Somone used the "forgot password" feature on Yahoo! Mail to change the account password to "popcorn." He or she did this by correctly answering some security questions about Palin, including her personally selected privacy question/answer about where she met her husband, according to the AP report.
My Commentary:
This story is interesting because of the privacy violation, Palin's efforts to get around her own state's Open Records Act, the revelation of how the crime was committed (if the claim is genuine), and because the owner of the anonymity service the "hacker" was using says he's willing to cooperate with law enforcement officials, because the "hacker" violated the service's terms of use. This cooperation may have a very helpful chilling effect on the illicit use of these services around the Internet.
The techniques Yahoo! uses to verify identity before changing a Yahoo! Mail password are pretty common on the Web. Some e-mail providers will merely send a new, randomly generated, password to a secondary e-mail address that the user provided upon registering for the account. Of course, this only works if the person kept, and can access, that older e-mail account. Yahoo! apparently decided to opt for more ease-of-use and greater chance of the user being able to regain access to their Yahoo account. Unfortunately, that trade-off also lowers security.
One other way to increase security is by imposing ever-increasing time delays between subsequent attempts to retrieve a password or change it. If the culprit in this case tried numerous times, the delay would eventually become too long for him or her to endure. Another twist on this approach is to only allow three attempts per day, or something along those lines.
Users must accept some, if not most, of the responsibility for these breaches, if they choose question/answer combinations that are easy to guess or easy to discover.
No comments:
Post a Comment