Thursday, November 13, 2008

Twitterank and Password Sharing

ZDNet is running a story about how "promiscuous" (excellent adjective!) Twitter users can be; original story here, and Twitterank creator Ryo Chijiiwa's followup here.

This would have been a slightly better story if Ryo were a security researcher trying to make a point about password sharing, but no, that was just a side effect of his viral web service (according to him, over two thousand opt-ins in under five hours).

The fact is, Ryo is not the first to ask for your password. Facebook and LinkedIn have been doing it for a while, mainly to rifle through your webmail contacts list, and I'm sure they're not the only ones.

I've never really understood why anyone would say yes to this, or even why it's acceptable to ask. Kids these days with their loose passwords and their Internet promiscuity.


Thursday, September 18, 2008

Palin E-Mail: It's the Paris Hilton Hack

I'm sure I'm not the first to mention this, but according to the Wired story, Sarah Palin's recent e-mail compromise was a result of the Paris Hilton Hack. How does it work?

a) Pick a famous person's data store. T-Mobile account, Yahoo mail account, whatever.
b) Perform a password reset. This will often trigger the data store's authentication mechanism to "fail stupid".
c) If the famous person played by the rules, you will be presented with a series of questions with nonsecret answers.

For Paris Hilton, it was her dog's name (Tinkerbell). For Governor Palin, it was where she met her spouse (Wasilla High).

Note to famous people: Your username is, in fact, your password as well. So keep that secret. Unless you lie on the password reset questions -- which effectively creates alternate passwords for you. You should fill out Yahoo's general security form to get your nonsecret answer changed. Note: this is a huge hassle at most places, unless it's another fail-stupid mechanism, in which case other people may just do it for you. Shrug, use it and find out.

Personally, I usually use nonsense answers for the secret questions on my various web-based data repositories. I just live with the knowledge that if I forget my main password, I'm pretty much screwed for the follow-up passwords.
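The reset flow in steps a) through c) and the nonsense-answer habit above both come down to one thing: a security question's answer is a second password, and a service should store and check it like one. The following is an added example (not code from the original post or from any of the services it mentions) that models a reset challenge with a salted, stretched answer hash, constant-time comparison and an attempt lockout, plus a user-side generator for random "alternate password" answers; the lockout threshold, PBKDF2 round count and class names are my assumptions.

```python
"""Security-question answers treated as what they are: passwords.
Added illustration; the limits and names below are assumptions, not any vendor's."""
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 5          # assumed lockout threshold before the challenge refuses all input
PBKDF2_ROUNDS = 100_000   # assumed stretching factor


def normalise(answer: str) -> str:
    """Fold case and whitespace so 'Tinkerbell' and ' tinkerbell ' match the same record."""
    return " ".join(answer.strip().lower().split())


def enrol_answer(answer: str):
    """Store the answer as a salted, stretched hash rather than in the clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ResetChallenge:
    """One knowledge-based reset question with its own failure counter."""

    def __init__(self, question: str, answer: str):
        self.question = question
        self.salt, self.digest = enrol_answer(answer)
        self.failures = 0

    def verify(self, candidate: str) -> bool:
        # A locked challenge rejects everything, even the right answer: without this,
        # a nonsecret answer (a dog's name, a home town) is just a short guess list away.
        if self.failures >= MAX_ATTEMPTS:
            return False
        probe = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(), self.salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(probe, self.digest)   # constant-time comparison
        self.failures = 0 if ok else self.failures + 1
        return ok


def nonsense_answer(n_bytes: int = 12) -> str:
    """User side: a random answer that is effectively another password for the reset flow.
    Keep it in a password manager; it is not meant to be remembered."""
    return secrets.token_urlsafe(n_bytes)


if __name__ == "__main__":
    challenge = ResetChallenge("What is your dog's name?", nonsense_answer())
    print("guessing 'Tinkerbell' works:", challenge.verify("Tinkerbell"))
```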
