The problem is not passwords, although if you want to set yourself up as a 'leet haX0r, remember that corporate end users have lousy passwords. Somewhere, someone has a password that's the same as their user name.
But Sarah Palin didn't have a bad password. OK, maybe she did, but that wasn't how her account got hacked. So what did she have?
A password reset capability on the mail server. You have one, too. You have it, because the nice folks who run your email system don't want to have to pay someone to sit at a telephone answering "I forgot my password" calls. Instead, they have a web page that asks you questions that they think you will know, but other folks won't:
- What was your mother's maiden name?
- What street was your first house on?
- What's your zip code?
- What's your birthday?
So stupid punk loser boy let his fingers do the walking through Al Gore's Intarwebz until he got enough information that Yahoo unlocked Palin's email account for him.
It will unlock your account for him, too.
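Here is an added example (my own illustration, not code from the original post or from any mail provider) that puts the two reset designs side by side: the "secret question" flow the post describes, where the answers are the kind of thing a stranger can look up, and an out-of-band flow that mails a random, short-lived, single-use token to a recovery address. The user record, the question answers and the service names are all constructed for the illustration.

```python
"""Added example (not from the original post): a minimal password-reset
service contrasting knowledge-based 'secret questions' with a one-time,
out-of-band reset token.

Everything here (the sample user record, the answers, the class and
function names) is constructed for this illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record. In the post's scenario every one of these
# 'secrets' was discoverable from public sources.
USER = {
    "username": "jdoe",
    "questions": {
        "mother_maiden_name": "smith",
        "first_street": "main",
        "zip": "99501",
        "birthday": "1964-02-11",
    },
    "recovery_contact": "recovery-address@example.invalid",
}

TOKEN_TTL_SECONDS = 15 * 60   # token is worthless after 15 minutes
MAX_TOKEN_ATTEMPTS = 5        # burn the token after this many guesses


def _normalise(s: str) -> str:
    """Case- and whitespace-insensitive form of an answer."""
    return " ".join(s.strip().lower().split())


def kba_reset(user: dict, answers: dict) -> bool:
    """The weak flow: whoever can answer the questions resets the password.

    The comparison itself is done properly (normalised, constant-time),
    which is the point: the weakness is not in the check but in treating
    public facts (maiden name, street, zip code, birthday) as a secret.
    """
    ok = True
    for key, expected in user["questions"].items():
        supplied = _normalise(answers.get(key, ""))
        ok &= hmac.compare_digest(_normalise(expected), supplied)
    return ok


@dataclass
class ResetToken:
    token: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class TokenResetService:
    """Out-of-band flow: a random single-use token sent to a recovery contact."""
    issued: dict = field(default_factory=dict)

    def request(self, user: dict, now: Optional[float] = None) -> str:
        """Issue a fresh token; replaces any earlier token for the user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.issued[user["username"]] = ResetToken(token, now + TOKEN_TTL_SECONDS)
        # A real service would now send `token` to user["recovery_contact"]
        # and never echo it back in the web response.
        return token

    def verify(self, username: str, supplied: str,
               now: Optional[float] = None) -> bool:
        """Accept the token once, within its lifetime, with a guess limit."""
        now = time.time() if now is None else now
        rec = self.issued.get(username)
        if rec is None or rec.used or now > rec.expires_at:
            return False
        rec.attempts += 1
        if rec.attempts > MAX_TOKEN_ATTEMPTS:
            rec.used = True  # too many guesses: burn it, user must re-request
            return False
        if not hmac.compare_digest(rec.token, supplied):
            return False
        rec.used = True  # single use
        return True
```

The design point: `kba_reset` passes for anyone holding four facts that are often a matter of public record, while `TokenResetService` ties the reset to possession of a separate channel (the recovery mailbox), and the token is random, expires, is single-use and is rate-limited, so guessing it is not a practical route in.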
UPDATE 19 September 2008 20:24: Good additional info at Zero Day.
And when he does the helpful folks at the FBI and the Secret Service are not going to hunt him down for me like they did for Gov. Palin.