Subject: How to Avoid the Sarah Palin "Secret Question" Account Trap


Greetings. I've already discussed the hacking of Sarah Palin's
Yahoo e-mail account and why that hack was both dumb and wrong.

But how was this attack accomplished? Reports suggest that a
youngster exploited one of the weakest aspects of account protection
at many sites, the so-called "secret question" system.

The secret question (and its corresponding "secret answer") is
supposed to let you recover access to an account when you've lost
or forgotten your real password. Questions like: "What is your
favorite color?" or "What high school did you attend?" (that's the
one that was used in Palin's case, we're told), or "What was your
first dog's name?" and so on. In practice the secret answer is a
second password, one that the site will accept in place of the
first.

Supposedly the concept behind this approach is to come up with
something that you know well and won't forget. The problem of
course is that the answers to these questions are drawn from a
tiny pool of possibilities (a handful of colors, one school, one
dog's name) and in many cases are trivial to guess or research
from public records, social-networking profiles, and news
coverage, as seems to have been the case with Palin's account
hacker. An account is only as strong as its weakest login path,
and the secret question is usually that path.

Is there a way to avoid just using random alphanumeric strings as
answers to secret questions (that's my approach of choice, by the
way) and still reduce the probability of your answers being easily

Sure. Lots of ways. Here are just a few.

You can simply answer the questions incorrectly -- that's an obvious
approach, as long as you can remember your "wrong" answer reliably.
Or you can misspell answers, with the same caveat. One particularly
useful technique is simply to append unrelated text to the correct
answers (ideally a different add-on at every site, since a site
that stores or displays answers in the clear would otherwise reveal
the add-on you use everywhere; but even using the same add-on
string everywhere would be better than nothing within the context
of secret questions). So for example, your first dog might be
"Manfred23Skidoo" -- your favorite color could be "blueRasputin" --
and so on.

The idea is simply to choose answers that are memorable, combined
with some additional easy-to-remember text that renders the main
part of the answer useless for hacking by itself, even by someone
who has researched your pets, color preferences, educational
background, and so on. The add-on must not itself be something
that same research would turn up (a birth year or a street name
adds little); pick text with no connection to you at all.
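As an added illustration (example code written for this edit, not code from the original post), the following Python script builds the kind of guess list an attacker could assemble from researched facts, shows that a bare answer falls to that list while an answer with an unrelated add-on does not, and, going one step beyond the post's advice to vary the add-on per site, derives a different add-on for every site from a single memorised secret with HMAC-SHA256. The researched facts, site names and master secret are constructed for the example; the normalisation step assumes the site lowercases the answer and strips spaces and punctuation before comparing, which is common but not universal.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample of facts an attacker could research about a target,
# the kinds of things the post lists (school, pets, favourite colour).
# Made-up values, not anyone's real details.
RESEARCHED_FACTS = {
    "high school": ["Springfield High School", "Springfield High"],
    "first dog": ["Manfred", "Rex"],
    "favorite color": ["blue", "green"],
}

# Cheap tweaks a guesser tries on top of each researched fact.
COMMON_SUFFIXES = ["", "1", "123", "!", "2008"]


def normalize(answer: str) -> str:
    """Canonicalise an answer the way many sites do before comparing
    (assumption: lowercase, drop spaces and punctuation). This is why
    capitalisation or a trailing '!' on its own buys almost nothing."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def attacker_candidates(facts: dict) -> list:
    """Build the guess list a researcher would try: every fact with every
    common suffix, normalised and deduplicated, in order of attempt."""
    seen, out = set(), []
    for values in facts.values():
        for value in values:
            for suffix in COMMON_SUFFIXES:
                cand = normalize(value + suffix)
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def guesses_needed(stored_answer: str, candidates: list):
    """Number of guesses the candidate list needs to hit the stored answer,
    or None if the answer is not in the list at all."""
    target = normalize(stored_answer)
    for attempt, cand in enumerate(candidates, start=1):
        if cand == target:
            return attempt
    return None


def salted_answer(true_answer: str, addon: str) -> str:
    """The post's technique: keep the memorable true answer and append an
    unrelated add-on string, e.g. 'Manfred' + '23Skidoo'."""
    return true_answer + addon


def per_site_addon(master_secret: str, site: str, length: int = 8) -> str:
    """Hypothetical extension of the 'different at every site' advice:
    derive each site's add-on from one memorised secret, so a leak at one
    site does not expose the add-on used elsewhere. HMAC-SHA256 keyed by
    the secret over the (lowercased) site name, base32, first `length`
    characters."""
    mac = hmac.new(master_secret.encode(), site.lower().encode(),
                   hashlib.sha256).digest()
    return base64.b32encode(mac).decode()[:length]


if __name__ == "__main__":
    cands = attacker_candidates(RESEARCHED_FACTS)
    print("plain answer 'Manfred' hit after",
          guesses_needed("Manfred", cands), "guesses")
    print("salted answer 'Manfred23Skidoo' hit:",
          guesses_needed(salted_answer("Manfred", "23Skidoo"), cands))
    for site in ("yahoo", "examplebank"):
        addon = per_site_addon("rasputin-ate-my-homework", site)
        print(site, "->", salted_answer("Manfred", addon))
```

The per-site derivation means you memorise one secret phrase and one rule ("dog's name plus the first eight characters of the code for this site"); recomputing the code is a one-liner, and the recovery answers at two sites share no visible text.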

Such simple techniques can go a long way toward protecting your
Internet accounts without requiring any changes to the systems
themselves. Obviously these methods are not foolproof: they do
nothing against a site that leaks the answers it stores, and they
depend on your remembering the add-on. But small changes in the way
we treat account information can significantly improve security at
very little effort on our part.

Lauren Weinstein
Tel: +1 (818) 225-2800
Co-Founder, PFIR
- People For Internet Responsibility -
Co-Founder, NNSquad
- Network Neutrality Squad -
Founder, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy
Lauren's Blog:
