Teradome.


➤ Who knows your security questions?

The latest email hack to hit the news was the report that Salma Hayek’s email account was compromised without any password trickery. And once again, like with Gov. Sarah Palin and her Yahoo! email account, it all had to do with these providers’ password recovery systems.

How does this happen? It happens because of a few factors:

  • It is considered poor security to allow anyone but the account holder to know the user’s password. When the system is built properly, support agents have no more access to the password than the user does: they can trigger the same reset flow, and nothing else. There should never be a system where an agent can say “Ok, it looks like your password is _____,” because that means there exists a system that can pull up anyone’s password. That is insecure from an outside-attacker point of view and from a disgruntled-employee point of view.
  • When this email service is the user’s only email account, there is no backup address to send a reset link to. Everything must happen in the browser, at that moment: if I ask to reset my password, the reset process runs right then and there, gated only by whatever the site can verify on the spot.

But most importantly:

The user’s security questions, meant to be only answerable by the account holder, are weak.

In the case of Sarah Palin, the Yahoo! questions were preset options such as “what is your mother’s maiden name,” which, for an elected official, are all a matter of public record. She was in fact prohibited from using any public email system in the first place, largely because her communications as governor are part of the state record and must be accountable and sufficiently secured.

Which is why the Salma Hayek situation is particularly amusing: MobileMe does the “right” thing by letting the user write their own question. Hayek had entered “favorite character” as her question, and it didn’t take the attacker long to find that the answer was “frida.” For a public figure, a few minutes of flipping through interviews online is enough to turn up an actual public statement of what her favorite role has been. Hell, it may have been on last night in a repeat of Inside the Actor’s Studio for all I know.

Celebrity aside, this is one reason crimes happen more often between people who know each other than between strangers: the acquaintance has the upper hand on personal knowledge. “What town were you born in” is horribly weak when you still live in the city you were born in, for example. Or worse, questions of the “your first ____” variety may be more obscure, but they require that you’ve owned one, which makes them an unusable choice for many people.
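As an added illustration (this is example code, not code from the original post or from Yahoo!, MobileMe or any other provider), here is what a recovery system can do on its side, and why it is still not enough. Answers are normalized and stored as salted PBKDF2 hashes, so no agent or database dump can read them back, which is the same property the post demands for passwords. But when the answer is something the account holder has said in public, an attacker only needs to run the handful of facts from a biography or interview through the same verifier. The “public facts” list and the question/answer strings below are constructed for the example; `normalize`, `enroll`, `verify` and `guess_from_public_facts` are names chosen here, not part of any real API.

```python
import hashlib
import secrets
import unicodedata

# Constructed sample: the kind of material an attacker could pull from
# interviews or a public biography of the account holder. Not real data.
PUBLIC_FACTS = [
    "Interview, 2003: 'my favorite role so far has been Frida'",
    "Hometown listed in the public biography: Springfield",
    "Mother's maiden name is on the public record: Rivera",
]

# PBKDF2 work factor; kept modest so the demonstration runs in seconds.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Fold case, strip accents and collapse whitespace so that
    'Frida', ' FRIDA ' and 'Frída' all verify as the same answer."""
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(no_accents.casefold().split())


def enroll(question: str, answer: str) -> dict:
    """Store the question in the clear but only a salted hash of the answer,
    so support staff and database dumps never expose the answer itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"question": question, "salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison of the hashed attempt against the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"), record["salt"], ITERATIONS
    )
    return secrets.compare_digest(digest, record["hash"])


def candidates_from(facts: list) -> list:
    """Turn each public fact into guesses: the whole sentence plus every word in it."""
    seen = []
    for fact in facts:
        for raw in [fact] + fact.split():
            cand = normalize(raw).strip(".,;:!?()'\"")
            if cand and cand not in seen:
                seen.append(cand)
    return seen


def guess_from_public_facts(record: dict, facts: list):
    """Simulate the attacker: try every candidate drawn from public facts
    against the recovery verifier. Returns the answer found, or None."""
    for cand in candidates_from(facts):
        if verify(record, cand):
            return cand
    return None


if __name__ == "__main__":
    public_answer = enroll("favorite character", "Frida")
    print("found via public facts:", guess_from_public_facts(public_answer, PUBLIC_FACTS))

    # A call-and-response in-joke shared with a few friends: nothing to mine.
    in_joke = enroll("Aaaaaaaaaaahhhhhhhh!!!!!!!!", "you'll never know")
    print("found via public facts:", guess_from_public_facts(in_joke, PUBLIC_FACTS))
```

The hashing protects against the insider and the database thief, not against the person who can read the answer off the account holder’s own public statements. The other thing a real recovery flow must add is throttling: because the reset happens in the browser right then and there, an unlimited online guessing budget turns even a modest candidate list like the one above into a sure thing.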

This is why I love systems that let you enter your own questions, because I don’t make them questions. I make them call-and-response in-jokes that stem from high school, that were shared with only two or three other people with whom I remain in contact to this day, and that make absolutely no sense to anyone else because, quite frankly, they didn’t make any sense when we made them up. They were just that random.

“Aaaaaaaaaaahhhhhhhh!!!!!!!!” is one of my unhackable questions. While it has roots in popular culture from our high-school days, it is both remarkably obscure and incredibly malformed from its original source to the point where it can’t be sourced. It could be a ninja scream from NBC’s The Master, or a parody of a Max Headroom Coke ad. You’ll never know.

But the point is: only three people know, and those people know they are the only ones who know. Checkmate.