Heal Your Church WebSite

Teaching, rebuking, correcting & training in righteous web design.

5 things we can learn about password recovery questions from Sarah Palin

Imagine waking up one day to this news flash: “Your pastor’s private e-mail hacked, family photos raided; cesspool blog gloats; feds investigate!”

No lie folks, when I wrote my post yesterday entitled ‘5 simple steps to stronger passwords‘ it was well before the Palin story got out – I just set the ‘Publish’ timer later in the day to catch the lunch crowd.

That said, the hack of Sarah Palin’s email account via Yahoo’s password recovery system serves as a wake-up call that screams that no matter how strong a password you use – if you have weak password recovery questions – you’re open for an attack.

So before I can offer my famous list of 5 ways to strengthen your email recovery security questions, let’s quickly look at ‘The story behind the Palin e-mail hacking‘ via my plain English account on how they hacked Sarah Palin’s Yahoo account over at blogs4God.com.

  • Last week, the Washington Post published an article about Sarah Palin’s use a private Yahoo e-mail account , allegedly for State business.
  • gov.palin@yahoo.com is published for public consumption by ThinkProgress.org and  CommonDreams.org.
  • A hacker identified as rubico10@yahoo.com spends less than an hour obtaining the personal information about Palin to successfully fill in the blanks to the following Yahoo Password Recovery questions:
    1. Birthdate: via the WikiPedia (15 seconds)
    2. Zipcode: All 2 of Wasilla’s zip codes via the U.S.Postal Service online
    3. Where did you meet your spouse:  “Wasilla high” after said hacker spent about 40 some-odd minutes chasing down various Google stories on Palin’s personal life.
  • rubico  – posts the above on a bbs entitled /b/ hosted at 4chan.org.

And there you have it, a public person whose birthdate is going to be published, from a small town with only 2 zip codes, need only wait for someone read one of 1,000 accounts that she married her high-school sweet heart.

But Dean, I’m not a public figure. Should I worry? Glad you asked …

Yes, you should worry quite a bit. Put another way, using nothing more than Google’s blog search and perhaps the Internet Archive Wayback Machine:

  • find a blog post, a sermon, a Twitter tweet, or an RSS feed cache that talks about your birthday and/or place of birth;
  • use a domain search, a Facebook, StumbleUpon or MySpace page that lists your city of residence;
  • use either of the above techniques to find out:
    1. city of birth due to a reference to your childhood, favorite sports hero, church or school reference, a biographical write-up for an award, article or other citation
    2. your mother’s maiden name through a genealogical reference, or perhaps a past discussion of your wedding
    3. the name of your pet via a Flickr or Picassa gallery entry
  • any of the above through clever social networking – such as a phone call to a friend, a ‘coincidental’ meeting, a dive through the dumpster, mailing you a bogus contest entry or setting up a seemingly benign web service that collects the same information for malicious purposes.

As you can see, it’s not that hard for someone determined enough to get your data.

Okay man, I’m freakin’ out, what do I do? Glad you asked …

Here are 5 things you can do to overcome the security flaws associated with information submitted to an Internet service (or even cell phone provider) during registration and/or its associated self-service password reset services:

  1. select something that can’t be easily guessed
  2. select something that can’t be easily researched
  3. select something that won’t change over time
  4. select something that is not complicated and easily remembered
  5. select something you haven’t used elsewhere

Now in some cases, it is not possible to enter your own security question. In those cases, you can possibly enter information about someone else you can remember – like a family member, a fictional character from a favorite book, or a historical figure – just so long as you don’t mention online said family members, books, etc …

In those cases where you can select a security question, I’d recommend taking a trip to resources such as “Examples of Security Questions” where you can either copy – or better yet – derive a question that’s easy for you, and impossible for others.

Otherwise, you may find yourself splashed all over the news the same way Sarah Palin did, the hard way:

Get the picture?


  1. Pingback: In plain English - how they hacked Sarah Palin's Yahoo account | blogs4God

  2. Good analysis, Dean. Looks like wikileaks.org is back up and running, though. I suspect they may have had server issues with all the traffic they got from posting that junk.

  3. The best method I have discovered for handling password reset questions is to add information to the answer that is semi-constant. For example, instead of answering “Anytown High” to “What was the name of your high school?”, I answer “hello Anytown High” (or something similar). Other people are less likely to guess the padding you’ve added to the answer, but you will. I placed a full description on my blog, located here.