Lessons from the Palin Email Hack: How to Provide More Secure Password Recovery than Yahoo
The only really shocking things to come out of the hacking of Sarah Palin’s Yahoo-based email account are the revelations that:
- The Governor of Alaska uses the free Yahoo email service for work-related emails; and that
- Yahoo uses really bad security practices for its password recovery system.
Indeed, it’s the latter point that makes the former all the worse.
If the so-called hacker who accessed Palin’s emails is to be believed, Yahoo allowed the intruder to reset the password on Palin’s account simply by answering some security questions. And sure enough, that’s exactly how Yahoo’s password recovery system works: You answer some simple questions like “Where did you meet your spouse?” and Yahoo checks to make sure your responses match up with the answers you provided when you first created your account. In other words, these questions serve as a secondary, “backup password.”

The problem with security questions like these is that they’re all too easy for almost anyone to answer. This is especially true if you have information about your life published on the Web (as Palin found out) — or, more likely, if you publish that information yourself on blogs, social networks, profile pages, and so on.
So what should Yahoo have done instead? Or, more importantly, if you’re developing a Web site that needs a password recovery feature, what should you do?
The Better Way to Do It
The best option: Don’t allow users to change their passwords online after answering the security questions, but rather send an email containing a password change alert and instructions to the user’s alternate email address.
This is more secure because any attempt to change your password results in you receiving notice of it — via a method only you have access to.
Second best: Send the alert and instructions to the user’s cell phone via text message or voicemail.
This is handy in a case like Yahoo’s, where the company is providing email accounts to users who often don’t have existing accounts that they can list as an “alternate.” (Although, it looks like the current iteration of Yahoo Mail does ask for an alternate address upon registration.)
If you just can’t ask your users for an alternate means of notification: At the least, you could ask more personal backup questions that can’t simply be looked up online. For instance:
- In three words, what’s your biggest fear?
- In three words, what is your earliest memory?
- What’s your favorite word and least favorite word?
These don’t sound as nice as “What’s your ZIP code?” but unless you’re a no-holds-barred blogger who has published a post containing the words “my worst fear is…”, most other people truly won’t know the answers.
And even if they do know you well enough to have an inkling, they’re still not likely to phrase the answer in the same way. After all, “Big hairy spiders” is not the same as “big scary spiders.”
String a few of these questions together and you’ve got a much higher barrier in place — one that’s less likely to lead to an embarrassing break-in when your site’s users are running for the second highest office in the land.
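The two recovery paths above (a reset notice sent to an address only the user controls, with several hard-to-guess backup questions as the fallback) can be combined in one small module. The following is an added example written for this post, not Yahoo’s code or anything from the author; the `RecoveryStore` class, the sample questions and the in-memory "outbox" that stands in for an email or SMS sender are constructed for illustration.

```python
"""
Added example (not from the original post): password recovery that prefers an
out-of-band reset token and falls back to several hashed, normalised backup
answers. `RecoveryStore`, the sample questions and the `outbox` stand-in for a
mail/SMS sender are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

TOKEN_TTL_SECONDS = 15 * 60   # reset links should expire quickly
PBKDF2_ROUNDS = 100_000       # slow hash so leaked answer hashes are costly to crack


def _normalize(answer: str) -> str:
    # Case-fold and collapse whitespace so "Big  Hairy Spiders" matches
    # "big hairy spiders" while "big scary spiders" still does not.
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Backup answers are a secondary password, so store them like one.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class RecoveryStore:
    def __init__(self):
        self.users = {}    # username -> record
        self.tokens = {}   # sha256(token) -> (username, expiry)
        self.outbox = []   # constructed stand-in for an email/SMS sender

    def register(self, username, alternate_email, questions_and_answers):
        salt = os.urandom(16)
        self.users[username] = {
            "alternate_email": alternate_email,
            "salt": salt,
            "answers": [(q, hash_answer(a, salt)) for q, a in questions_and_answers],
        }

    def request_reset(self, username, now=None):
        """Preferred path: mint a one-time token and send it to the alternate
        address. Only a hash of the token is stored, so a database leak does
        not hand out usable reset links."""
        now = now or time.time()
        user = self.users.get(username)
        if user is None:
            # The HTTP layer should respond identically here to avoid
            # revealing which usernames exist.
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (username, now + TOKEN_TTL_SECONDS)
        self.outbox.append((user["alternate_email"],
                            f"A password change was requested for {username}. Reset token: {token}"))
        return token

    def redeem_token(self, token, now=None):
        """Returns the username if the token is valid, unexpired and unused."""
        now = now or time.time()
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)   # single use: removed on first attempt
        if entry is None:
            return None
        username, expiry = entry
        return username if now <= expiry else None

    def verify_answers(self, username, supplied):
        """Fallback path: every stored question must be answered; each answer is
        compared in constant time against its PBKDF2 hash, and all comparisons
        run even after a mismatch so timing does not reveal which one failed."""
        user = self.users.get(username)
        if user is None or len(supplied) != len(user["answers"]):
            return False
        results = []
        for (question, stored), (q, a) in zip(user["answers"], supplied):
            match = q == question and hmac.compare_digest(stored, hash_answer(a, user["salt"]))
            results.append(match)
        return all(results)
```

Usage: call `request_reset` when a user asks to recover their account and deliver whatever lands in `outbox`; the user then proves control of the alternate channel by presenting the token to `redeem_token`. `verify_answers` is only the fallback for sites that cannot collect an alternate contact, and it demands all of the registered questions, not just one.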
A Footnote (Helping Users Choose More Secure Answers)
Bizarrely, Yahoo’s only public response so far to the Palin break-in has been to repost an item to the Yahoo Mail Blog about choosing secure passwords. It doesn’t address the problem, since reports so far say that Palin’s password was just fine — it was the backup security questions that were breached.
So what might Yahoo do instead (until it rolls out a more secure password recovery feature)?
Advise users to choose the most difficult backup security questions available and to pay attention to how easily others might be able to find the answers. Your “favorite sports team” is too easy to guess — the answer usually has to do with where you live, lived, or went to college. However, the “make of your first car or bike” is harder for others to know.
And finally, advise users to lie. That’s right. You don’t have to answer the backup security questions truthfully. No one’s checking up on your responses. If you must use “favorite sports team” as a question, then respond with the name of the coach of that team. Do that consistently whenever you see that question on other sites and you’ll have a good chance of thwarting most would-be intruders.
My name is Amit Asaravala. I'm an Internet technologies consultant & Web developer located in the San Francisco Bay Area. I specialize in helping organizations build great Web sites on open source technologies.
The problem with these suggestions is that the answer to the question may be forgotten. For example, if the real answer is “Big Hairy Spiders”, the remindee may type “big scary spiders”, or even “dark alleys”. The answer will at least have to be exact letter for letter, and may even be case sensitive. On rarely visited sites, like the computer cable company you shopped from two years previously, it can be hard to remember a tricky answer.
The best thing to do is to select an obscure question that clearly has only one possible answer