"Forgot your password" links the easy way in for hackers

Wed Sep 3, 2008 11:31AM EDT


Never mind creating a password with at least eight characters, two of which are numbers, one of which is a capital letter, and one of which is a symbol like (*&^%$). The easiest way for a hacker to weasel into your account is likely the "Forgot your password?" link.

"Forgot your password?" features are older than the Internet, giving businesses and site owners a simple way to let a user reset a forgotten password, provided the user can prove who they are by answering a few personal questions that only the rightful user should know.

For years the archetypal question was, of course, the "mother's maiden name" challenge. In recent years additional challenges have emerged, such as the street you grew up on, the name of your favorite pet, and your grandparents' first names.

Is all of this stuff really secure? More than one researcher is sounding the alarm over these tools, noting that while this data may have been private a decade ago, in an era of personal blogs, online resumes, and rampant social networking services, "personal" information drawn from your past is now widely available for public consumption. According to a researcher at PARC, you can even buy black market directories of personal information "like dog's names," for about $15 per batch. It's certainly a lot easier than guessing passwords like AHFplug41*.

Think this doesn't happen? There aren't any statistics available, but these hacks are widely suspected in myriad cases where accounts have been compromised. (Even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. It doesn't help to have one of the most infamous dogs in America...) But if you need more proof, check out this "how I did it" step by step guide to hacking a password from one writer at Scientific American. In about an hour, it seems, our researcher managed to compromise one (willing) victim's life entirely through password reset links.

MSNBC has an exhaustive amount of additional information on the issue, but the takeaway is clear: If you provide information for password reset systems, don't use data (like other people's names and addresses) that can be easily discovered or guessed. Better yet, consider creating a second tier of passwords you use for questions like these, and keep them written down and locked in a safe if you must. In other words: Your mother's maiden name may really be Jones, but nothing stops you from pretending it was Mxlpxlxl!7631.
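The advice above, worked through as an added example that is not from the original article: on the user's side, a random answer is generated for every reset question (the "second tier of passwords"), and on the site's side those answers are stored and checked the way passwords should be. The site names and questions are constructed samples, and the round count and answer length are assumptions.

```python
"""Treat password-reset answers as a second tier of passwords (added example)."""
import hashlib
import hmac
import math
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed sample: the reset questions two hypothetical sites ask.
RESET_QUESTIONS: Dict[str, List[str]] = {
    "example-bank": ["Mother's maiden name?", "Street you grew up on?"],
    "example-webmail": ["First pet's name?"],
}
ALPHABET = string.ascii_lowercase + string.digits  # survives case-folding by the site
ANSWER_LEN = 16  # assumed length; 16 symbols from 36 gives about 82 bits


def random_answer(length: int = ANSWER_LEN) -> str:
    """User side: an answer with no link to your biography, so nothing public reveals it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_vault(questions: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """One random answer per (site, question); keep the result in a password manager or a safe."""
    return {site: {q: random_answer() for q in qs} for site, qs in questions.items()}


def entropy_bits(choices: int, length: int = 1) -> float:
    """Guessing work as log2 of the answer space: a 'favorite colour' with ~12 plausible
    answers is under 4 bits, while 16 random lowercase alphanumerics are about 82 bits."""
    return length * math.log2(choices)


def normalise(answer: str) -> str:
    """Site side: fold case and whitespace so 'Jones ' and 'jones' match. The fold
    helps usability only; it does nothing to make a guessable answer harder to guess."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Store reset answers like passwords: salted, slow hash, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, rounds)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes, rounds: int = 100_000) -> bool:
    """Constant-time compare so response timing does not leak how close a guess was."""
    _, candidate = hash_answer(answer, salt, rounds)
    return hmac.compare_digest(candidate, digest)
```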

Comments on "Forgot your password" links the easy way in for hackers


  • 28 Posted by ray1126@sbcglobal.net on Thu Sep 3, 2009 8:30PM EDT

    Simple passwords like (----- you) are the best, but if you want to have a harder password to hack you need a safe called AnyPassword, free to people that use XP, but if you want it to work with Vista you will need to purchase the Pro version. A password of 12 (&yJtrU#654^~) is hard to crack; even with a special program it could take years.

  • 31 Posted by mrobert212002 on Thu Sep 3, 2009 7:28PM EDT

    Big news flash that anybody can steal your personal information. In other shocking, breaking news, it has been discovered that rain is wet. Considering that Paris Hilton forgets to wear panties most days and struggles to spell her own name, she was not a good example. In the words of Senator Lloyd Bentsen, "Sir, I knew Mxlpxlxl!7631. Mxlpxlxl!7631 was a friend of mine. You are no Mxlpxlxl!7631."

  • 34 Posted by xfunkifier@verizon.net on Thu Sep 3, 2009 10:53PM EDT

    This is a really useless article. It gets half it----- s off of the words Paris Hilton alone.

  • 35 Posted by allenchantel@att.net on Thu Sep 3, 2009 2:51PM EDT

    Yes.. I wanted to know how my husband's ex, bipolar, found my information.. she even found out I had Facebook and just now, a couple of days ago, my Yearbook. So I want to know how she knows it??? She doesn't know my email. I hope hot.... anyone who knows how to get emails like that, please let me know how I can protect my email and stuff. I want her to stop looking for me or trying to destroy my things. If she knows how to get in my computer.. please let me know how to block her off. I cancelled myspace.com because of HER. Thanks, Chantel

  • 37 Posted by psunjka on Thu Sep 3, 2009 8:20PM EDT

    http://profiles.yahoo.com/deborahhutchinson@verizon.net, even though I'm not a native English-speaker, I think that data is a noun that can't be counted (uncountable nouns), therefore you don't have a plural "these data". It would be a different story if C. Null said "these SETS of data" or "these TYPES of data".

  • 38 Posted by johnkermott on Thu Sep 3, 2009 4:39PM EDT

    I used to ignore the "forgot password" challenge/response and usually fill it with garbage. But banks now require challenge/response in addition to your password (I don't know yet how they handle a forgotten password). Recently, one site forced me to change my password by challenge/response due to a security breach (my account was not compromised). Because I had entered garbage, I had to call instead. To verify my identity, the phone rep asked me the same question!

  • 39 Posted by johnkermott on Thu Sep 3, 2009 4:39PM EDT

    oh - family name questions can often be compromised just by searching a genealogy website

  • 40 Posted by tradiak1980 on Thu Sep 3, 2009 10:19PM EDT

    I love how this article says "even Paris Hilton" like she is the standard for American intelligence. Of course Paris Hilton fell prey to this hack...

  • 41 Posted by mselizabethmcclellan on Thu Sep 3, 2009 7:29PM EDT

    Well of COURSE Paris Hilton fell for it. She has the intelligence of a TURNIP, and that's being generous!

  • 42 Posted by markbouchard on Thu Sep 3, 2009 7:07PM EDT

    "Your mother's maiden name may really be Jones, but that you can't pretend it wasn't Mxlpxlxl!7631." Who edits this stuff? This line makes no sense at all. Do the writers even read their own articles before publishing? This stuff drives me nuts.

  • 43 Posted by kevinjfontaine on Thu Sep 3, 2009 4:50PM EDT

    "Even Paris Hilton has fallen prey to this hacker's scheme to steal passwords." This headline insinuates that Paris Hilton has half of a brain, which she does not. Whoever wrote this column is a momo.

  • 44 Posted by lionessyourhighness on Thu Sep 3, 2009 6:53PM EDT

    THANK YOU! I am changing my passwords now to something that is a little harder for hackers.

  • 45 Posted by gaither1983 on Thu Sep 3, 2009 4:05PM EDT

    My ex-girlfriend got me like this about 8 months ago.
