With Online Passwords, Dishonesty Can Be the Best Policy

By | Wednesday, July 15, 2009 at 8:11 am

Well, this is embarrassing: A hacker who apparently broke into various online accounts associated with Twitter executives and employees has sent TechCrunch hundreds of documents he purloined, including everything from user-growth projections to staffers’ meal preferences. TechCrunch’s Michael Arrington says he’s going to publish the stuff that has a lot of news value.

I’m not that interested in sensitive Twitter documents, so the most interesting aspect of all this is how easily the hacker was apparently able to get into Twitter’s online accounts. Actually, he doesn’t appear to have done any true hacking–he was just able to determine or reset passwords at Gmail, AT&T, MobileMe, and elsewhere.

Observers are rightly saying that the pilfering is a potentially useful reminder of the risks associated with storing sensitive information on the Internet. And most specifically, it may show that some Web services’ password-recovery features are inherently dangerous. It’s possible that some Twitter employees chose passwords or password questions that were too easy to guess, but it’s also possible that they followed the advice and instructions at the services in question to the letter, and their accounts still weren’t safe.

When someone broke into Salma Hayek’s MobileMe account in April, I wrote that using easily-obtained information like a user’s birthday or the maiden name of his or her mother to protect an account is unacceptably risky. It’s also dangerous to provide password recovery tools that let someone reset a password in one browser session, without having to access information sent by e-mail.

Even after the crummy publicity of Salma’s security breach, MobileMe is still suggesting to users that “What is my pet’s name?” is a reasonable secret question:

[Screenshot: MobileMe]

If you know (or can guess) a MobileMe user’s account name, birthday, and the answer to his or her secret question, you’re in.

Bottom line: It pays to be paranoid online, especially since some of the companies whose services you may use are probably way too nonchalant. If a service asks for easy-to-find information, it’s not a bad idea to simply lie like a rug. Any fool can determine that your mom was a Benson, so why not decide that for the purposes of your online security, she was a McGillicuddy–and then never tell another living soul? Even when you can specify your own “Secret Question,” specifying an answer that’s wrong isn’t a bad safety measure.
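To make the two points above concrete (a one-session reset gated only by a secret answer versus a reset that also needs a token sent by e-mail, and a fabricated answer stored like a password), here is an added example; it is not code from the original post or from any of the services named, and the user record, salt, token lifetime and the "McGillicuddy" answer are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

SALT = os.urandom(16)          # constructed; a real service stores one salt per user
TOKEN_TTL_SECONDS = 15 * 60    # reset links expire after 15 minutes (assumed policy)


def _hash(value: str, salt: bytes) -> bytes:
    # Secret answers are treated like passwords: normalised, salted and slow-hashed.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 100_000)


# Constructed user record. The stored answer is a fabricated one ("McGillicuddy"),
# following the article's advice, rather than the real, easily found maiden name.
USER = {"password_hash": _hash("old-password", SALT), "answer_hash": _hash("McGillicuddy", SALT)}
_pending_tokens: Dict[str, float] = {}   # sha256(token) -> expiry time


def weak_reset(answer: str, new_password: str) -> bool:
    """The pattern the article warns about: a correct answer alone resets the password
    in one browser session, so anyone who can find or guess the answer owns the account."""
    if not hmac.compare_digest(_hash(answer, SALT), USER["answer_hash"]):
        return False
    USER["password_hash"] = _hash(new_password, SALT)
    return True


def request_reset(answer: str) -> Optional[str]:
    """Step 1 of the safer flow: the answer only decides whether a single-use token is
    sent out of band. Nothing changes on the account here. Returning the token stands in
    for e-mailing it to the address on file."""
    if not hmac.compare_digest(_hash(answer, SALT), USER["answer_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    _pending_tokens[hashlib.sha256(token.encode()).hexdigest()] = time.time() + TOKEN_TTL_SECONDS
    return token


def complete_reset(token: str, new_password: str) -> bool:
    """Step 2: only the holder of the mailbox can present the token; it is single use
    and expires, so a guessed answer without mailbox access gets an attacker nothing."""
    expiry = _pending_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if expiry is None or time.time() > expiry:
        return False
    USER["password_hash"] = _hash(new_password, SALT)
    return True
```

In the weak flow the answer is the whole secret; in the safer flow it is only a gate in front of the mailbox, which is why a made-up answer plus out-of-band delivery is the combination worth asking for.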


5 Comments For This Post

  1. Pascal Cuoq Says:

    My secret question, when the website allows me to choose it,
    is either “So you forgot your password, you poor bastard?”
    or “What is your password?”

  2. Peter Says:

    A really good idea and something I’ve been doing for years. I have a set of lies I tell companies that require me to set password reminders.

  3. John Baxter Says:

    Unfortunately, banks like to collect mother’s maiden name. And then use it years later for online “security”. I’m not sure one can walk into one’s friendly local branch* and say “My mother is now a McGillicuddy, not a Benson.”

    *I am fortunate to have two “friendly local branch” banking relationships. Out of two.

  4. Paul Says:

    For years, I’ve been grumbling out loud (and warning some people) about the practice of using birthdays as a security question. It’s the most easily obtainable piece of personal information, and yet, websites, credit card companies, banks and other institutions use it for identification online or over the phone. Stupid.

    Here in the Philippines, the term “middle name” does not refer to one’s second given name (unlike in the US). “Middle Name” usually refers to your mother’s maiden surname. So a lot of (not so private) legal documents, such as driver’s license, display your mother’s maiden name for all to see. And yet the same institutions I mentioned above insist on using it as a security question without regard to local naming conventions. Stupid.

2 Trackbacks For This Post

  1. Twitter Security Breach…A Reminder About Keeping Passwords Secure « A Geek Blog Says:

    […] Here – http://technologizer.com/2009/07/15/with-online-passwords-dishonesty-can-be-the-best-policy/ […]

  2. Tr.impending Doom | Technologizer Says:

    […] what Twitter’s long-term URL-shortening strategy is–hey, are there any clues in those stolen documents?–but I hope it intends to start squeezing down its own URLs. For one thing, I have more faith […]