@verizon.net on Thu Sep 3, 2009 4:23PM EDT Report Abuse

    wow #5, your a quick one. i think they pretty well covered that one in the above article. good advice in the article, and i guess reinvented down below.

  • 5 Posted by gwenmb1@sbcglobal.net on Thu Sep 3, 2009 4:14PM EDT Report Abuse

    Thank you for this information. Just last week, I had to renew security questions on one of my accounts. Now I have to figure out which one it was so that I can review and change it. Thanks again.

More Posts: First Prev 1 2 3 4 5 Next Last

Post a Comment

Sign In to Post a Comment

My Tech

Please enable your browser's cookies to activate the My Tech column.

Also on Yahoo! Tech

Computers Home Office Wi-Fi & Networking Phones & PDAs Cameras & Camcorders TV & Home Theater Portable Audio
 

Site Map | Tour | Subscribe to Yahoo! Tech

Question and Answer content at Yahoo! Tech is written by Yahoo! users at Yahoo! Answers. Yahoo! does not evaluate or guarantee the accuracy of any Yahoo! Answers content. For more information, read the Full Disclaimer.

Opinions expressed by the Advisors are their own and do not necessarily reflect the views of Yahoo! Inc. Yahoo! receives no compensation from any manufacturer or distributor nor does it compensate any Advisor for the coverage of any product or service in any Advisor's content.