"Forgot your password" links the easy way in for hackers

Wed Sep 3, 2008 11:31AM EDT


Never mind creating a password with at least eight characters, two of which are numbers, one of which is a capital letter, and one of which is a symbol like (*&^%$). The easiest way for a hacker to weasel into your account is likely the "Forgot your password?" link.

"Forgot your password?" features are older than the Internet, providing businesses and site owners a simple way to let a user reset a forgotten password, provided he can prove who he is by answering a few personal questions that only the rightful user should know.

For years the archetypical question was, of course, the "Mother's maiden name" challenge. In recent years, additional challenges have emerged, such as asking the street you grew up on, your favorite pet, and grandparents' first names.

Is all of this stuff really secure? More than one researcher is sounding the alarm over these tools, noting that while this data may have been private a decade ago, in an era of personal blogs, online resumes, and rampant social networking services, "personal" information drawn from your past is now widely available for public consumption. According to a researcher at PARC, you can even buy black market directories of personal information "like dog's names," for about $15 per batch. It's certainly a lot easier than guessing passwords like AHFplug41*.

Think this doesn't happen? There aren't any statistics available, but these hacks are widely suspected in myriad cases where accounts have been compromised. (Even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. It doesn't help to have one of the most infamous dogs in America...) But if you need more proof, check out this "how I did it" step-by-step guide to hacking a password from one writer at Scientific American. In about an hour, it seems, the writer managed to compromise one (willing) victim's life entirely through password reset links.

MSNBC has an exhaustive amount of additional information on the issue, but the takeaway is clear: If you provide information for password reset systems, don't use data (like other people's names and addresses) that can be easily discovered or guessed. Better yet, consider creating a second tier of passwords you use for questions like these, and keep them written down and locked in a safe if you must. In other words: Your mother's maiden name may really be Jones, but that doesn't mean you can't pretend it was Mxlpxlxl!7631.
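To make the two points above concrete (a "directory" of pet names beats a real answer; a made-up answer does not fall to it), here is an added example in Python. It is not code from the article, PARC, or any of the sites mentioned. It models the server side of a "forgot your password?" question that stores answers salted and hashed and locks after a few wrong guesses, then runs a constructed list of common pet names against it. The name list, the victim's answer "Charlie", and the guess limit are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample data: a tiny stand-in for the "$15 per batch" directory
# of dog names the article mentions. Real lists are far longer.
COMMON_PET_NAMES = [
    "max", "buddy", "bella", "lucy", "charlie", "daisy", "molly",
    "rocky", "sadie", "jack", "tinkerbell", "coco", "bailey",
]

PBKDF2_ROUNDS = 100_000  # slow hash, so a leaked database is not trivially cracked


def normalize(answer):
    """Canonicalize an answer the way reset forms usually do (case/space insensitive)."""
    return " ".join(answer.strip().lower().split())


def _derive(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def random_answer(length=16):
    """A 'second tier password' for a security question, e.g. Mxlpxlxl!7631-style."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class ResetChallenge:
    """Server side of one security question: salted hash of the answer plus a guess limit.

    max_attempts=None means no lockout, which is how many 2008-era sites behaved.
    """

    def __init__(self, answer, max_attempts=5):
        self.salt = os.urandom(16)
        self.digest = _derive(answer, self.salt)
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self):
        return self.max_attempts is not None and self.failures >= self.max_attempts

    def try_answer(self, candidate):
        """True only if the answer matches and the challenge is not locked."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self.digest, _derive(candidate, self.salt))
        if not ok:
            self.failures += 1
        return ok


def dictionary_attack(challenge, wordlist):
    """Guess each word in order; return the 1-based guess that succeeded, or None."""
    for i, word in enumerate(wordlist, 1):
        if challenge.locked:
            return None
        if challenge.try_answer(word):
            return i
    return None


def demo():
    """Three runs: real answer without lockout, real answer with lockout, random answer."""
    # Victim used the dog's real name (constructed: "Charlie", 5th in the list).
    no_lockout = ResetChallenge("Charlie", max_attempts=None)
    with_lockout = ResetChallenge("Charlie", max_attempts=3)
    # Victim followed the article's advice and used a random second-tier password.
    made_up = ResetChallenge(random_answer(), max_attempts=None)
    return {
        "real_no_lockout": dictionary_attack(no_lockout, COMMON_PET_NAMES),
        "real_with_lockout": dictionary_attack(with_lockout, COMMON_PET_NAMES),
        "random_no_lockout": dictionary_attack(made_up, COMMON_PET_NAMES),
    }


if __name__ == "__main__":
    for scenario, guesses in demo().items():
        print(f"{scenario}: {'cracked on guess ' + str(guesses) if guesses else 'not cracked'}")
```

The first run shows the attack the article describes: with no guess limit and a real answer, the name falls within a handful of tries. The second shows the server-side fix a site can apply (lockout or rate limiting), and the third shows the user-side fix the article recommends: a random answer is not in any directory, so the list is exhausted without a hit.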

Comments on "Forgot your password" links the easy way in for hackers


  • 6 Posted by madhosingh@sbcglobal.net on Thu Sep 3, 2009 7:02PM EDT

    omg thanks

  • 8 Posted by heytomb@sbcglobal.net on Thu Sep 3, 2009 4:18PM EDT

    I think the best way is to write / print your passwords on a sheet of paper, keep it in a binder, file folder etc. And I like the idea of nonsensical answers like ballyhoo. Also create passwords that are if not unbreakable, really hard. Here's a link to a random password generator. https://www.grc.com/passwords.htm Check out the rest of www.grc.com , oodles of information and advice on computer security. Lots of tools for testing your system. If you want to Google it first, it's called Gibson Research Corporation. Excellent site.

  • 9 Posted by godsavedixie@sbcglobal.net on Thu Sep 3, 2009 4:10PM EDT

    ohh whatever... like someone in China is going to go into complete surveillance on someone to even come close to answering these questions that won't get them anywhere anyway. I could drop my computer off at a hacker's front door and it wouldn't get them anywhere... Holy crap, what is Paris Hilton's dog's name??? duh... that's complete public knowledge... My password question is, what is the president of the United States' name? NOT.

  • 10 Posted by sawyerthegreat@sbcglobal.net on Thu Sep 3, 2009 9:06PM EDT

    I was just thinking what number 5 here was thinking. Just put a bogus answer. 'What is the name of the street you grew up on? Big hairy monkey chest lane.'

  • 12 Posted by mfmunson@sbcglobal.net on Thu Sep 3, 2009 7:17PM EDT

    I just use goofy passwords such as the number of my life insurance policy. Who would even think I have life insurance?? Most are just nonsense numbers & letters. Of course I had to make a list since I can't remember them.

  • 13 Posted by cesparza84@att.net on Thu Sep 3, 2009 3:21PM EDT

    oh no i'm soooo worried! my computer is 16 years old! if they hacked my computer, no comics! DX

  • 14 Posted by deadjuggalo1908 on Thu Sep 3, 2009 3:39PM EDT

    I thank whoever posted this article. One thing that I want to know is how is the internet going to improve security so no one can do things like this? If there is a chance that I could get my account hacked then why have all of these profiles like Myspace or Facebook? I would like to know so I don't start deleting these accounts. thnx ppl.

  • 16 Posted by benoden@pacbell.net on Thu Sep 3, 2009 3:05PM EDT

    or just don't forget your passwords. maybe write them down in a secure place. also, "don't be a n00b" is good general advice

  • 17 Posted by jra111951@att.net on Thu Sep 3, 2009 4:42PM EDT

    I must be ahead of my time because I've never used real information in those "security questions." I do as the article has suggested...make stuff up.

  • 19 Posted by packerfaniam@sbcglobal.net on Thu Sep 3, 2009 7:48PM EDT

    Ha ha ha... what if you said your cousin's name is 19282#*2198? I doubt Paris would have any trouble remembering that... not.

  • 22 Posted by sherry8034@sbcglobal.net on Thu Sep 3, 2009 9:19PM EDT

    I doubt anyone would know any of this information about me. I don't give such information in blogs, I don't do online resumes, I don't use pets' names and my mother's maiden name is one no one would guess. I also have nothing anyone would want. The more private you are the less likely this will happen. I can see people getting this information on famous people or people who have personal information on sites like My Space and such. I don't think my life compares with Paris Hilton in reference to this story. (By the way, she can have all her money; I have had a better life being poor than she has being rich.)

  • 24 Posted by steven.francisco@sbcglobal.net on Thu Sep 3, 2009 9:43PM EDT

    I always lie on the security questions. It works fine as long as I remember the lies. For example, if the question is "Where were you born?" I may use the name of my high school, or my mother's home town.
