Dangers of the “forgot my password” link

This hasn’t been a good month for passwords…

In mid-January, George Samuel Bronk pleaded guilty in a California court to computer intrusion charges and possession of contraband images. He searched for women on Facebook, then broke into their email accounts. He didn’t guess the passwords of the email accounts; instead, he reset the password for each account using the “forgot my password” link. These links usually ask for personal information such as “what was the name of your first pet?”. Using information from the victims’ Facebook pages, he was able to answer the security questions and reset the passwords of many users.

Once he broke into the accounts, he searched the sent email folder, looking for photos that the account owner sent to others. In some cases, he found very personal photos, which he downloaded to his computer. And, as a consequence of his attack, the original email owner could not get back into their account.

As if this was not bad enough, Bronk then threatened to release the compromising photos of the victims unless they sent more photos to the email account he had taken over.

From this attack, we have learned that if a password is too difficult to guess, attackers can try to reset it using publicly available information. Therefore, I strongly suggest that you do not use real information when answering the security questions. Consider answering the question “Mother’s maiden name” with your favorite color, not your mother’s real name. Mix it up in a way that you will remember but an attacker won’t.

Then, the website “Trapster” announced that their site experienced an “incident”. The compromised data possibly included email addresses, account passwords and phone numbers of customers, but the site was not very specific. The risk of credit card exposure from this attack is low, since the site did not store credit card information. If the compromised data did include account passwords, the real risk is that the captured Trapster passwords could be used to log into other sites, such as Facebook. Note that a strong, difficult-to-guess password would be of no help here, since the passwords themselves were visible to a third party.

The lessons to be learned:

1. Complex, hard-to-guess passwords can easily be defeated through the “password reset” link. To protect yourself, make sure that the answers to your account’s security questions are not well-known. For example, don’t say your favorite color is red, say it is your birth month. Don’t give your real birthday; instead, change the day, month or year to your favorite number. Be creative with your answers.

2. Don’t use a single password for all of your Internet access, because if your password is stolen from one site, it can be used on every site that you use. For some, maintaining a different password for each account can be too difficult. In that case, make sure that at least the following passwords are not shared with any other site:

•  Your online banking password
•  Your social networking password
•  Your email password

Have I missed any accounts that should have a unique password? Let me know.