Security Lessons from Sarah

For the sake of argument, let's believe this account of how Sarah Palin's e-mail account was hacked:

In the past couple of days news had come to light about Palin using a Yahoo mail account; it was in news stories and such. A thread was started full of newfags trying to do something that would not get this off the ground; for the next 2 hours the acct was locked from password recovery, presumably from all this [ineffective] spamming.

After the password recovery was re-enabled, it took seriously 45 mins on Wikipedia and Google to find the info. Birthday? 15 seconds on Wikipedia. Zip code? Well, she had always been from Wasilla, and it only has 2 zip codes (thanks, online postal service!).

The second was somewhat harder; the question was “where did you meet your spouse?” Did some research, and apparently she had eloped with Mister Palin after college. If you'll look at some of the screenshots that I took and other fellow anon have so graciously put on Photobucket, you will see the Google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that: high, high school, eventually hit on “Wasilla high”. I promptly changed the password to popcorn and took a cold shower…

In other words, her account's password-recovery path was (allegedly) locked out for a while by bad guys hammering it with bad guesses. Yahoo's "self-service" recovery relies on "security questions" to let a user who has forgotten the password set a new one; the idea being that only the actual owner of the account knows how to answer them. Answer them and you get to choose the new password, which is exactly what the attacker did.

The problem being: one's answers sometimes aren't that difficult for others to guess, or simply look up, even less so if one is the kind of person with a Wikipedia entry. Birthday, hometown zip code, where you met your spouse: for a public figure none of these is a secret, and the one that wasn't printed anywhere took only a handful of phrasings to hit.

So there's a lesson for ordinary people in there. If you have an account "protected" by security questions, your best guidelines for answers are:

  1. Lie. Security-wise, the worst possible answer you could give for a security question is the true one. A true answer is something a relative, an ex, a coworker or anyone with a search engine may already know, so it isn't a secret and it won't protect anything. Go another way. It's just a stupid computer. It's not going to notice, let alone rat you out.

  2. But lie in a way you'll remember. It's a total hassle if you forget the lie you told.

Your birthday? November 22, 1963.

Your high school name? Communist Martyrs High.

Your mother's maiden name? Garbo.

Don't use these, of course. Sorry, I should have mentioned guideline three:

  3. Be Original. Never use a published example for either a password or a security question's answer.

Treat the answers the way you treat the password itself: a security question is just a second, usually weaker, password for the same account, so a random string is the best answer of all. Write 'em down if necessary. Or do what I do: store them in an encrypted file. I roll my own, but Password Safe is a reputable and free alternative.
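To make the guessable-versus-random point concrete, here is an added example in Python. It is mine, written for this page; it is not code from this post, from Yahoo, or from the quoted account. It assumes a site compares answers case-insensitively after collapsing whitespace, it uses a constructed 32-word list where a real setup would use a large published list such as EFF's diceware words, and it takes "met at Wasilla high school" from the quoted narrative as the publicly known fact whose exact phrasing the attacker had to guess.

```python
import math
import secrets
from typing import List, Optional

# Constructed word list (assumption: a real deployment would use a large
# published list such as EFF's diceware words). 32 words = 5 bits per word.
WORDS = [
    "anchor", "basalt", "candle", "dingo", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nettle", "orchid", "pewter",
    "quartz", "raven", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "bramble", "cobalt", "drizzle", "fennel", "glacier", "heather",
]


def normalize(answer: str) -> str:
    """Model of how a site compares answers: case-insensitive, spacing ignored
    (assumption; the real comparison rules are not stated on the page)."""
    return " ".join(answer.lower().split())


def phrasings(fact: str) -> List[str]:
    """Every contiguous run of words in a known fact, shortest first, which is
    the order an attacker trying "high", "high school", "Wasilla high" works in.
    "Wasilla high school" yields six candidates."""
    words = normalize(fact).split()
    out = []
    for length in range(1, len(words) + 1):
        for start in range(len(words) - length + 1):
            out.append(" ".join(words[start:start + length]))
    return out


def guesses_to_hit(candidates: List[str], true_answer: str) -> Optional[int]:
    """Attempts needed before the true answer comes up, or None if it never does."""
    target = normalize(true_answer)
    for n, cand in enumerate(candidates, start=1):
        if cand == target:
            return n
    return None


def random_answer(n_words: int = 4) -> str:
    """A memorable but unguessable answer: n words drawn with the OS CSPRNG."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def bits_of_entropy(n_words: int, vocab: int = len(WORDS)) -> float:
    """Entropy of an n-word answer drawn uniformly from a vocab-word list."""
    return n_words * math.log2(vocab)


def expected_guesses(n_words: int, vocab: int = len(WORDS)) -> float:
    """Average attempts to brute-force such an answer: half the search space."""
    return vocab ** n_words / 2


if __name__ == "__main__":
    # The public fact is "met at Wasilla high school"; the secret is only
    # which phrasing the account holder typed. The attacker's list is tiny.
    cands = phrasings("Wasilla high school")
    print("attacker's candidate list:", cands)
    print("guesses to hit 'Wasilla high':", guesses_to_hit(cands, "Wasilla high"))
    print("guesses to hit a zip code in a two-zip-code town: at most 2")

    # Versus a random answer written down in the password safe.
    ans = random_answer()
    print("generated answer:", ans)
    print(f"{bits_of_entropy(4):.0f} bits, about {expected_guesses(4):,.0f} guesses on average")
```

The truthful answer falls on the fourth guess of a six-entry list; a four-word answer from even this toy list needs about half a million guesses on average, and a real diceware list pushes that far higher. Store the generated answer, not the question, in the password safe, and type it exactly as generated, since the site's normalization is the only leeway you get.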

For more (indirect but very funny) advice on security questions, see Lore Sjöberg. More serious information and a host of good links can be found at Wikipedia.

Once you've dinked your security questions, feel free to run for high office. But not until then.

"But Pun Salad," you ask. "What of the moral and legal issues of this particular case?" I'm of the same mind as Protein Wisdom:

Does this mean that gone are the excuses being trotted out by the mainstream press — and those on the left side of the blogosphere — for running with this pilfered private info? “Clerical stuff” justifies this breach of privacy, and yet these are the same [people of questionable ethics] who’ve spent years screeching about data mining communication traffic patterns for terrorists with one point outside the US?

The press, and their progressive empaths, have just had lopped off yet another limb, it seems to me. And McCain should scoop that [issue of questionable ethics] up and run with it.

So, yeah. But fix the answers to your security questions too.