I talked to several people who were somewhat disturbed about my last blog post. Surely it can’t be that easy?
The potential exists, and I think it is worthwhile to ask why. Most people have been taught to guard their passwords, but have been carefully instructed to feel no responsibility for the other ways in which an attacker could get into their account. Why is it that we can educate about password complexity and reuse, but don’t want to explain under what circumstances a “personal identification” answer might be used? Why is it that we force a user to change their password every three months, but the email address that would receive a password-recovery message is never tested, and security questions are never refreshed or reinforced? Why is it that we as a culture have the concept of a “fire drill” in the real world, and advise people to learn the alternate exit routes in case the elevators are out of order, but in the online world treat it as a crazy and unthinkable thing to ask those users who happen to be of the more concerned persuasion to familiarize themselves with, and verify the operation of, the page behind their “forgot my password” link?
If you are someone who worries about being hacked, and if you are willing to take a little bit of time and energy to at least understand the risk you might be facing, my advice to you is: Go forth and recover.
Go ahead. Recover all of your accounts. You probably needed to rotate those passwords anyway. Find those “forgot password” links and click ’em. Chances are, you will be able to reset your password in an automated fashion, either by answering a pre-specified question, or by getting a link sent to an email account (sometimes both approaches are combined). If you are asked a question, is the answer guessable? Is it searchable? Is it short? Is it a single dictionary word? Can you control the guessability of the answer, or is it a hard-coded format such as a postal code or a birthdate? If you are emailed a link, follow the chain to your email provider and recover your password there too. Is it more pre-specified questions? Are they the same questions? Were you required to click on a link sent to yet another email address? If so, follow the chain again. Rinse and repeat.

This is the same trail that a hacker would follow. Often they find something you’ve forgotten: something out of date, an expired account, or a typo that you never would guess could end up in a compromise of your identity. Password recovery mechanisms were used to compromise Sarah Palin’s email account, and also to steal corporate data from Twitter (in Twitter’s case, by way of an employee’s personal email account whose recovery address had expired). If you can satisfy yourself that the password recovery loop is closed, that your answers are not guessable, that you haven’t specified incorrect, out-of-date, or non-existent email addresses, and that the services you use don’t rely on unsafe recovery mechanisms, you will be safer.
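The walk described above can be written down as a small audit. The script below is an added example, not code from the original post: it models each account by the recovery mechanism you found behind its “forgot password” link (a security question, a reset link sent to another account, or both required together), then propagates what an attacker could reach along the reset links until nothing new opens up. The account inventory, the tiny word list, and the weakness heuristics are constructed assumptions for illustration, not any real site’s rules.

```python
"""Audit a chain of password-recovery mechanisms.

Added example, not part of the original post. It models the manual walk the
post describes: for each account, note whether recovery relies on a security
question, a reset link delivered to another account, or both, and follow the
chain. The inventory, word list and heuristics are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a real wordlist (assumption).
COMMON_WORDS = {"password", "fluffy", "buddy", "spot", "smith", "jones", "london", "paris"}
# Formats the user cannot make less guessable (the post's postal code / birthdate case).
FIXED_FORMATS = {"postal_code", "date"}


@dataclass
class Account:
    name: str
    controlled: bool = True               # can you still log in and read mail here?
    answer: Optional[str] = None          # security-question answer, if the site asks one
    answer_format: Optional[str] = None   # "postal_code", "date", or None for free text
    reset_via: Optional[str] = None       # account that receives the reset link, if any
    both_required: bool = False           # site demands the question AND the emailed link


def answer_weaknesses(answer: Optional[str], answer_format: Optional[str] = None) -> List[str]:
    """The post's questions as heuristics: short? single word? fixed, searchable format?"""
    if answer is None:
        return []
    a = answer.strip().lower()
    problems = []
    if answer_format in FIXED_FORMATS:
        problems.append(f"fixed '{answer_format}' format (searchable, small keyspace)")
    if len(a) < 8:
        problems.append("short")
    if a in COMMON_WORDS:
        problems.append("single dictionary word")
    if re.fullmatch(r"\d{4,8}", a):
        problems.append("all digits (looks like a date or postal code)")
    return problems


def _reset_reasons(acct: Account, reach: Dict[str, List[str]]) -> Optional[List[str]]:
    """Steps an attacker could take to reset acct given the accounts already reachable."""
    if not acct.controlled:
        return [f"{acct.name}: not under your control (expired or mistyped), attacker can claim it"]
    weak = answer_weaknesses(acct.answer, acct.answer_format)
    via_question = [f"{acct.name}: security answer is {', '.join(weak)}"] if weak else None
    via_email = None
    if acct.reset_via in reach:
        via_email = reach[acct.reset_via] + [f"{acct.name}: reset link is delivered to {acct.reset_via}"]
    if acct.both_required and acct.answer is not None and acct.reset_via is not None:
        # Combined mechanism: the attacker needs the answer AND the mailbox.
        return via_email + via_question if via_email and via_question else None
    return via_email or via_question


def compromise_paths(accounts: Dict[str, Account]) -> Dict[str, Optional[List[str]]]:
    """Propagate attacker reach along reset links to a fixed point.

    Returns {account: ordered steps an attacker would take, or None if this model
    finds no path}. Accounts that only reset through each other form a closed
    loop and stay None unless something inside the loop is weak.
    """
    reach: Dict[str, List[str]] = {}
    changed = True
    while changed:
        changed = False
        for name, acct in accounts.items():
            if name in reach:
                continue
            reasons = _reset_reasons(acct, reach)
            if reasons:
                reach[name] = reasons
                changed = True
    return {name: reach.get(name) for name in accounts}


# Constructed inventory for the demonstration (assumption): the bank resets via the
# primary mailbox, which resets via an ISP mailbox that lapsed years ago.
SAMPLE = {
    "bank": Account("bank", reset_via="primary-mail", answer="fluffy", both_required=True),
    "primary-mail": Account("primary-mail", reset_via="old-isp-mail"),
    "old-isp-mail": Account("old-isp-mail", controlled=False),
    "forum": Account("forum", answer="90210", answer_format="postal_code"),
    "vault": Account("vault", reset_via="primary-mail",
                     answer="moss-covered three-handled gredunza", both_required=True),
}

if __name__ == "__main__":
    for name, path in compromise_paths(SAMPLE).items():
        print(f"{name}: {'no path found' if path is None else ' -> '.join(path)}")
```

Run it and the bank account is the one to worry about: the expired ISP mailbox lets an attacker claim it, that yields the primary mailbox, and the bank’s “fluffy” answer is the second factor the combined mechanism was supposed to add. The vault, which also resets through the compromised mailbox but asks a long free-text answer, comes out clean, which is the point of combining both approaches. Swap in your own inventory as you follow the chain.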
Don’t believe me? Check out the techniques this guy used to compromise the identity of a mere acquaintance. He gained access to supposedly “secure” accounts whose password recovery mechanisms depended on other accounts’ recovery mechanisms, which in turn depended on grossly guessable data.
Should you have to do this? No. Not according to almost anyone in this business. Are you expected to do this? Of course not. How many people actually memorize an alternate exit route from every hotel room they ever stay in? Only the ultra paranoid, I am sure. Still, if you care, if you are motivated, and if you want to know what to do, perhaps this can be a starting point.