Thursday, September 18, 2008

How they did it

I had thought whoever hacked into Sarah Palin's e-mail account had simply guessed her password. Most people, after all, don't have very secure passwords, or, indeed, the foggiest idea of how to create one. In fact, it was a little more involved (hat tip: Weekly Standard):

The AP reports the hacker impersonated Palin, using the "forgot your password?" feature to gain access. He simply gave Palin's birthdate and zipcode, and then answered the secret question, "Where did you meet your spouse?" The answer, of course, was "Wasilla High." He showed up on a forum yesterday to brag about his feat under the name, "Rubico."

I have a few accounts with similar features. Most of them e-mail the password (or reset the password and e-mail a temporary password) to your registered e-mail address. But your e-mail service may not have that option. Instead, a challenge-and-response system is used. The user is asked to supply information other people won't have access to.

Unfortunately, information that other people can't get at is very hard to find in the average life. Birthdates get recorded by social networking sites, unless users take care not to provide them. They're probably also on any number of public documents -- if not in one place, then certainly scattered around several. And if you know a famous person's address, you can get the zip code from Mapquest or similar services.

Other "secret questions" are not that hard to guess. If you're known to have grown up in a particular city, the name of the high school is drawn from a fairly small set of possibilities. The make of your first car is also a fairly restricted set. (The name of your first car is a bit harder. My ex suggested the car we were using at the time be named "Imelda" because it kept needing new brake shoes.)

A secure password is a good way of restricting access to authorized users. You have a large target space, and a very small target to hit by random guessing. (Even a four-digit PIN is secure, because someone standing at an ATM punching in numbers for half an hour is bound to draw attention. But I'd still like the option to have a longer PIN.)

Every pathway that allows access to someone who's forgotten his password is another target to aim at, and one where, as I've mentioned, the number of false targets may not be as large as it is for a password. And if a site is anything like some I've gotten accounts for, there may be as many as half a dozen "secret questions" that might come up. Each one of those is an access way of unknown size.

Hopefully, you're already picking your passwords with care. Pick your secret questions and answers with equal care. (Maybe, for any question about cars, you could decide you'll always give the correct answer about pets? But you need to be consistent enough that you'll remember it when you need it.)
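For comparison with the challenge-and-response pathway the post describes, here is what the other option mentioned above looks like in code: a reset that sends a random single-use token to the registered e-mail address instead of asking questions whose answers can be looked up, with the token hashed in storage, expired after a short window, and the account locked after a handful of wrong attempts (the same "draws attention" effect the PIN remark relies on, done by the server). This is an added example and not code from the original post; the in-memory store, the sample account, the placeholder address and the function names are all assumptions for illustration.

```python
"""Added example (not from the post): a password-reset pathway that relies on
the registered e-mail address rather than on guessable "secret questions".
The user store, the outbox and the sample account are constructed for the demo."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a reset token is valid for 15 minutes
MAX_ATTEMPTS = 5              # wrong tokens tolerated before the request is locked

# Constructed "database": account -> registered e-mail address (placeholder value).
USERS = {"sample_account": "registered-address@example.com"}
PASSWORD_HASHES = {}          # account -> (salt, pbkdf2 hash); filled by set_password
PENDING = {}                  # account -> [sha256(token), expiry_unix_time, wrong_attempts]
OUTBOX = []                   # stands in for the mail server; entries are (to, token)


def hash_token(token: str) -> bytes:
    """Only this digest is stored server-side, so a database leak does not leak usable tokens."""
    return hashlib.sha256(token.encode()).digest()


def set_password(account: str, new_password: str) -> None:
    """Store a salted PBKDF2 hash of the new password (hypothetical user-store hook)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    PASSWORD_HASHES[account] = (salt, digest)


def request_reset(account: str, now=None) -> bool:
    """Issue a reset token for `account` and 'mail' it to the registered address.

    Returns False for an unknown account; the web layer would show the same
    "if that account exists, mail has been sent" message either way."""
    now = time.time() if now is None else now
    email = USERS.get(account)
    if email is None:
        return False
    token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
    PENDING[account] = [hash_token(token), now + TOKEN_TTL_SECONDS, 0]
    OUTBOX.append((email, token))                     # the plaintext copy leaves only by mail
    return True


def outbox_latest() -> tuple:
    """Return the most recently 'mailed' (address, token) pair (demo convenience)."""
    return OUTBOX[-1]


def redeem_reset(account: str, presented: str, new_password: str, now=None) -> str:
    """Check a presented token and, if it is good, set the new password.

    Returns one of 'ok', 'no_request', 'expired', 'locked', 'bad_token'."""
    now = time.time() if now is None else now
    entry = PENDING.get(account)
    if entry is None:
        return "no_request"
    digest, expires, attempts = entry
    if now > expires:
        del PENDING[account]
        return "expired"
    if attempts >= MAX_ATTEMPTS:
        return "locked"                               # bounded guessing, like the ATM
    if not hmac.compare_digest(digest, hash_token(presented)):  # constant-time compare
        entry[2] += 1
        return "bad_token"
    del PENDING[account]                              # single use: a replay cannot succeed
    set_password(account, new_password)
    return "ok"


if __name__ == "__main__":
    request_reset("sample_account")
    _, mailed = outbox_latest()
    print(redeem_reset("sample_account", "guess", "new-pass"))   # bad_token
    print(redeem_reset("sample_account", mailed, "new-pass"))    # ok
    print(redeem_reset("sample_account", mailed, "new-pass"))    # no_request
```

The search space an attacker faces here is the 256-bit token rather than the handful of plausible high schools in a known home town, and the attempt counter keeps even that space from being probed at leisure. If a site must keep knowledge-based questions as a fallback, the same treatment applies to the answers: hash them like passwords, rate-limit the endpoint, and never echo which part of the answer was wrong.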
