The hacker who claims credit for breaking into Sarah Palin's Yahoo Mail account is revealing how he did it -- and the process is far simpler than one might have imagined. Keep reading and see if your own accounts are really as secure as you think.
A message posted on a forum called "4chan," where news of the hack first surfaced, says the secret wasn't cracking Palin's password; it was changing it. A user identifying himself as "Rubico" claims all he did was select the option to reset the password on Yahoo Mail's interface. The service, he recalls, asked only for her birth date, her zip code, and where she met her husband (the answer to her chosen security question). All of that information can be found with some basic Internet searching -- a task the hacker says took him less than an hour. In other words, the account was only as strong as its recovery flow, and that flow was protected by facts about a public figure rather than by secrets. (Related: See Scientific American: How I Stole Someone's Identity)
The forum posting, incidentally, has been connected to an e-mail address belonging to a college student from Tennessee. Some reports speculate that student may be the son of a Democratic state representative also from Tennessee, though that information has not been confirmed. The FBI and Secret Service are actively investigating.
All right, so what can you do to keep yourself safe? The key lies in preparation: You have to take the time to secure your stuff before it becomes an issue. Some of the steps may seem obvious, but you'd be amazed how many people haven't taken them.
1) Strengthen Your Recovery Information. Now.
The security question Sarah Palin chose didn't turn out to be so secure. Most online services ask similarly innocuous recovery questions when you sign up. As this case demonstrates, it isn't hard for someone to track down that kind of basic information about you and reset your password themselves -- no matter how strong the password itself might be. A recovery flow is an alternate way into the account, so the account is only as strong as the weakest of the two. "Password recovery procedures are oftentimes weaker than the passwords themselves, which is frightening," Jeff Schmidt, an independent security consultant, points out.
So what to do? Treat the security question as a secondary password. Even if the service asks for something such as your spouse's name or the city where you were born, answer it with an unrelated term you'll remember but no one else could figure out -- the true answer is exactly the thing an attacker will go looking for. Maybe that's as simple as using your private nickname for your spouse or adding an extra letter onto the end of your birthplace; better still is a random answer recorded in the same safe place you keep your passwords. Whatever it is, develop a system -- and go fix your accounts right away.
2) Build Smart Passwords
The Palin hacker seemingly didn't figure out her password, but password guessing is something that happens quite frequently, too. Don't use a word, a name, or a birth date; those are the first things a guessing tool tries. Instead, generate a random (or at least semi-random) combination of letters, digits and, where the service allows them, symbols -- the longer the better. Treat eight characters as an absolute floor rather than a target. "The biggest thing is that they aren't dictionary words," Schmidt explains.
Change your password regularly, and avoid another common pitfall by not using the same password for every single service. It's all too common, Schmidt says, for a hacker to compromise one password -- then go try that same username and password on all sorts of other services. A single leaked password then opens every account that shares it. Don't make it that easy.
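Sections 1 and 2 boil down to one rule: a recovery answer or a password should be random, long enough that searching for it is infeasible, and free of anything an attacker can look up about you. The Python below is an added example, not code from the original article or from Yahoo. It generates secrets from the operating system's cryptographic random source, estimates how many bits of guessing work each kind of secret represents, and applies a simple check that rejects short secrets, plain lowercase words, and anything containing a known personal fact. The guess rates and the sample personal facts are constructed assumptions for illustration.

```python
import math
import secrets
import string
from typing import Iterable

# 62-symbol alphabet: upper- and lowercase letters plus digits.
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in a secret drawn uniformly from pool_size**length values."""
    return length * math.log2(pool_size)


def random_secret(length: int = 16, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a uniformly random secret with the CSPRNG behind `secrets`.

    Use this for both passwords and security-question answers; `random`
    is seeded predictably and must not be used for secrets.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the keyspace at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


def looks_guessable(secret: str, personal_facts: Iterable[str], min_length: int = 8) -> bool:
    """Heuristic reject: too short, a bare lowercase word, all digits,
    or containing a fact an attacker could find by searching."""
    if len(secret) < min_length:
        return True
    if secret.isalpha() and secret.islower():   # looks like a dictionary word
        return True
    if secret.isdigit():                        # looks like a date, zip code, phone number
        return True
    lowered = secret.lower()
    return any(fact.lower() in lowered for fact in personal_facts if fact)


# Constructed (assumed) search-space sizes for the kinds of answers the
# article warns about, versus a random answer of the same length class.
GUESSABLE_KEYSPACES = {
    "birth date within 100 years": 100 * 366,    # roughly 15 bits
    "US zip code": 100_000,                      # under 17 bits
    "lowercase word from a 100k-word list": 100_000,
}


def compare_keyspaces(random_length: int = 8) -> dict:
    """Bits of work for each guessable answer type versus a random alphanumeric one."""
    bits = {name: math.log2(size) for name, size in GUESSABLE_KEYSPACES.items()}
    bits[f"random alphanumeric, {random_length} chars"] = entropy_bits(len(ALPHANUMERIC), random_length)
    return bits


if __name__ == "__main__":
    # Constructed sample facts an attacker could look up about a target.
    facts = ["Wasilla", "1964", "99654"]
    for candidate in ["wasilla", "Wasilla1964", "Xy19rQ!z", random_secret(12)]:
        print(f"{candidate!r:24} guessable={looks_guessable(candidate, facts)}")
    for name, bits in compare_keyspaces().items():
        # Assume an offline attacker at 1e9 guesses/s and an online one at 10/s.
        print(f"{name:40} {bits:5.1f} bits "
              f"offline={expected_guess_seconds(bits, 1e9):.0f}s "
              f"online={expected_guess_seconds(bits, 10):.0f}s")
    print("random recovery answer:", random_secret(20))
```

The numbers make the article's point concrete: a true answer to "where were you born" is a lookup, not a guess, and even as a guess it is worth only around 15 bits, while an eight-character random answer is around 47 bits, which is why the real answer should never be the one you register.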
3) Watch Out For WiFi
Public WiFi connections can be convenient, but they can also put you at added risk. It's not too tough for someone on the same network to capture users' traffic and read anything sent over an unencrypted connection, including a login or a webmail session. "Never assume that your circuit is secure," Schmidt advises, "and always depend on some other higher level mechanism like SSL to secure your communications." That protection only holds if the whole session, not just the login page, runs over SSL, and if you stop at a certificate warning rather than clicking through it.
As with anything, you can never protect yourself 100 percent -- but by taking the proper precautions and handling your passwords prudently, you can lower your odds of having your own inbox hacked and spread across the Internet.