The compromise of Alaska Governor Sarah Palin’s Yahoo! e-mail account last September offers many lessons about security, including the risk of using a free commodity e-mail service for conducting official business. Likewise, be cautious about what you store in your e-mail — the hacker posted some of Palin’s e-mail messages, photos, and her address book on the Internet. However, the focus of this article stems from the technique used by the hacker (purported to be a student from the University of Tennessee) to access Palin’s e-mail.
The perpetrator was able to change Palin’s password by answering three security questions — her date of birth, home zip code, and where she met her husband — answers easily discovered through simple Google searches. Challenge-response systems like these are common security features used in self-service websites for resetting a forgotten password, like the site used by the hacker to reset Palin’s Yahoo! password and access her e-mail. Even K-State’s eID Profile system uses a challenge-response security question to facilitate self-service password resets. Continue reading “Choosing security questions/answers; lessons learned from Palin e-mail hack and password security”