Sarah Palin and Security Questions

Security Briefs


I've always looked at the security questions used to automate password recovery with quite a bit of skepticism. What's the point of requiring strong passwords if you let anyone reset the password on an account by answering a (potentially inane) question whose answer is a short, low-entropy string? And just how many good security questions are there? Many web sites ask the same handful, which means the owner of one site, who already holds a user's answer, can reset that user's password at another site that asks the same question. I'm pretty sure the typical user will select the same security question wherever it's offered, and will give the same answer. In many web sites I've seen, the security question is clearly the weakest link in the chain: the password can be as strong as you like, but the account is only as hard to take over as its recovery path.

Apparently a fellow was recently indicted on charges of hacking into the Republican vice presidential nominee's Yahoo email account. He reportedly did nothing more than some research on the Internet to find her birthday, her ZIP code, and the answer to her security question, "Where did you meet your spouse?" That was all the recovery flow asked for. All told, the attack reportedly took under an hour.

Given the level of interest in Palin and other public figures, and the large amount of information about them available to the public, it makes sense that they will be among the easiest targets for attacks like this: every fact a knowledge-based recovery scheme relies on is something a journalist or a fan may already have published.
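To make the weak link concrete, here is an added example in Python; it is not code from the original post and not Yahoo's recovery flow. It puts a toy reset that hands over the account to anyone who answers the question beside a hardened flow in which a correct answer only releases a short-lived, single-use token to the address on file, and a few wrong answers lock recovery for a while. The account, the answer "Central Park" and the attacker's guess list are all constructed for the example and have nothing to do with the real case.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 rounds: a dumped answer hash is still costly to guess offline


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def normalize(answer: str) -> str:
    # Case and whitespace folding helps the legitimate user remember the answer;
    # it also shrinks the guess space further, which is the trade-off the post complains about.
    return " ".join(answer.casefold().split())


class Account:
    """Constructed account record; answers are stored hashed, never in the clear."""

    def __init__(self, username: str, email: str, password: str, answer: str) -> None:
        self.username = username
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_secret(password, self.salt)
        self.answer_hash = hash_secret(normalize(answer), self.salt)
        self.failed_answers = 0
        self.locked_until = 0.0

    def answer_matches(self, answer: str) -> bool:
        return hmac.compare_digest(hash_secret(normalize(answer), self.salt), self.answer_hash)


# --- The weak design: the question replaces the password outright --------------------
def weak_reset(acct: Account, answer: str, new_password: str) -> bool:
    """Unlimited guesses, no second channel: whoever knows the answer owns the account."""
    if acct.answer_matches(answer):
        acct.password_hash = hash_secret(new_password, acct.salt)
        return True
    return False


# --- A hardened flow: the answer only unlocks an out-of-band, single-use token ----------
MAX_FAILED = 5
LOCKOUT_SECONDS = 15 * 60
TOKEN_TTL = 10 * 60
_pending: Dict[str, Tuple[str, float]] = {}  # username -> (token, expiry); stands in for a DB table
outbox: List[Tuple[str, str]] = []           # (email, token); stands in for mail delivery


def request_reset(acct: Account, answer: str, now: float) -> bool:
    if now < acct.locked_until:
        return False
    if not acct.answer_matches(answer):
        acct.failed_answers += 1
        if acct.failed_answers >= MAX_FAILED:
            acct.locked_until = now + LOCKOUT_SECONDS
        return False
    acct.failed_answers = 0
    token = secrets.token_urlsafe(32)
    _pending[acct.username] = (token, now + TOKEN_TTL)
    outbox.append((acct.email, token))  # only the mailbox owner sees this
    return True


def complete_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    entry = _pending.get(acct.username)
    if entry is None:
        return False
    expected, expiry = entry
    if now > expiry or not hmac.compare_digest(expected, token):
        return False
    del _pending[acct.username]  # single use
    acct.password_hash = hash_secret(new_password, acct.salt)
    return True


# --- The attack from the post: guess the answer from public information ----------------
# Constructed guess list for "Where did you meet your spouse?"; the last entry is the planted answer.
GUESSES = ["high school", "college", "church", "work", "a bar", "central park"]


def demo_weak() -> int:
    """Returns how many guesses the weak reset needed; the strong password never mattered."""
    victim = Account("victim", "victim@example.com", "Tr0ub4dor&3!x", "Central Park")
    for i, guess in enumerate(GUESSES, 1):
        if weak_reset(victim, guess, "attacker-chosen"):
            return i
    return 0


def demo_hardened_attack() -> Tuple[bool, bool]:
    """Returns (token released to attacker?, password changed by attacker?)."""
    victim = Account("victim", "victim@example.com", "Tr0ub4dor&3!x", "Central Park")
    t0 = 1_000_000.0
    released = any(request_reset(victim, g, t0) for g in GUESSES)  # locked before the right guess
    hijacked = complete_reset(victim, secrets.token_urlsafe(32), "attacker-chosen", t0)
    return released, hijacked


def demo_hardened_legit() -> bool:
    """The real user answers, reads the token from their own mailbox, and the token works once."""
    user = Account("owner", "owner@example.com", "correct-horse", "Central Park")
    t0 = 2_000_000.0
    if not request_reset(user, "  central  PARK ", t0):
        return False
    _, token = outbox[-1]
    first = complete_reset(user, token, "new-password", t0 + 60)
    replay = complete_reset(user, token, "another-password", t0 + 120)
    return first and not replay
```

The point of the hardened version is not that the question got harder; it is that a correct answer no longer changes anything by itself. The attacker still needs the victim's mailbox, and five wrong guesses buy a lockout instead of a sixth try.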


Posted Oct 09 2008, 01:09 AM by keith-brown

Comments

CGomez wrote re: Sarah Palin and Security Questions
on 10-20-2008 7:12 AM

There is such a thing as unethical hacking that should be prosecuted, but it bothers me that something as simple as a Google search can get you indicted. There has to be some balance between the strength of the "lock" and the crime to "break and enter".

But there isn't. I guess there isn't in the real world either. If you leave your door unlocked and someone enters, it's still breaking and entering.

And yeah, security questions need to go away. I think we all end up making them "strong passwords" that are even more random. Imagine my surprise when a firm used them to validate me on the phone. I was a little taken aback because, not only had I never owned a dog, I certainly didn't remember the gibberish I used to fill in the "security question".

In a classic case of social engineering, the customer service agent on the phone said, "Umm, your security answer seems messed up, I think there's a problem with the system. Can I have your 'social'?" (...and the unfortunate reality that the SSN is our national ID number in the States)

JD Trussell wrote re: Sarah Palin and Security Questions
on 10-26-2008 7:12 AM

I was confused as an adolescent that the Social Security card said "not for identification"... when did that change? Those who predicted the general use of the SSN as a national ID were ridiculed at the time as being against SS.

As a victim of identity theft, I would like to thank Congress for facilitating the crime.
