May 13, 2009

Yahoo Refining Their Password Recovery Process To Optimize Security…

Due to incidents such as the hacking of Sara Palin’s email last year and others like it, Yahoo is refining their password recovery process.  The incident last year is a perfect example of how security is compromised in the simplest of ways usually.  One doesn’t need to have access to encryption/decryption tools or proxies to intercept https packets.  To hack into Yahoo mail, at least until recently, one only needs Wikipedia and Google.  Check out the explanation from the culprit himself as to how he hacked into Sara Palin’s email using the password recovery wizard of Yahoo.  One detail left out from this explanation was the fact that he did this using a public proxy, in this case, in order to hide his IP address.
After the password recovery was re-enabled, it took seriously 45 mins on Wikipedia and Google to find the info, Birthday? 15 seconds on Wikipedia, zip code? well she had always been from Wasilla, and it only has 2 zip codes (thanks online postal service!)   The second was somewhat harder, the question was “where did you meet your spouse?” I did some research, and apparently she had eloped with Mr. Palin after college.  I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…”

In response to this attack and others like it, yahoo is changing their password recovery process.  From now on, users will be asked to provide an alternative email address or cell phone number to which the password will be sent to rather than asking a series of questions that a culprit can research.

Perhaps another lesson from this is to never tell the truth on password recovery questions.


No comments: