Lessons Learned from The Sarah Palin Email Hack

Bob Preston
CYBERSPACE — The hack of GOP vice-presidential nominee Sarah Palin's email provides a lesson to computer users everywhere: common password protection isn't that great.

The hacker claiming to be behind the email invasion posted on the Internet message board 4Chan.org explained how he retrieved Palin's password information. It sounded all too easy.

First, the hacker used the password retrieval function associated with Palin's Yahoo account and answered two security questions: The governor's birthday and her home ZIP code, both of which he said he was able to find through simple Google searches.

After that, the hacker encountered a more challenging security question: Where did the governor meet her husband?

But once again, a trip to YouTube or some other video-sharing site was all the hacker needed. Gov. Palin herself recounted during her acceptance speech at the Republican national convention that she met her husband at Wasilla, Alaska, High School.

What does this mean for the rest of us? Roger A. Grimes, a security expert who writes for InfoWorld.com, said that no amount of good programming can make up for lousy security questions.

"If your password reset feature is weak (and most are), then the security of your account has nothing to do with anything else besides those few questions," he said.

"It doesn't matter how good the vendor's other security features are, it doesn't matter how long and complex your password is, it doesn't matter how secure their coding is and whether they use SDL programming,” Grimes added. “All that matters is how common the questions and answers are.

What's the solution? One possible answer is to treat every security question like another password field.

"When they ask you for your dog's name, say something like 'Im5n$?aTuy' and put that for all your password reset answers," Grimes said.