BBC News reports that an unemployed man has been arrested by French police for hacking the Twitter accounts of US President Barack Obama and celebrities.
The unemployed 25-year-old was arrested on Tuesday after an operation lasting several months, conducted by French police with agents from the FBI.
He gained access to Twitter accounts by simply working out the answers to password reminder questions on targets’ e-mail accounts, according to investigators.
This is the same method that was famously used to break into Sarah Palin’s Yahoo! webmail account, and it is yet another real-world example of the weakness of the typical password reminder function that the University of Cambridge Computer Laboratory study demonstrated.
As I wrote previously, until the companies that use password reminder questions as a security method change their system, I recommend that people give a nonsense answer to the question. This applies particularly to people such as President Obama, for whom the real answers are easily researched.
Security Researchers at the University of Cambridge’s Computer Laboratory have produced a whitepaper titled Evaluating statistical attacks on personal knowledge questions.
Aside from the fact that the answers to these questions are readily findable for celebrities, and increasingly easy to uncover through social networking sites for the average individual, the researchers found that even plain guessing is good enough to render the system insecure if carried out on a wide scale.
There is a strong result that anything named by humans is dangerous to use as a secret. Sociologists have known this for years. Most human names follow a power-law distribution fairly close to Zipfian, which we confirmed in our study. This means every name distribution has a few disproportionately common names, “Gonzalez” amongst Chilean surnames, “Guðrún” amongst Icelandic forenames, “Buddy” amongst pets, for attackers to latch on to. Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security.
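To make the statistical point concrete, here is an added example (my own illustration, not code from the Cambridge study) that measures how much of a user population a guesser who simply tries the most common answers would cover. The answer sample is constructed for the demonstration; the Zipf function models the same quantity for a population of n possible answers with exponent s, the shape the researchers report for human names.

```python
from collections import Counter

# Constructed sample of answers to a question such as "What was your first
# pet's name?" (not survey data): a few very common names plus a long tail.
SAMPLE_ANSWERS = (
    ["Buddy"] * 12 + ["Max"] * 8 + ["Bella"] * 6 + ["Charlie"] * 4
    + ["Lucy"] * 3 + ["Rex"] * 2
    + ["Pickles", "Nimbus", "Zorro", "Mango", "Biscuit"]
)


def answer_distribution(answers):
    """Return (answer, probability) pairs sorted from most to least common.
    Answers are normalised the way a lenient reset form would compare them."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return [(name, n / total) for name, n in counts.most_common()]


def guess_coverage(distribution, k):
    """Fraction of accounts opened by someone allowed k tries per account who
    submits the k most common answers. This is the exposure a reset form with
    a k-attempt limit still leaves, before any research on the target."""
    return sum(p for _, p in distribution[:k])


def zipf_coverage(k, n, s=1.0):
    """The same fraction under a Zipf model: answer of rank r has weight 1/r**s."""
    weights = [1.0 / r ** s for r in range(1, n + 1)]
    return sum(weights[:k]) / sum(weights)


if __name__ == "__main__":
    dist = answer_distribution(SAMPLE_ANSWERS)
    for k in (1, 3, 5):
        print(f"top-{k} guesses cover {guess_coverage(dist, k):.0%} of the sample")
    # A Zipfian population of 10,000 distinct names, three tries per account:
    print(f"Zipf model, 3 guesses of 10,000 names: {zipf_coverage(3, 10_000):.1%}")
```

The number to watch is the coverage at k equal to the reset form’s attempt limit: a limit of three stops nobody when the top three answers alone account for a large slice of users, which is why the mitigation has to be a different secret rather than a tighter lockout.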
I think that until the companies that use password reminder questions as a security method change their system, people should give a nonsense answer to the question. If you are sure that you’d never need to use the password reminder facility, then you could just use a completely unguessable random alphanumeric string as the answer. Otherwise it would be a good idea to choose something memorable as your nonsense answer and use it consistently, e.g. Throatwobbler Mangrove, unless inexplicably that does happen to be your mother’s maiden name.
There has been other research in the last few years into this subject.
Microsoft researchers wrote Measuring the security and reliability of authentication via ‘secret’ questions.
CyberNet News have a clever solution to the age old problem of how to create and remember strong passwords that are extremely resistant to brute force attacks. [via]
Their method seems to be just for the creation of a single password, but I’ve adapted it below for use as a secure generator of unique passwords for websites.
1. Choose a master password, go for something memorable because this will form the basis of every password you’ll generate. e.g. sherlock
2. Get the URL of the website for which you wish to create a secure password. Attention: use just the domain name part to avoid confusion later! You’ll thank me for that, trust me. Valid examples are facebook.com and google.com. Bad: http://www.facebook.com and https://mail.google.com/mail/.
3. Go to http://www.onlinefunctions.com/. Enter your master password and the domain name in the “Input” field. e.g. sherlockgoogle.com
4. What we’re going to do is convert this input into an MD5 hash. All we need to know about the MD5 algorithm is that it is a widely used one-way hash: it turns any input into a fixed-length string of hexadecimal characters that cannot be reversed to recover the input.
5. Hit the “Create MD5” button.
6. Take the first eight characters from the “MD5 hash” field and use them as your new secure password.
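The whole recipe, steps 1 to 6, as an added example in Python so it can be run locally instead of pasting a master password into a third-party web page; this is my own illustration, not the CyberNet News or SuperGenPass code. The domain normalisation in step 2 is a simplification that keeps the last two labels of the host name, so it handles the examples on this page but not multi-part public suffixes such as example.co.uk.

```python
import hashlib
from urllib.parse import urlparse


def registrable_domain(site: str) -> str:
    """Step 2: reduce a URL or host name to the bare domain.
    'https://mail.google.com/mail/' -> 'google.com'. Simplification: keeps the
    last two labels, so country-code suffixes like '.co.uk' are not handled."""
    if "://" not in site:
        site = "//" + site          # let urlparse treat a bare host as a netloc
    host = (urlparse(site).hostname or "").lower().strip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def site_password(master: str, site: str, length: int = 8) -> str:
    """Steps 3 to 6: MD5 of master password + domain, first `length` hex digits."""
    material = (master + registrable_domain(site)).encode("utf-8")
    return hashlib.md5(material).hexdigest()[:length]


def entropy_bits(length: int = 8) -> int:
    """Size of the keyspace the truncated hash gives: 4 bits per hex character,
    so the recipe's eight characters yield a 32-bit password."""
    return 4 * length


if __name__ == "__main__":
    # Constructed values matching the article's own example.
    print(site_password("sherlock", "google.com"))
    print(site_password("sherlock", "https://mail.google.com/mail/"))  # same result
    print(f"{entropy_bits()} bits of keyspace")
```

Two properties of the scheme are worth keeping in mind when deciding whether to rely on it. The master password is the only secret: anyone who learns it and knows the method can derive every site password, so it deserves the same care as a password-manager master key. And eight hexadecimal characters give only 32 bits of keyspace, which is comfortably beyond online guessing limits but small against an offline attack on a leaked hash; raising `length` is free, since a longer prefix of the same digest costs nothing to generate.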
The SuperGenPass bookmarklet automates this process if you are willing to trust a third party, and there is no reason not to, given that the source code is available to scrutinise.