Wednesday, February 23, 2005

You too can be hacked when the answer to your secret question is the name of your famous, book-writing dog

How secret is your "secret question" when you are famous for being famous and your life is an open book? It is looking more and more like Paris Hilton's Sidekick II was hacked into thanks to really, really bad password protection. Or, as MacDevCenter points out, thanks to a really obvious "secret question" meant to make things really easy for users who have forgotten their passwords.

"Like many online service providers, T-Mobile.com requires users to answer a 'secret question' if they forget their passwords. For Hilton's account, the secret question was 'What is your favorite pet's name?' By correctly providing the answer, any internet user could change Hilton's password and freely access her account."

Apparently her dog, Tinkerbell, is almost as famous as her. He is an author (The Tinkerbell Hilton Diaries: My Life Tailing Paris Hilton), a fashion accessory and a dog-about-town. Anybody with more interest in inane celebrities than I would have been able to get her secret question and log into the T-Mobile system.

For a good review of the inherent weakness of these systems, see Schneier on Security: The Curse of the Secret Question.
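
An added example, not from the original post and not T-Mobile's code: a minimal Python model of the reset flow the MacDevCenter quote describes, beside a variant where a correct answer is not enough because the change requires a one-time token delivered to the contact on file. The account record, the function names and the 15-minute expiry are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample account. Plaintext fields keep the model short;
# a real system stores password hashes, never the password itself.
ACCOUNTS = {
    "celebrity": {
        "password": "original-password",
        "secret_answer": "tinkerbell",  # the answer is public knowledge
        "reset_tokens": {},             # sha256(token) -> expiry timestamp
    }
}

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed expiry window


def weak_reset(user, answer, new_password):
    """The flow the post describes: the answer alone authorizes the change."""
    acct = ACCOUNTS[user]
    if answer.strip().lower() == acct["secret_answer"]:
        acct["password"] = new_password
        return True
    return False


def request_reset(user, deliver):
    """Hardened step 1: send a random one-time token to the contact on file."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    ACCOUNTS[user]["reset_tokens"][digest] = time.time() + TOKEN_LIFETIME_SECONDS
    # deliver() stands for the out-of-band channel (registered e-mail or SMS);
    # the token is never returned to whoever submitted the reset request.
    deliver(user, token)


def hardened_reset(user, token, new_password):
    """Hardened step 2: only the delivered token authorizes the change."""
    acct = ACCOUNTS[user]
    digest = hashlib.sha256(token.encode()).hexdigest()
    expiry = acct["reset_tokens"].pop(digest, None)  # pop makes it single use
    if expiry is None or time.time() > expiry:
        return False
    acct["password"] = new_password
    return True
```

In the hardened flow, knowing the pet's name gets a requester nothing: the secret that matters is generated at random per request and reaches only the account owner's registered contact.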
