Sarah Palin goes the way of Paris Hilton

By Markus Jakobsson

On Wednesday it was reported that VP candidate Sarah Palin's Yahoo account had been hacked by a perpetrator hoping to find incriminating information in her emails. No exotic computer security vulnerability was involved, and her password was not guessed. The account was broken into in just the same way as Paris Hilton's T-Mobile account some time ago: by guessing the answers to the security questions used for password reset. For Paris Hilton, that was the name of her dog. For Sarah Palin, it was her zip code, her date of birth, and where she met her husband.

How hard is it to learn somebody's zip code? Not that hard: try the whitepages. Date of birth? Easy for a public figure: try Google. Each takes less than a minute. Where she met her husband? It is well known that Sarah Palin and her husband were high school sweethearts, and the answer turned out to be "Wasilla High School". All in all, it took the hacker less than 45 minutes to get into the account.

Whose fault was this?
Was it the fault of this unknown political hacktivist? In large part, yes. After all, it is a crime to try to break into somebody else's account.

Was it Sarah Palin's fault? Maybe she shares some of the blame: it wasn't too bright to pick these questions, and one might hope for a little more caution from somebody who might one day be president. But average people shouldn't have to be security specialists to avoid being hacked.

Was it Yahoo's fault? Certainly they share the blame too. Their security questions were poorly chosen. But that doesn't make Yahoo unique: a recent Scientific American article describes how a Gmail account was hacked in a similar way.

How can email hacks be prevented?
Should we lie when asked security questions? Not a good idea. You need to remember the answer to the question; after all, you have supposedly already forgotten your password!

Should we write our own security questions? No. Most people don't know what would be secure, as demonstrated not only by Palin and Hilton but by scores of others too.

What is called for is better design of the questions by security professionals, a subject I've covered in a recent Google Tech Talk on Password Reset and in this blog post: What is worse than reusing passwords?
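To make the point concrete, here is an added example of my own (it is not Yahoo's reset code, and not the steps the intruder actually took). It models a hypothetical password-reset gate that does everything a server can reasonably do on its side: it stores answers as salted slow hashes, normalizes case and whitespace, compares in constant time, and locks the account after five failures. It then runs the attack described above against it with candidate answers of the kind that public records provide. The victim profile, question wording and candidate lists are all constructed for the illustration.

```python
import hashlib
import hmac
import itertools
import os

# Constructed victim profile for the demo (hypothetical, not anyone's real answers).
VICTIM_ANSWERS = {
    "zip code": "12345",
    "date of birth": "1964-02-11",
    "where did you meet your spouse": "Westside High",
}


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive matching, as reset flows typically do."""
    return " ".join(answer.lower().split())


class ResetGate:
    """Hypothetical reset step: every answer must match, with lockout after N failures."""

    def __init__(self, answers: dict, max_attempts: int = 5) -> None:
        self._salt = os.urandom(16)
        self._hashes = {q: self._hash(a) for q, a in answers.items()}
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def _hash(self, answer: str) -> bytes:
        # Slow, salted hash so a leaked answer table is not trivially reversible.
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), self._salt, 50_000)

    def attempt(self, guesses: dict) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        ok = set(guesses) == set(self._hashes) and all(
            hmac.compare_digest(self._hashes[q], self._hash(g)) for q, g in guesses.items()
        )
        if not ok and self.attempts >= self.max_attempts:
            self.locked = True
        return ok


def brute_force(gate: ResetGate, candidates: dict):
    """Try each combination of candidate answers in order until success or lockout.

    Returns (succeeded, number_of_attempts_made).
    """
    questions = list(candidates)
    tries = 0
    for combo in itertools.product(*(candidates[q] for q in questions)):
        if gate.locked:
            break
        tries += 1
        if gate.attempt(dict(zip(questions, combo))):
            return True, tries
    return False, tries


def public_facts_scenario():
    """Zip and DOB come from public records; the third question narrows to a few local schools."""
    gate = ResetGate(VICTIM_ANSWERS)
    candidates = {
        "zip code": ["12345"],
        "date of birth": ["1964-02-11"],
        "where did you meet your spouse": ["Central High", "Westside High", "Northview High"],
    }
    return brute_force(gate, candidates)


def private_answer_scenario():
    """Same gate, but the third question has an answer the attacker cannot narrow from public sources."""
    answers = {"zip code": "12345", "date of birth": "1964-02-11", "designed question": "candidate-7731"}
    gate = ResetGate(answers)
    candidates = {
        "zip code": ["12345"],
        "date of birth": ["1964-02-11"],
        # Constructed: 10,000 plausible answers, the right one buried deep in the list.
        "designed question": [f"candidate-{i}" for i in range(10_000)],
    }
    return brute_force(gate, candidates)


if __name__ == "__main__":
    print("public facts:", public_facts_scenario())      # (True, 2)
    print("designed question:", private_answer_scenario())  # (False, 5)
```

Even with hashing, constant-time comparison and lockout, the public-facts scenario falls on the second guess: the attacker's candidate space, not the server's defences, decides the outcome. Only the scenario with a question the attacker cannot narrow from public records ever reaches the lockout, which is why the fix lies in how the questions are designed rather than in how carefully the answers are stored.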
