Once again a popular email service has been publicly embarrassed by gaping holes in its security. In 2008 it was Yahoo, when Sarah Palin’s personal email account was hacked. This time, as then, a hacker simply answered the so-called “security” question used to authenticate a person when resetting their password. Gawker broke the story as the Mitt Romney Email Hack.
Details of the Mitt Romney Email Hack
It began when the Wall Street Journal released some emails from Romney’s days as Massachusetts Governor which listed his private email address as firstname.lastname@example.org. It’s not generally considered kosher to publish someone’s private email address in a public place like a newspaper. I’m surprised that the Wall Street Journal didn’t redact the address before publishing the emails. But it’s not a violation of law as far as I know. However, according to an anonymous email received by Gawker, a hacker successfully broke into Mitt Romney’s email. How did he do it? By correctly guessing the answer to the “security question” used to reset the account’s password.
The question the anonymous hacker guessed? “What is your favorite pet?” Given all the news stories that have been written about Mitt Romney’s dog, I’m sure it didn’t take the hacker long to figure out the dog’s name, and use it to get past the security question.
The Mitt Romney Email Hack is embarrassing. Not for Mitt Romney, but for Hotmail and all the email services that follow similar practices. It’s high time we accepted the fact that “security questions” based on personal information about the owner of the account are not secure. Period. This practice needs to stop.
How to Protect Yourself
More and more of our lives are online. Seemingly trivial and obscure information about us is easily found online by anyone who knows how to write a simple Google search. So when you are prompted to set up a security question for use in future password reset scenarios, you should try to avoid questions that require revealing personal information. No matter how obscure it might seem at the time, it’s not secure.
If you can’t avoid setting up “security” questions, here’s a trick you can use to avoid your email account falling to the same fate as Mitt Romney’s. Add a password to the end of any answer you have to set up for a security question. For example, suppose the security question is “What is your mother’s maiden name?” The answer might be “Smith,” which anyone with half a brain can find out by searching online court records. Instead of just setting up “Smith” as the answer, add a “password” to the end of it. For example, you might set up the answer to be “Smith1234”. So when the hacker looks up your mother’s maiden name in the county’s online birth and death records, the hacker still doesn’t have enough information to answer the security question.
Like any password, the longer and more complex it is, the better. But in this case, any extra characters added to the answer improve the security of your account.
Better Password Reset Procedures
The basic principle we need to learn from the Mitt Romney Email Hack is this:
Personal information should never be used to authenticate the person.
What can be done instead to enable someone to reset their account password? At some level, the only way to securely reset a credential is to require that the end user supply another credential.
For example, instead of setting up “security questions,” the email service could require that you supply an alternate email address and verify that you have access to it by retrieving a security code sent to it. This could be another email account you have. Who doesn’t have multiple email accounts these days? Or it could be the email address of your spouse, trusted friend, boss, etc. The Mitt Romney Email Hack could have been prevented if he had been able to give his wife’s email address. If he ever forgot his password, a reset code could have been sent to his wife’s email address, and she, presumably, would have given it to him when it came in.
In a similar vein, instead of setting up security questions the email service could ask you to set up a phone number capable of receiving text messages. If you ever need to reset your password on the account, the service could send a verification code to the phone.
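As an added illustration of the alternate-channel reset described above (example code written for this post, not an email service’s own implementation), here is a minimal Python version of the reset-code step: the service issues a short single-use code for delivery to the trusted email address or phone, stores only its hash, and accepts it only while it is unexpired and within an attempt budget. The time-to-live and attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed policy: codes expire after 10 minutes
MAX_ATTEMPTS = 5        # assumed policy: abandon the request after 5 wrong guesses


class ResetRequest:
    """One pending reset, bound to the out-of-band channel the code was sent to."""

    def __init__(self, code_hash, channel, issued_at):
        self.code_hash = code_hash   # only the hash is kept server-side
        self.channel = channel       # alternate email address or phone number
        self.issued_at = issued_at
        self.attempts = 0
        self.used = False


_pending = {}  # username -> ResetRequest (in-memory store for this example)


def begin_reset(username, channel, now=None):
    """Issue a fresh 8-digit code and return it for delivery to `channel`.

    The caller emails or texts the code; it is never shown on the web page.
    Storing only a hash means a leaked database does not expose live codes."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(8))
    digest = hashlib.sha256(code.encode()).hexdigest()
    _pending[username] = ResetRequest(digest, channel, now)
    return code


def complete_reset(username, submitted_code, now=None):
    """Return True only if the code is pending, unexpired, unused, within the
    attempt budget, and matches the stored hash (constant-time comparison)."""
    now = time.time() if now is None else now
    req = _pending.get(username)
    if req is None or req.used:
        return False
    if now - req.issued_at > CODE_TTL_SECONDS:
        del _pending[username]          # expired: force a new request
        return False
    req.attempts += 1
    if req.attempts > MAX_ATTEMPTS:
        del _pending[username]          # too many guesses: discard the code
        return False
    submitted_digest = hashlib.sha256(submitted_code.encode()).hexdigest()
    ok = hmac.compare_digest(submitted_digest, req.code_hash)
    if ok:
        req.used = True                 # single use: a replayed code is rejected
    return ok
```

In a real service the store would be a database with the same fields, and the code would only ever leave the server through the channel recorded on the request.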
The point here is that there are multiple low-cost alternatives to the “security question” approach to resetting passwords. The Mitt Romney Email Hack could easily have been prevented.
It’s an embarrassment that any web-based email service, or any web-based public service for that matter, is still relying on “security through obscurity.”