"Forgot your password" links the easy way in for hackers

Wed Sep 3, 2008 11:31AM EDT


Never mind creating a password with at least eight characters, two of which are numbers, one of which is a capital letter, and one of which is a symbol like (*&^%$). The easiest way for a hacker to weasel into your account is likely the "Forgot your password?" link.

"Forgot your password?" features are older than the Internet, providing businesses and site owners a simple way to let a user reset a forgotten password, provided he can verify his identity by answering a few personal questions that only the rightful user should be able to answer.

For years the archetypal question was, of course, the "Mother's maiden name" challenge. In recent years additional challenges have emerged, such as the street you grew up on, the name of your favorite pet, and your grandparents' first names.

Is all of this stuff really secure? More than one researcher is sounding the alarm over these tools, noting that while this data may have been private a decade ago, in an era of personal blogs, online resumes, and rampant social networking services, "personal" information drawn from your past is now widely available for public consumption. According to a researcher at PARC, you can even buy black market directories of personal information "like dog's names," for about $15 per batch. It's certainly a lot easier than guessing passwords like AHFplug41*.

Think this doesn't happen? There aren't any statistics available, but these hacks are widely suspected in myriad cases where accounts have been compromised. (Even Paris Hilton is said to have fallen prey to the "what is your dog's name?" password reset hack. It doesn't help to have one of the most infamous dogs in America...) But if you need more proof, check out this "how I did it" step-by-step guide to hacking a password from one writer at Scientific American. In about an hour, it seems, the writer managed to compromise one (willing) victim's life entirely through password reset links.

MSNBC has an exhaustive amount of additional information on the issue, but the takeaway is clear: If you provide information for password reset systems, don't use data (like other people's names and addresses) that can be easily discovered or guessed. Better yet, consider creating a second tier of passwords you use for questions like these, and keep them written down and locked in a safe if you must. In other words: Your mother's maiden name may really be Jones, but that doesn't mean you can't pretend it was Mxlpxlxl!7631.
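The two points above, that a bought list of common pet names is enough to walk through a reset challenge and that a random "second-tier password" defeats that list, can be shown with a small simulation. What follows is an added example, not code from the article or from Yahoo!, PARC, or any site mentioned here: the pet-name list, the three sample accounts, the lockout threshold and the PBKDF2 round count are constructed for illustration, and the reset endpoint is a toy model of the check, not any real site's flow.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a bought "directory" of common pet names. A real
# attacker list would be far longer; a dozen entries is enough to show the point.
COMMON_PET_NAMES = ["max", "bella", "buddy", "lucy", "charlie", "daisy",
                    "rocky", "molly", "jake", "sadie", "bailey", "coco"]

MAX_ATTEMPTS = 5        # assumed lockout threshold for the hardened endpoint
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly; raise in production


def normalize(answer: str) -> str:
    """Sites usually accept 'Buddy', 'buddy' and ' buddy ' as the same answer,
    which also shrinks the space an attacker has to search."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store reset answers the way passwords are stored: salted and slow-hashed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(stored: tuple, guess: str) -> bool:
    salt, digest = stored
    _, candidate = hash_answer(guess, salt)
    return hmac.compare_digest(digest, candidate)  # constant-time compare


def random_answer(nbytes: int = 12) -> str:
    """A 'second-tier password' for a security question: random, unrelated to
    the user's life, recorded in a password manager or a locked safe."""
    return secrets.token_urlsafe(nbytes)


class ResetEndpoint:
    """Toy model of a 'Forgot your password?' check, with or without lockout."""

    def __init__(self, stored, lockout: bool = True):
        self.stored = stored
        self.lockout = lockout
        self.attempts = 0
        self.locked = False

    def try_reset(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if verify_answer(self.stored, guess):
            return True
        if self.lockout and self.attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False


def dictionary_attack(endpoint: ResetEndpoint, wordlist) -> tuple:
    """Guess answers from the list in order; returns (succeeded, attempts_used)."""
    for word in wordlist:
        if endpoint.try_reset(word):
            return True, endpoint.attempts
        if endpoint.locked:
            break
    return False, endpoint.attempts


def demo() -> dict:
    """Three constructed accounts: a real pet name, a random answer, and a
    real pet name sitting behind an attempt lockout."""
    results = {}
    real = hash_answer("Buddy")          # answer truthfully taken from the user's life
    results["real_name_no_lockout"] = dictionary_attack(
        ResetEndpoint(real, lockout=False), COMMON_PET_NAMES)
    random_tier = hash_answer(random_answer())
    results["random_answer_no_lockout"] = dictionary_attack(
        ResetEndpoint(random_tier, lockout=False), COMMON_PET_NAMES)
    late_in_list = hash_answer("Sadie")  # 10th in the list, past the lockout threshold
    results["real_name_with_lockout"] = dictionary_attack(
        ResetEndpoint(late_in_list, lockout=True), COMMON_PET_NAMES)
    return results


if __name__ == "__main__":
    for scenario, (won, tries) in demo().items():
        print(f"{scenario:28s} attacker {'WON' if won else 'lost'} after {tries} guesses")
```

Running it shows the truthful answer falling on the third guess, the random answer surviving the whole list, and the lockout cutting the attacker off after five tries. The lockout is a server-side fix that only helps when the site actually implements it; the random answer is the fix the user controls, because it removes the dictionary from the attack entirely.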

Comments on "Forgot your password" links the easy way in for hackers


  • 66 Posted by cscthigpen on Thu Sep 3, 2009 3:31PM EDT

    (Even Paris Hilton is said to have fallen prey...) So what!!! Why use her for an example? I don't think blonds are stupid, but, Paris Hilton is the perfect example of a "dumb blond" joke. Anyway, this article was helpful and informative.

  • 67 Posted by dannyhalf on Thu Sep 3, 2009 3:35PM EDT

    Who says even Paris Hilton fell for this, like she's smart. Good one.

  • 68 Posted by kuntzyarn on Thu Sep 3, 2009 4:54PM EDT

    "EVEN Paris Hilton............." Huh? She is as thick as two planks! HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA! Haven't you noticed? She won't be able to tell which one was her dog if she was shown 3 of the same dogs, even if one was her own, she's THAT thick. There's air up there, and that's about it.

  • 69 Posted by slomk2 on Thu Sep 3, 2009 9:28PM EDT

    While the article is informative, stating that "Even Paris Hilton has fallen prey to this scam" insinuates that she possesses some high degree of intelligence. Paris Hilton is a disgusting slob and doesn't even know how to operate a washing machine.

  • 71 Posted by romosocal on Fri Sep 5, 2008 11:46AM EDT

    I don't know why this is news, people have been breaking into saved passwords for years. Trust is cheap on the internet. You should always spell password hints backwards, randomly capitalizing one or two letters. Also, a good password is a passage from a favorite book, movie, or song, like so: 2dtshghoU... (A line from Tom Sawyer by Rush). It's not a good idea to assume you can trust anybody on the internet, myself included. Nobody owes you the technology to replace practical sense... forget your brains?

  • 72 Posted by babummer on Thu Sep 3, 2009 3:01PM EDT

    HELP???- I don't really understand this article since so many passwords and the "Forgot my Password" link will ultimately just send your new password to the email address you provided??? Yes, there are some places where a site gives you access immediately upon guessing a "secret question", but don't most (90% or more) send the password to your email address? Babummer@yahoo.com

  • 74 Posted by michaelfromseattle2005a on Thu Sep 3, 2009 7:18PM EDT

    This has to be one of the dumbest articles I've read in a long time. It's not sufficient that the hacker know your personal information because the password will be sent only to the registered e-mail address, an address that can't be changed without entering the correct password. Anybody can write an article.

  • 75 Posted by cmgollatz on Thu Sep 3, 2009 3:27PM EDT

    WAIT! WAIT! WAIT! "Even Paris Hilton is said to have fallen prey" Well la-di-da folks. Why, even Paris Hilton! Doesn't that just make you all feel a whole lot smarter now?

  • 76 Posted by montana.wilshire on Thu Sep 3, 2009 7:25PM EDT

    Hackers retrieve my password to more than half a dozen email accounts no matter how many times I change my password. They delete any potential job leads, social invites, etc. I am now on welfare. It is a total nightmare and one nobody can assist with; I work off public computers. Emails are so very easy to hack, I saw a formula on Yahoo in fact.

  • 77 Posted by apocalypse_7th on Thu Sep 3, 2009 2:57PM EDT

    yeah...paris hilton...as in what the hack are you talking about? duh!

  • 78 Posted by robzin12 on Thu Sep 3, 2009 8:47PM EDT

    Wow, even Paris Hilton has fallen for it?!?! The rest of us have no hope, then. I mean, if they outsmarted her, us dummies are screwed.

  • 79 Posted by cerynkows on Thu Sep 3, 2009 3:21PM EDT

    O.o a better reason to change my password once a month.

  • 80 Posted by iratecuss on Thu Sep 3, 2009 4:24PM EDT

    What do you mean "Even Paris Hilton fell for the scam"???? ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha!!!! That's the same as saying Chihuahua's are big dogs!!

  • 81 Posted by thenewbrad on Thu Sep 3, 2009 10:04PM EDT

    hahaha, what an article. The simple solution is never to answer those questions correctly. If someone asks what your pet's name is, don't write your pet's name. Write another thing you remember, something you remember very well. If you have a weak memory, you can write on a note something secretive that can remind you. Don't share the note, and don't write on it "password" or anything that indicates to others what it is, just you. Treat those questions as if they are a second password, third password, etc.

  • 82 Posted by scallawag3 on Thu Sep 3, 2009 9:06PM EDT

    Stupid article. So you reset the password.. AND? It's being resent to the email address you originally registered the account with. What good does that do? Very very very few (none on the corporate world) companies have an online new password generation-type engine in their web software. Again, stupid, article. "Hackers" won't waste their time with password resets. They're looking for mass access so they can use spare webspace and assets for spam emails and websites for pennies-per-click type advertising. That's where the money is. It's the amateurs that try to hack stupid stuff like this for next to zero gain.

  • 83 Posted by a13burns on Thu Sep 3, 2009 2:42PM EDT

    Boy did I get hacked!!!!!!!!!! I lost my online name I used since the internet started. A Nigerian sent a letter to all my contacts asking for $2600.00 for a hysterectomy for his aunt!!!!!!!! I am still very upset because I have friends in Europe that do not speak English very well and the man who stole my name did not realize that I am a woman. I still have not contacted everyone I know or company I worked with!!!!!!!!!! I cry every day over this.

  • 85 Posted by madcatwildcat on Thu Sep 3, 2009 7:02PM EDT

    This is where math is fun. pass like what you had to do in college is fun. alg/tri or cal. You got #, abc, (*&^%) this would be a mess. Just put your math homework as your pass.
