Palin E-Mail: It's the Paris Hilton Hack
I'm sure I'm not the first to mention this, but according to the Wired story, Sarah Palin's recent e-mail compromise was a result of the Paris Hilton Hack. How does it work?
a) Pick a famous person's data store: T-Mobile account, Yahoo mail account, whatever.
b) Start a password reset. This often drops the account onto its weakest authentication path, which is where the data store "fails stupid".
c) If the famous person played by the rules and answered truthfully, you are presented with a series of questions whose answers are not secret at all: they are in every biography of the target.
For Paris Hilton, it was her dog's name (Tinkerbell). For Governor Palin, it was where she met her spouse (Wasilla High).
Note to famous people: your reset answers are, in fact, a second password, and for you that password is public. So keep it secret, which you can only do by lying on the password reset questions; made-up answers effectively create alternate passwords that nobody can look up. If you already answered truthfully, you should fill out Yahoo's general security form to get your nonsecret answer changed. Note that this is a huge hassle at most places, unless the change process is itself another fail-stupid mechanism, in which case other people may just do it for you. Shrug; use it and find out.
Personally, I usually use nonsense answers for the secret questions on my various web-based data repositories. I just live with the knowledge that if I forget my main password, I'm pretty much screwed for the follow-up passwords too.
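To make the three steps above concrete, here is an added example (not code from the original post) that simulates both designs: a reset flow where one truthfully answered personal question is enough to set a new password, and a hardened flow where the reset needs a random, single-use, expiring token delivered over a channel the attacker does not control, with a small attempt budget. The account names, question, answers, candidate list and in-memory "mailbox" are all constructed for illustration; only the "Wasilla High" answer comes from the post.

```python
"""Knowledge-based password reset, weak and hardened.

Added example for this post, not code from the original page. Every name, question,
answer and candidate list below is constructed for illustration; the in-memory
"mailbox" stands in for an out-of-band recovery channel (e-mail, SMS, authenticator).
"""
import hashlib
import hmac
import secrets
import time


def _answer_digest(answer: str) -> bytes:
    # Sites normalise case and whitespace so "wasilla  high" matches "Wasilla High";
    # that convenience is also why a guessable answer stays guessable.
    return hashlib.sha256(" ".join(answer.lower().split()).encode()).digest()


def _token_digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class WeakResetAccount:
    """The "fail stupid" design: whoever knows the answer to one personal question
    can set a new password, with no out-of-band step and no attempt limit."""

    def __init__(self, username, password, question, answer):
        self.username = username
        self.password = password
        self.question = question
        self._answer_digest = _answer_digest(answer)

    def reset_password(self, answer: str, new_password: str) -> bool:
        if hmac.compare_digest(_answer_digest(answer), self._answer_digest):
            self.password = new_password
            return True
        return False


def guess_reset(account: WeakResetAccount, candidates, new_password: str):
    """Attacker loop: feed every public fact about the target into the reset form.
    Returns the guess that worked, or None."""
    for guess in candidates:
        if account.reset_password(guess, new_password):
            return guess
    return None


class HardenedResetAccount:
    """Reset needs a random, single-use, expiring token sent to a channel the
    attacker does not control, with a small attempt budget. A personal question
    may still be asked, but it never changes the password on its own."""

    TOKEN_TTL = 600        # seconds
    MAX_ATTEMPTS = 3

    def __init__(self, username, password, recovery_channel):
        self.username = username
        self.password = password
        self.recovery_channel = recovery_channel
        self._pending = None  # [token digest, expiry, attempts left]

    def request_reset(self, mailbox: dict, now: float = None) -> None:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending = [_token_digest(token), now + self.TOKEN_TTL, self.MAX_ATTEMPTS]
        mailbox.setdefault(self.recovery_channel, []).append(token)  # "send" it

    def reset_password(self, token: str, new_password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if self._pending is None:
            return False
        digest, expiry, attempts_left = self._pending
        if now > expiry or attempts_left <= 0:
            self._pending = None           # expired or exhausted: owner must re-request
            return False
        self._pending[2] -= 1
        if hmac.compare_digest(_token_digest(token), digest):
            self._pending = None           # single use
            self.password = new_password
            return True
        return False


def random_answer() -> str:
    """The post's "nonsense answer" strategy: if a site insists on a security
    question, answer with a random string and keep it in a password manager."""
    return secrets.token_urlsafe(24)


def demo() -> dict:
    # Constructed scenario: the owner answered truthfully, and the attacker tries a
    # short list of public facts about the target against the reset form.
    public_facts = ["Anchorage", "Juneau", "Wasilla", "Wasilla High"]
    weak = WeakResetAccount("target", "original-pw", "Where did you meet your spouse?", "wasilla high")
    hit = guess_reset(weak, public_facts, "attacker-pw")

    mailbox = {}
    hard = HardenedResetAccount("target", "original-pw", "owner@example.invalid")
    hard.request_reset(mailbox, now=0.0)
    attacker_hits = [hard.reset_password(g, "attacker-pw", now=1.0) for g in public_facts]

    hard.request_reset(mailbox, now=2.0)   # owner asks again and reads the channel
    owner_ok = hard.reset_password(mailbox["owner@example.invalid"][-1], "owner-new-pw", now=3.0)
    replay_ok = hard.reset_password(mailbox["owner@example.invalid"][-1], "replay-pw", now=4.0)

    return {"weak_reset_by": hit, "weak_password": weak.password,
            "attacker_hits": attacker_hits, "owner_ok": owner_ok,
            "replay_ok": replay_ok, "final_password": hard.password}


if __name__ == "__main__":
    print(demo())
```

Against the weak account the fourth public fact resets the password; against the hardened account all four guesses fail, the attempt budget runs out, and only the owner, reading the token from the recovery channel, can change it. The token is single use, so replaying it fails. Note that the hardened flow is only as strong as the recovery channel: if that channel is itself a webmail account protected by the same kind of question, you are back at step (a).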
Labels: authentication, passwords

3 Comments:
I found it easier to create an alter-ego whose life story I have memorized. His name is Viscount Bartholemew Snugglebottom, son of Count Randall Snugglebottom and Duchess Catherine Polopolop. His youth was spent attending Wellington Preparatory Academy and raising his pet tiger named Phil.
oh.... Crap
BAHAHAHAHAHAHA!