About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander All opinions are my own unless explicitly stated.

Monday, January 17, 2011

Forgot your password?

It seems like more and more frequently, articles about email and Facebook hijackings appear in the news. Although the news frequently calls them "hacking", the actual method tends to be either guessing the password or abusing the "security questions" in the password reset feature. If you're not concerned about this, you don't understand the potential consequences of losing access to your email. George Bronk, the extortionist in this case, searched his victims' email accounts for nude pictures and videos. He sent what he found to the victims' friends and frequently attempted to extort the victims further. He also used his control over the victims' email accounts to gain control over their Facebook accounts. Had he been more interested in monetary gain, he could just as easily have used the password reset feature on the victims' bank accounts to clean them out financially too.

Incidentally, this was the same method used by David Kernell to gain access to Sarah Palin's email account.

So, what can you do to prevent something like this? The article above provides some suggestions about false password reset answers ... but that poses problems of its own. If you provide false information for your password reset questions, you need to make certain you can remember the answers when you actually need to use them. If the account allows you to create your own password reset questions, that might help you make answers that are memorable to you and difficult to discover.

Another suggestion is to keep your social networking (Facebook, MySpace) privacy settings under tight control, and be careful what you share on them and who you "friend".  Remember, friends can usually see more of your profile than people who aren't friends. 

A fun exercise is to try thinking like a hacker ... log out of your Facebook (so you can only see the public profile) and then see if you can find out enough information on yourself to answer your own password reset questions. Pretend you don't know anything about yourself: can you break into your Facebook? Your email? Can you find out what bank you use and get into that?

Do you have any additional suggestions?  If so, please comment.  I'd love to hear them.


  1. True, often those security questions are really generic and could be discovered through a Facebook or Google search. "What is your oldest sibling's first name?" "Where were you born?" "Where were you married?" - these questions just don't cut it.

    But what do you do if the ONLY options for security questions are generic, easy-to-answer, ones like these?

  2. If your only options are generic questions, then life is more difficult. I'd suggest contacting the company and asking for better security questions or the ability to write your own question. In the meantime, lying is still an option if you can keep your lies straight (discussed in the article), but I think the best long-term solution is to pressure the companies for improved security.