Seeking Alpha

By now, everyone knows that Governor Sarah Palin uses Yahoo for her e-mail, thanks to the anonymous group (named “Anonymous”) that broke into her e-mail account and shared it with the world. While Federal agents are investigating the invasion of privacy, and pundits filter the revelations through their pre-existing opinions (either for or against), to me it was remarkable how banal the revelations were.

But from a business standpoint, what seemed important was the reaction of security experts: that of course no enterprise should use free webmail services for official business. As someone who used to plan security policies for his (small) firm’s IT infrastructure, my initial reaction was that this was just snobbery on the part of these “experts”, who have expertise to sell (along with the obligatory slew of press releases by firms seeking to capitalize on the revelation).

Since a remotely accessible e-mail account is only as strong as its password, the key question for any service is how strict its password policy is. If the governor used “ToddTrig” as her password, then anyone could have guessed it with a dictionary attack built from a few public facts, whether the mail was hosted at yahoo.com or state.ak.us. A policy that requires a number and a letter and rejects choices that are too easy is better. However, as any CS-educated user will tell you, forcing a password change every six months only means that people write their passwords down (a no-no); rotation provides no protection at all against a password that can be guessed outright.
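An added example (not code from the original post) of the two sides of that paragraph: a policy that only checks character classes, and the targeted guessing attack it fails to stop. The profile and the candidate-generation rules are constructed assumptions for illustration, not anything the post reports.

```python
"""Character-class password rules versus a guessing attack built from public facts.

Added example (not code from the original post). The profile below is constructed
for illustration, and the candidate-generation rules are an assumption about how
an attacker would build a targeted wordlist.
"""
import itertools
import re

# Constructed sample profile: facts about the account holder that are already public.
SAMPLE_PROFILE = {
    "names": ["Todd", "Trig", "Bristol", "Willow", "Piper", "Track", "Sarah", "Palin"],
    "places": ["Wasilla", "Alaska", "Juneau"],
    "years": ["1964", "1988", "2008"],
}

# Stand-in for the common-password blocklist a real policy would ship with.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}


def meets_class_rules(pw):
    """The naive policy from the post: 8+ characters with at least one letter and one digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def targeted_wordlist(profile):
    """Lower-cased candidates an attacker would try first: single facts, pairs of
    facts, and each of those with a year, a two-digit year, or a 0-99 suffix."""
    words = [w.lower() for key in ("names", "places") for w in profile[key]]
    base = set(words)
    base.update(a + b for a, b in itertools.permutations(words, 2))
    out = set(base)
    for w in base:
        for y in profile.get("years", []):
            out.add(w + y)
            out.add(w + y[-2:])
        for n in range(100):
            out.add(f"{w}{n}")
            out.add(f"{w}{n:02d}")
    return out


def check_password(pw, profile):
    """Return (accepted, reason). Class rules alone let 'ToddTrig1' through;
    the targeted wordlist is what catches it."""
    if not meets_class_rules(pw):
        return False, "needs 8+ characters with a letter and a digit"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    if pw.lower() in targeted_wordlist(profile):
        return False, "derivable from public facts about the account holder"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["ToddTrig", "ToddTrig1", "Wasilla08", "correct-horse-7-staple"]:
        print(pw, check_password(pw, SAMPLE_PROFILE))
```

The point is that strength is relative to what the attacker already knows: “ToddTrig1” satisfies the letter-plus-digit rule and still sits in a wordlist of a few tens of thousands of entries, which an online guessing tool walks through in minutes unless the service also throttles login attempts.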

(Many organizations require a VPN for remote access to any corporate information, which used to seem like overkill but today does not. However, requiring a VPN means that people will say “use my personal e-mail account” when business associates want to contact them on vacation).

The one line of argument that did seem persuasive is the area of password recovery:

Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach of Sarah Palin's account came about were that it was through the password recovery options associated with the Yahoo webmail interface.

Even if a user has selected non-standard secret questions, or has linked other email accounts, this sort of information isn't going to take a determined hacker very long to dig up, especially if the target is already someone in the public eye.

Having recently had to reset the password for one of my online banking services, I found it quite clear that some firms do a much more serious job than others at designing password reset systems. My bank required a series of questions, and it doesn’t use the same questions every time, so someone who watched over my shoulder last time would not know what to answer this time. It also shows me a secret picture to discourage “man in the middle” type attacks (in practice this mostly deters look-alike phishing sites, since a genuine man in the middle can simply relay the picture).

I just tested the password reset mechanisms at Yahoo and Google, and (today) both seemed better than most. Both use a captcha to slow automated attacks. Yahoo gave me my custom challenge question, one whose answer I won’t forget but which is so obscure no one else will know it (although they could try to guess it mechanically, which is why a limit on wrong answers matters as much as the question itself). After L’Affaire Palin, perhaps I’ll pick a different obscure question with an even more obscure answer.

Google refused to let me reset it online, but instead forced me to use my secondary email address. If I don’t have access to it, then I have to wait:

If you don't have a secondary email address, or if you no longer have access to that account, please try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account.

To prevent someone from trying to break into an account you're actively using, the security question is only used for account recovery after an account has been idle for five days. The Gmail team cannot waive the five day requirement or access your password under any circumstances.

If you're unable to answer your security question or access your secondary email account, we regret that the Gmail team cannot provide further assistance. If you're concerned about the security of your account, please visit our Security Center.

Certainly this delayed-gratification approach would seem to block the security-question route against an actively used account, since every ordinary login restarts the five-day clock.
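The five-day rule quoted above, as an added example (not Google’s implementation): the two recovery paths side by side, with the idle-time gate on the security question and a throttle on wrong answers. The idle window comes from the quoted help text; the attempt limit, lockout length, token lifetime, hashing and the timeline are assumptions constructed for illustration.

```python
"""Account recovery modelled on the Gmail help text quoted above: a token mailed
to the secondary address works at any time; the security question is accepted
only once the account has been idle for five days; wrong answers are throttled.

Added example, not Google's code. The five-day window comes from the quoted text;
the attempt limit, the lockout length, the token lifetime and the answer hashing
are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

IDLE_BEFORE_QUESTION = timedelta(days=5)   # from the quoted help text
MAX_QUESTION_ATTEMPTS = 3                  # assumption
LOCKOUT = timedelta(hours=24)              # assumption
TOKEN_LIFETIME = timedelta(hours=1)        # assumption


def _hash_answer(answer, salt):
    """Normalise case and whitespace (so 'Wasilla ' matches 'wasilla'), then
    salt and stretch: the answer is effectively a second, weaker password."""
    norm = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 50_000)


class Account:
    def __init__(self, secondary_email, answer, now):
        self.secondary_email = secondary_email
        self._salt = os.urandom(16)
        self._answer_hash = _hash_answer(answer, self._salt)
        self.last_activity = now
        self.failed_attempts = 0
        self.locked_until = None
        self._tokens = {}                  # token -> expiry

    def touch(self, now):
        """Any login or mail check is activity and restarts the idle clock."""
        self.last_activity = now

    def start_email_recovery(self, now):
        """Path 1: single-use token sent to the secondary address (always available)."""
        token = os.urandom(16).hex()
        self._tokens[token] = now + TOKEN_LIFETIME
        return token

    def finish_email_recovery(self, token, now):
        expiry = self._tokens.pop(token, None)   # pop makes the token single-use
        return expiry is not None and now <= expiry

    def answer_question(self, answer, now):
        """Path 2: refused while the account is in use, and throttled once open."""
        if now - self.last_activity < IDLE_BEFORE_QUESTION:
            return "refused: account active within the last 5 days"
        if self.locked_until is not None and now < self.locked_until:
            return "refused: too many wrong answers"
        if hmac.compare_digest(_hash_answer(answer, self._salt), self._answer_hash):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_QUESTION_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT
        return "wrong answer"


def run_scenario():
    """Constructed timeline; returns the verdict at each step so it can be checked."""
    t0 = datetime(2008, 9, 16, 12, 0)
    acct = Account("backup@example.invalid", "Wasilla", t0)
    out = []
    out.append(acct.answer_question("Wasilla", t0 + timedelta(days=1)))     # owner active: refused
    acct.touch(t0 + timedelta(days=2))                                      # owner logs in again
    out.append(acct.answer_question("Wasilla", t0 + timedelta(days=6)))     # only 4 idle days: refused
    out.append(acct.answer_question("wasilla ", t0 + timedelta(days=8)))    # 6 idle days, normalised: ok
    for _ in range(MAX_QUESTION_ATTEMPTS):
        acct.answer_question("ToddTrig", t0 + timedelta(days=8))            # attacker guessing
    out.append(acct.answer_question("Wasilla", t0 + timedelta(days=8)))     # locked out, even if right
    out.append(acct.answer_question("Wasilla", t0 + timedelta(days=9, hours=1)))  # lockout over: ok
    tok = acct.start_email_recovery(t0)
    out.append(acct.finish_email_recovery(tok, t0 + timedelta(minutes=30)))  # True
    out.append(acct.finish_email_recovery(tok, t0 + timedelta(minutes=30)))  # False: single use
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Two things the quoted text does not say but a practitioner would want: the idle gate alone does not stop a patient attacker against an account that genuinely goes quiet, so the throttle on wrong answers is what limits guessing against an obscure question; and the answer should be stored hashed and normalised like a password, because for recovery purposes that is what it is.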

Even so, this is the sort of publicity that Yahoo (and Google and Hotmail) don’t really need, particularly when large bureaucratic IT departments start to ban the use of webmail accounts. Even famous people without IT departments will (not unreasonably) think twice about using such services for their mail.


This article has 9 comments:

  •  
    I wonder what happens if you call Yahoo and tell them you forgot the password and give them your e-mail address. Do they give you a new password over the phone and tell you they've reset it to "abc" or some such? Maybe someone just pretended to be Palin. Maybe it was an inside job and an Obama-sympathizer Yahoo-employee got access to Palin's e-mail. As Andy Devine said in one of his movies, "Remember, 90% of all serious crime is an inside job."
    2008 Sep 18 02:06 PM | Link | Reply
  •  
    The fact that Sarah Palin was using a Yahoo! account is almost negligible in light of the fact that Anonymous members were illegally cracking the email account and deliberately spread private and government information on the internet, on top of all endangering the safety of Palin's family. No "public interest" exists for this, and their doing was just plain illegal. Anonymous has been known for illegal and harassing actions for a long time.

    Article:
    www.nolanchart.com/art...

    Fox11 News on Anonymous:
    www.youtube.com/watch?...

    Anonymous response:
    www.youtube.com/watch?...

    Another Fox11 report:
    www.youtube.com/watch?...

    Anonymous documentary:
    www.youtube.com/watch?...
    www.anonymous-exposed....
    2008 Sep 18 04:07 PM | Link | Reply
  •  
    Yahoo's forget-your-password is not very secure, you just need a birthday and zip code. When I set up my email some 12 years ago with them, I don't remember them asking for an alternate email, unlike now. So I would imagine they will ask for an alternate email for them to send the password to upon using this forget-your-password feature. Or it could simply be just one of the employees in Yahoo as the previous comments said...
    2008 Sep 19 09:48 AM | Link | Reply
  •  
    Website: http://www.xeltek.com
    Diamonds, my first email account was from Yahoo and it was in 1995. I am pretty sure they asked for the secondary email address, which was optional. I also remember that I was trying to recover one of my friends' passwords on Yahoo a couple of months ago. And it gave us really hard times. It asked so many security questions which I cannot really remember all. On the other hand, I am unsure whether Gmail's 5-day delay is going to prevent hacking the system. It is only going to prevent the rookies and jealous boyfriends. I don't find it a securing solution.
    2008 Sep 19 10:36 AM | Link | Reply
  •  
    Way back when dinosaurs roamed the earth and e-mail was a new frontier, no, they didn't ask for secondary email accounts.
    2008 Sep 19 12:52 PM | Link | Reply
  •  
    By the way, forcing a lock or breaking a window to gain entry to a facility is still illegal. Large or small, wrong should still be wrong. Just because you can, doesn't mean you should... or that it's okay.

    With this kind of mindset society continues to weaken.
    2008 Sep 19 01:15 PM | Link | Reply
  •  
    Two questions:
    1. Have the investigators into Palin's dealings subpoena'd Yahoo for her emails?
    2. Would Yahoo be able to recover them, even if she deleted them?
    2008 Sep 19 03:15 PM | Link | Reply
  •  
    It's time they boost up the security
    2008 Sep 20 12:30 PM | Link | Reply
  •  
    I use Gmail and love it. After reading this I went to reinforce my security question and find out what I had for my secondary e-mail. Gmail users should check on the first (General) page of settings "Always use https" so their connection to Google will be encrypted at all times. That is as good as a VPN.
    2008 Sep 28 02:17 PM | Link | Reply