Protecting Against Password Reset Attacks

As I blogged earlier today, the hacker who broke into Sarah Palin’s Yahoo account was convicted on two charges. David Kernell gained access to Palin’s email account by going to the login page, clicking “I forgot my password”, and then correctly answering the password reset questions. Some of the questions had answers that were public information; others were easily guessed.

When you have to choose a password reset question, always use a wrong answer. There is typically only one correct answer to each question, and often that answer is known by others. There are infinitely many wrong answers, so it is extremely difficult for an attacker to answer the reset questions correctly if you use a wrong answer.

Now, here’s the tricky part: how do YOU remember the wrong answers? You can write them down. You can use tricks such as a theme. For example, if you like Star Wars, then perhaps your first car was the Millennium Falcon and your first pet was a wookie. For me, I use the comment field in Password Corral.

The password reset attack is fairly easy to carry out, but fortunately the defense is quite easy too!
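The post's advice is aimed at the account holder: pick an answer an attacker cannot look up or guess. The same reasoning applies on the service side, where the reset questions should be treated like a second password rather than a quiz. The following is an added example, not code from the original post or from ESET: it generates a random "wrong answer" the way a password manager would, and it shows how a site can store answers as salted PBKDF2 hashes, compare them in constant time, treat a reset as all-or-nothing, and lock the reset flow after repeated failures. The word list, the iteration count and the five-attempt lockout are constructed values for this example, not settings from any real service.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed parameters for this example (assumptions, not from the post).
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_RESETS = 5

# Constructed word list: a real tool would use a diceware-style list.
WORDLIST = [
    "falcon", "wookie", "nebula", "lantern", "granite", "copper", "meadow",
    "harbor", "saffron", "cobalt", "walrus", "ember", "quartz", "tundra",
]


def generate_random_answer(words: int = 4) -> str:
    """Build a random 'wrong answer' to store in a password manager's note field.

    Unlike the true answer (one value, often public), this is drawn from
    len(WORDLIST) ** words possibilities, none of which relate to the user.
    """
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'Millennium Falcon' and ' millennium  FALCON ' match."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer; stored instead of plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class ResetQuestionVerifier:
    """Server-side record of one account's reset answers plus a failure counter."""

    def __init__(self, answers: Dict[str, str]):
        # question -> (salt, digest); plaintext answers are never retained
        self._records = {q: hash_answer(a) for q, a in answers.items()}
        self.failed_resets = 0
        self.locked = False

    def _matches(self, question: str, answer: str) -> bool:
        record = self._records.get(question)
        if record is None:
            return False
        salt, expected = record
        _, actual = hash_answer(answer, salt)
        return hmac.compare_digest(actual, expected)

    def verify_all(self, answers: Dict[str, str]) -> bool:
        """One reset attempt: every question must be answered, and every answer must match.

        All answers are checked before deciding, so a partial match leaks nothing
        about which question was wrong, and one failure counts once per attempt.
        """
        if self.locked:
            return False
        results = [self._matches(q, a) for q, a in answers.items()]
        ok = len(results) == len(self._records) and all(results)
        if ok:
            self.failed_resets = 0
            return True
        self.failed_resets += 1
        if self.failed_resets >= MAX_FAILED_RESETS:
            self.locked = True  # further resets need out-of-band verification
        return False


if __name__ == "__main__":
    # The account holder follows the post's advice: themed wrong answers.
    verifier = ResetQuestionVerifier(
        {"first car": "Millennium Falcon", "first pet": "a wookie"}
    )
    # Trying the real, publicly known answers does not work.
    print("public answers:", verifier.verify_all({"first car": "Ford Pinto", "first pet": "Rex"}))
    # The owner, with normalization, still gets in.
    print("owner:", verifier.verify_all({"first car": "millennium falcon", "first pet": "A Wookie"}))
    print("random answer for a new question:", generate_random_answer())
```

The lockout counter is per account rather than per source address because a reset attack is a low-volume guess against one target, which is why the defense counts attempts on the account being reset rather than on the client.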

Randy Abrams
Director of Technical Education
ESET Research, ESET

2 Responses to “Protecting Against Password Reset Attacks”

  1. Ricky Watkins says:

    Mr. Abrams,
    The "Hacker" took screen shots of the questions and stored them onto the hard drive. Once he found out the FBI was onto him, he deleted them in order to avoid being caught with them. Forensic imaging of his laptop's hard drive brought this evidence to light for use in his case. Hopefully in the future, account access will be limited to password along with biometric information. Thumb print scanners will provide another way to keep others out of private accounts.

  2. Reset Password says:

    I've never thought to do this, I always just use the actual answer. I would think if you were a celebrity or public figure, it would make the most sense because ANYONE can find out your personal information. I might start doing this anyway for important sites.

30 Apr 2010