How to protect your online passwords, a lesson from Sarah Palin

In recent news, the Internet has been talking about how a college guy hacked the personal Yahoo email account of Sarah Palin, the 2008 USA vice president candidate. Actually, there was no technical scripting or coding involved in this hack. What the “hacker” did was use Yahoo’s password recovery function by answering 3 security questions. Sarah Palin had set up the following three security questions (actually pre-set by Yahoo!) to help her retrieve a forgotten password: 1) what is her birth date; 2) what is her house zip code; 3) where did she meet her husband. In the event of forgetting her email password, all she needs to do is answer these three questions and reset the password. So does anyone else who can answer them.

It was not very hard for the hacker to answer the first two questions. All he needed to do was Google her information by looking at Wikipedia or other websites. The last one took a little longer, but it was finally resolved by trying combinations of Palin’s high school name, because everybody knows they are high school sweethearts.

OK, enough about Sarah. What about protecting ourselves, even though we know our personal email accounts are unlikely to be hit soon, given our low profile as regular citizens? But wait, nowadays there are too many ID theft worries bothering us. Let us be as cautious as possible.

First tip: Do not use real answers to these password hint security questions. Well, I know the security questions are supposed to help you recover forgotten passwords. But the system just needs matching answers; it does not ask for honest ones. The system cannot tell and does not care whether your answer to “what is your born city?” is your real birth city or a fake one. So the most important part is that you have easily memorized answers; beyond that, just be creative.

So for me, every time some non-financial web site asks me the question “what is your mother’s maiden name?”, I won’t dare to give them my mother’s real maiden name. Instead, I use my wife’s mother’s maiden name (just as an example, do not try it in your case). As long as I can remember it myself, it will be fine. But it will be harder for someone else (even someone who knows me well) to guess.

You can use the same rule for all other security questions. If you are afraid that you will forget these answers in the future (which would defeat the purpose of setting up these questions), I suggest you start with the exchange-answer rule: you still use the real answers, but you use them to answer different questions.

For instance, if your birth city is ‘New York’ and you met your wife in ‘Chicago’, how about answering ‘New York’ to the ‘where did you meet your spouse?’ question, and so on. Since most of these security questions are similar across different web sites, you can apply the same rule on all of them. As long as you are consistent, you should be fine.

Second, do not use one email for all purposes. It is now very easy to get a free email account, so why always use a single one for everything? The best way is to use a specific account for banking purposes, and never give it out to your friends or the public. In this way, you will not expose it easily. It will protect you from email phishing as well, because you will know that any banking statement emails arriving in your regular email accounts are fake, and you will never click links in those emails.

Wow, I did not realize these two tips already fill a one-page post. But Internet (email) security cannot be ensured by these tips alone (I wish). I think I will share more on this topic in the next posts. For now, just surf safe on the web.
