Now that the information has started to filter in about the infamous hack on Sarah Palin’s Yahoo email account, we can take a look at what happened, and take a look at what it means for you and me. From a political perspective of course, it means we now know that Ms. Palin doesn’t pay much attention to laws governing transparency of government documents–and an email is considered a government document–but beyond that, it means that we as non-government email users should think twice before using a free public email service for business of any kind.
The hacker, who has since been identified, said in some reports that hacking the email was “easy.” According to reports it was done through a simple password reset, where the hacker simply reset the account by guessing basic questions. The security question element of password security may not be as invulnerable as we think, especially if you’re a public figure. An hour or two on Google will yield a tremendous amount of information on the victim, and would very likely provide information necessary to guess the security questions. Seriously, how hard is it to find out what high school any elected official went to? Or what their middle name is, or spouse’s name, or even dog’s name? Not that hard.
So are you or your employees using Yahoo for business? Bad idea. And it’s not just Yahoo, there’s nothing particularly more vulnerable about Yahoo than any other free email. It’s the same with Gmail and Hotmail. All have automated password reset mechanisms that can easily be hacked by those who want to take the time to do a little research and make guesses as to the answers to security questions. Besides not using free public email, another policy item for consideration is to make self-service password reset mechanisms more difficult. Users can easily do this by making the answer incorrect or counter-intuitive, or including numeric characters within the response; for example, if the security question is, “What is your dog’s name,” and your dog is Rover, specify your answer as “R1v2r.”