E-Mail Hacking Sarah Palin

Written by Mike Rede on September 26, 2008

So it happened again. Another email account broken into. This time it wasn’t the glitterati – read Paris Hilton – that got stung. Nor was it an office staffer, as in what Kenneth Kwak did at the Department of Education a couple of years ago – see http://news.cnet.com/2100-7350_3-6071928.html. Instead, it was a Vice-Presidential candidate’s email account. Governor Sarah Palin ruefully used an external email service to send emails out of her gov.palin@yahoo.com account.

What she exposed was her own personal and family information as well as emails related to the Alaskan governor’s work. When you use a public email service such as yahoo.com you run the risk of public exposure. A hacker can employ password recovery techniques to gain access to private email.

In the case of Sarah Palin, that is exactly what has happened. Or at least that is what happened according to a post on a 4chan.org message board by someone claiming to be the person responsible for breaking into Sarah Palin’s email account.

This person’s account of how he broke into Sarah Palin’s account can be found at http://michellemalkin.com/2008/09/17/the-story-behind-the-palin-e-mail-hacking/

I will warn you that there is profanity in that posting. The hacker used information found on Wikipedia and Google to discover Sarah Palin’s birthday and zip code. The hacker used this information to pass through the first level of security – the username/password level. The second level consisted of a security question about where Sarah Palin met her spouse. The hacker did some research, made an educated guess, and voila, he was in as Sarah Palin.

The hacker then read all the email in the inbox and changed the password. He later posted about his accomplishment on the 4chan.org message board, but before he logged off he posted Sarah Palin’s password. Other people on the board used the new password to log into Sarah Palin’s email account. This onslaught of logins rightly triggered a safety mechanism on Yahoo and “froze” the account.

This latest hacking episode highlights a couple of points about how to correctly prevent unauthorized access to email.

First off is the use of passwords that can’t be guessed. Many email accounts require a password that is a combination of letters and numbers. Some passwords must be several characters in length. Some go further and require passwords to also include at least one or two capital letters.

For the second level of security one or two security questions are also introduced. These can be as simple as Sarah Palin’s “Where did you meet your spouse?” Knowing the history of someone or, as in this case, being able to Google the history of someone’s past makes it easy to make an educated guess about the answer to such second level security questions.
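One way a service or a user could check, before enrolling a security-question answer, whether it can be derived from information that is already public, as described above. This is an added example, not part of the original post; the function names, the 12-character threshold and the sample data are assumptions constructed for illustration.

```python
import re

def normalize(text):
    """Lowercase and drop punctuation so 'Springfield High!' == 'springfield high'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def audit_recovery_answers(answers, public_facts, min_len=12):
    """Return {question: [reasons]} for answers that are weak recovery secrets.

    answers:      question -> answer the user wants to enroll
    public_facts: values anyone can look up about the user (assumed input,
                  e.g. collected from the user's own public profiles)
    min_len:      assumed threshold below which the guess space is too small
    """
    facts = [f for f in (normalize(p) for p in public_facts) if f]
    findings = {}
    for question, answer in answers.items():
        norm = normalize(answer)
        reasons = []
        for fact in facts:
            # Flag a match in either direction: the answer contains a public
            # fact, or the answer is itself a fragment of one.
            if norm and (fact in norm or norm in fact):
                reasons.append(f"derivable from public fact {fact!r}")
        if len(norm) < min_len:
            reasons.append(f"shorter than {min_len} characters")
        if reasons:
            findings[question] = reasons
    return findings

# Constructed sample data for a fictional user.
PUBLIC_FACTS = ["1970-01-15", "12345", "Springfield High School"]
ANSWERS = {
    "Where did you meet your spouse?": "Springfield High",
    "What is your ZIP code?": "12345",
    "Recovery phrase": "copper-lantern-orbit-47",  # random, not a real fact
}

if __name__ == "__main__":
    for question, reasons in audit_recovery_answers(ANSWERS, PUBLIC_FACTS).items():
        print(f"REJECT {question}: {'; '.join(reasons)}")
```

Only exact or partial text matches are caught, so a reworded fact (a date written out in words, for instance) still needs human judgment or a richer matcher.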

The other point to make here is that everyone needs to be diligent in their own choice of passwords: some are so obvious as to be guessable by anyone with internet access, and some are not so obvious.
