"Forgot your password" links the easy way in for hackers

Wed Sep 3, 2008 11:31AM EDT


Never mind creating a password with at least eight characters, two of which are numbers, one of which is a capital letter, and one of which is a symbol like (*&^%$). The easiest way for a hacker to weasel into your account is likely the "Forgot your password?" link.

"Forgot your password?" features are older than the Internet, providing businesses and site owners a simple way to let a user reset a forgotten password, provided he can verify his identity by answering a few personal questions that only the rightful user should know.

For years the archetypal question was, of course, the "Mother's maiden name" challenge. In recent years, additional challenges have emerged, such as asking the street you grew up on, your favorite pet's name, and your grandparents' first names.

Is all of this stuff really secure? More than one researcher is sounding the alarm over these tools, noting that while this data may have been private a decade ago, in an era of personal blogs, online resumes, and rampant social networking services, "personal" information drawn from your past is now widely available for public consumption. According to a researcher at PARC, you can even buy black market directories of personal information "like dog's names," for about $15 per batch. It's certainly a lot easier than guessing passwords like AHFplug41*.

Think this doesn't happen? There aren't any statistics available, but these hacks are widely suspected in myriad cases where accounts have been compromised. (Even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. It doesn't help to have one of the most infamous dogs in America...) But if you need more proof, check out this "how I did it" step by step guide to hacking a password from one writer at Scientific American. In about an hour, it seems, our researcher managed to compromise one (willing) victim's life entirely through password reset links.

MSNBC has an exhaustive amount of additional information on the issue, but the takeaway is clear: If you provide information for password reset systems, don't use data (like other people's names and addresses) that can be easily discovered or guessed. Better yet, consider creating a second tier of passwords you use for questions like these, and keep them written down and locked in a safe if you must. In other words: Your mother's maiden name may really be Jones, but there's no reason you can't pretend it was Mxlpxlxl!7631.
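To make the takeaway concrete, here is an added example (not from the article, MSNBC, PARC or Scientific American) that plays both sides of a reset question in Python. The attacker side runs the "public directory" attack the article describes against a stored answer; the site side stores answers the way it should store passwords (normalized, salted, slow-hashed, compared in constant time) and can cap the number of guesses; and `random_answer` produces the "second tier of passwords" the article recommends. The pet-name list, the answers "Tinker Bell" and "Rex", and the five-guess lockout are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of "public" answers; the real lists the article describes
# (bought or scraped from blogs and social networks) are far longer.
COMMON_PET_NAMES = ["max", "buddy", "bella", "tinkerbell", "lucy", "charlie", "fido", "rex"]


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Tinker Bell' and 'tinkerbell' compare equal.
    A site must normalize before hashing, or the legitimate user fails the reset."""
    return "".join(answer.lower().split())


def store_answer(answer: str, iterations: int = 100_000, attempt_limit=None) -> dict:
    """Store a security-question answer like a password: salted, slow-hashed,
    never in plaintext. attempt_limit caps how many guesses the record allows
    (None means unlimited, which is the weakness the article relies on)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {
        "salt": salt,
        "digest": digest,
        "iterations": iterations,
        "attempt_limit": attempt_limit,
        "attempts": 0,
    }


def check_answer(record: dict, candidate: str) -> bool:
    """Verify one reset attempt; refuses outright once the attempt limit is used up."""
    limit = record["attempt_limit"]
    if limit is not None and record["attempts"] >= limit:
        return False  # locked; a real site would now require another channel
    record["attempts"] += 1
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Play the attacker from the article: submit public guesses in order.
    Returns (recovered answer or None, number of attempts the site accepted)."""
    limit = record["attempt_limit"]
    for guess in wordlist:
        if limit is not None and record["attempts"] >= limit:
            break  # locked out before the list was exhausted
        if check_answer(record, guess):
            return guess, record["attempts"]
    return None, record["attempts"]


def random_answer(nbytes: int = 12) -> str:
    """The article's 'second tier of passwords': a random answer that appears in
    no directory. 12 bytes is about 96 bits, far beyond any list of pet names."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    real = store_answer("Tinker Bell")  # constructed "real" dog's name, no limit
    print("real dog's name, unlimited guesses:", dictionary_attack(real, COMMON_PET_NAMES))
    capped = store_answer("Rex", attempt_limit=5)  # same idea, but the site locks out
    print("real dog's name, 5-guess limit:", dictionary_attack(capped, COMMON_PET_NAMES))
    fake = store_answer(random_answer())  # the article's recommended fake answer
    print("random second-tier answer:", dictionary_attack(fake, COMMON_PET_NAMES))
```

Run stand-alone, the script shows the three outcomes side by side: a real pet name falls to the short list within a handful of guesses when the site allows unlimited attempts, the same name survives when the site stops after five, and a random answer is never in the list at all. Keep the random answers in a password manager or, as the article says, on paper in a safe; the point is that they come from nowhere an attacker can look.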

Comments on "Forgot your password" links the easy way in for hackers


  • 506 Posted by sabattus_2000 on Thu Sep 3, 2009 8:59PM EDT

    I'm allowed one dumb question, especially as I'm anything but an expert in computers. How do we know, for example, that NASA launches aren't compromised? With all you hacker "geniuses" out there, why is it we hear of very few (if any) successful hacks into the NASA systems? Either NASA is awfully sloppy and gets hacked a lot, OR(!) they're relatively immune to it. If the latter is true, then why aren't more of us using their method(s) to safeguard hacking??? The same could be asked, let's say, of military operations.

  • 507 Posted by chromatiger on Thu Sep 3, 2009 3:25PM EDT

    If I am not really doing anything other than surfing the net, why would someone want to hack my password and get into my account? What if any danger is in this for me?

  • 508 Posted by dancingallery on Thu Sep 3, 2009 3:34PM EDT

    I like to use ask your own questions. By doing this you can go back to when you were a child for a question or ask a question about a friend. Change your password every few months. I guess the main thing is trying to keep hackers noses out of our business on the computer. Some people just have no life.

  • 509 Posted by rachelle3030@ymail.com on Sat Sep 6, 2008 11:47AM EDT

    Come on people, give the poor gal a break. I know she has issues, but I myself have been a victim of such and I am pretty quick witted. To all of those who get drunk, find multiple people, have embarrassed themselves in public, been arrested, made mistakes and so forth and so on, those of you who are not in the public eye who do stupid things in private, who are you to bash this girl? All men were created equal and we all have issues. I stand up for this girl. No, I don't agree with her lifestyle, but come on, what if you were her, being slammed every day of your life?

  • 510 Posted by perkinsreginald on Thu Sep 3, 2009 8:07PM EDT

    I use Roboform! Remembers passwords etc. Anybody got some info about that????

  • 511 Posted by valeriebisram533 on Thu Sep 3, 2009 10:30PM EDT

    New users like myself do get puzzled with all of this IT language. I think the Federal Government should formulate, instigate and pass serious penalties for Providers of the Internet Service for not being able to come up with the technology to protect every single user of this vital service. I am a single grandmother and my career requires me to use the Internet and computer. Just like when someone commits a detrimental crime like murder, it is one's livelihood that is tampered with, including that of an entire family.

  • 512 Posted by daniel_finn496 on Thu Sep 3, 2009 3:35PM EDT

    The information you gave out is a useful one, but don't you think these hackers get more experienced all day? When a way is blocked they kinda open another. So even though you use a maiden name that is not correct, don't you think these hackers can hack into the database of the web mail you use and get whatever you use there?? Well, just my thoughts. The best way is to change your password periodically, maybe once in every 2 weeks. ......Mightyman

  • 513 Posted by locomotive611 on Thu Sep 3, 2009 6:55PM EDT

    Now if only there was a way to get some different security question for utility companies. They always ask for the last 4 digits of one's SSN whenever one calls customer service for a problem or a repair issue.

  • 514 Posted by drey_nuesa on Thu Sep 3, 2009 3:48PM EDT

    just don't forget your password, that's it!!

  • 515 Posted by jamie15146 on Thu Sep 3, 2009 4:28PM EDT

    Ha... my mom has been married three times... good luck to any hacker that could figure out her maiden name... LOL

  • 516 Posted by katmay1@verizon.net on Tue Sep 23, 2008 3:42PM EDT

    9/23/08 12:35pm PDT. Posted an intelligent suggestion that got lost in the innards of your strange machine. After seeing 'Paris Hilton' 45 times for some unknown reason, I realized I had wandered onto the wrong page; I'd thought the article was about secure passwords, but obviously was mistaken. Catstroke @ Oregonlive.com

  • 517 Posted by jaredmetivier on Thu Sep 3, 2009 4:28PM EDT

    the best thing to do is limit the information that you have on your computer.
