Wed Sep 3, 2008 11:31AM EDT
Never mind creating a password with at least eight characters, two of which are numbers, one of which is a capital letter, and one of which is a symbol like (*&^%$). The easiest way for a hacker to weasel into your account is likely the "Forgot your password?" link.
"Forgot your password?" features are older than the Internet, providing businesses and site owners a simple way to let a user reset a forgotten password, provided he can verify his credentials by asking a few personal questions that only the rightful user should know.
For years the archetypical question was, of course, the "Mother's maiden name" challenge. In recent years, additional challenges have emerged, such as asking the street you grew up on, your favorite pet, and grandparents' first names.
Is all of this stuff really secure? More than one researcher is sounding the alarm over these tools, noting that while this data may have been private a decade ago, in an era of personal blogs, online resumes, and rampant social networking services, "personal" information drawn from your past is now widely available for public consumption. According to a researcher at PARC, you can even buy black market directories of personal information "like dog's names," for about $15 per batch. It's certainly a lot easier than guessing passwords like AHFplug41*.
Think this doesn't happen? There aren't any statistics available, but these hacks are widely suspected in myriad cases where accounts have been compromised. (Even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. It doesn't help to have one of the most infamous dogs in America...) But if you need more proof, check out this "how I did it" step by step guide to hacking a password from one writer at Scientific American. In about an hour, it seems, our researcher managed to compromise one (willing) victim's life entirely through password reset links.
MSNBC has an exhaustive amount of additional information on the issue, but the takeaway is clear: If you provide information for password reset systems, don't use data (like other people's names and addresses) that can be easily discovered or guessed. Better yet, consider creating a second tier of passwords you use for questions like these, and keep them written down and locked in a safe if you must. In other words: Your mother's maiden name may really be Jones, but that doesn't mean you can't pretend it wasn't Mxlpxlxl!7631.
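To show what the advice above looks like from the site's side, here is an added example (not code from the article or from any site it mentions) of a hypothetical "Forgot your password?" back end: the answer is stored as a salted hash, guesses are throttled, and a correct answer never reveals the password but only issues a short-lived, single-use reset token meant for the registered email address. The names, limits and sample answers are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical parameters for this example; a real site would tune them.
ITERATIONS = 200_000      # PBKDF2 work factor for the stored answer hash
MAX_ATTEMPTS = 5          # lock the challenge after this many wrong answers
TOKEN_TTL = 15 * 60       # reset token lives 15 minutes


def normalize(answer):
    """Fold case and whitespace so 'Mxlpxlxl!7631' and ' MXLPXLXL!7631 ' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, salt=None):
    """Salted, slow hash of the normalized answer (answers are treated like passwords)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


class ResetChallenge:
    def __init__(self, question, answer):
        self.question = question
        self.salt, self.digest = hash_answer(answer)
        self.failures = 0
        self.tokens = {}  # token -> expiry timestamp

    def answer_ok(self, guess):
        if self.failures >= MAX_ATTEMPTS:
            return False  # locked: a guessing run stalls here even with the right answer
        _, digest = hash_answer(guess, self.salt)
        ok = hmac.compare_digest(digest, self.digest)
        if not ok:
            self.failures += 1
        return ok

    def request_reset(self, guess, now=None):
        """A correct answer yields only a token to be mailed to the registered address."""
        if not self.answer_ok(guess):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (now if now is not None else time.time()) + TOKEN_TTL
        return token

    def redeem(self, token, now=None):
        """Single use: the token is removed whether or not it is still valid."""
        expiry = self.tokens.pop(token, None)
        return expiry is not None and (now if now is not None else time.time()) <= expiry
```

A guessable answer like a pet's name is still at risk from a handful of tries, which is why the lockout and the random "second tier" answer the article recommends complement each other.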
Even Paris Hilton? is she a Mensa member and I didn't know?
I would love to play "ouch ouch, you're on my hair" with Paris
gimme a break........."even Paris Hilton"......like she is some sort of rocket scientist.........lol
"Even" Paris Hilton? Yes, she is the genius I compare myself to.
What is meant by the phrase, "even Paris Hilton?" Since when did she become the embodiment of savvy and wisdom? Frankly, she is exactly the type of person who could fall for these kinds of scams. If you had said something like "even Steve Jobs," or "even Melinda Gates," or "even Guy Kawasaki," that, while highly unlikely, would have been somewhere in the ballpark.
This is very good advice, but even nowadays, where people file share etc., it is also easy to get keyloggers on your PC, which track all keystrokes, so that can be just as bad. Just keep running anti-virus and spyware scans regularly.
Wow, even Paris Hilton has fallen for it?!? What else is Paris Hilton doing?? What does she think about the people who set the train on fire in Argentina?? Tell us more about Paris Hilton!!
I like the tip about using fake information or another password for the challenge questions.
You say even Paris Hilton fell for it like she is some kind of genius. I would expect her to fall for whatever kind of scam she runs into. She seems extraordinarily stupid.
Pretty stupid headline "even Paris Hilton...". Who the heck wrote that? If there were anyone that would fall for something, it would be her.
What do they mean "even Paris Hilton"? People worship these idiots as though there is any difference as one human versus another. The only significance is that she's rich. Ridiculous.
Paris Hilton is not sharp!!!
I think the laws need to be changed and harsher punishments for the offenders. All these online scams, ads, parasites, viruses and hackers is ridiculous. I can't smoke marijuana in my own house but some pimple faced dweeb can screw up my entire network and steal passwords and he gets fined. Whoop dee doo. The laws need to be looked over and changed.
But when you answer those questions they usually send you a link to reset the password to your email, so the hacker would have to get into your email first, wouldn't they? allenchantel, you can set MySpace and Facebook so that only the people you add to your friends list can see your profile. She could have just gone on the site and typed in your name to find your profile. You can also set it so that people can't see your email address, and I'd suggest not using your last name when signing up for things like that.
Christopher Null writes too much. I could have done without the first two paragraphs of this article. I completely lost interest.
This thing makes sense, but how about the Yahoo! site? Is it secure with the words FORGOT ID? People should have better memory, then.
Hey #14, that's the same street that I grew up on!
"Even Paris Hilton fell victim" to this.... oh what a shock! She's only the DUMBEST human being to ever walk the planet. Using her as an example is basically saying only stupid people have this happen to them. If they wanted to use a GOOD example, something like "even Bill Gates has fallen victim to this scam." Paris Hilton is meaningless - she's the average moronic American.
"Even Paris Hilton..." Sorry bub, but I don't think many people figure Paris Hilton to be the paramount of brilliance. But do appreciate the rest of the article.
46 Posted by hcs565 on Thu Sep 3, 2009 4:17PM EDT
This article is wrong. They don't ask you the secret question and then let you in; they send your password to your registered email address. If someone does not have access to your email, they cannot get your passwords.