The Digital Rag
Real World Information in a Virtual World
Friday, September 03 2010 @ 04:37 PM PDT

Lost Password Questions May Allow Someone To Impersonate You

Computers in Use

By now most people around the Internet have heard how Vice Presidential hopeful Sarah Palin's Yahoo e-mail account was compromised. Regardless of whether she should have been using a public and insecure service for her business/government e-mail (the subject of another story I'll write), the fact is that the way it was compromised could lead to similar compromises of almost anyone I know.

It all has to do with how some sites decide that it is really you asking to reset your password.

And oh, by the way, this also applies to those pesky questions you are asked when you fill out online surveys or applications for free magazines - you know, the ones that want to "verify" you for their auditors.

 


Some sites use a "secret" Question/Answer method of figuring out if you are who you say you are, even if you can't recall the password you should be using. There are two types of such sites: Those with a fixed list of questions, and those where you can propose a question.

In both cases you should ensure that the answer you give is NOT something that somebody else might know about you or guess, just as you obfuscate your passwords (I hope) by using mixed UPPER/lower case and adding in non-alpha characters.

The major thing here is to not use real information, or if you do, to ensure that nobody but you can enter it correctly by slightly "encoding" it.

You can do this in a couple of ways. You can add extra characters or non-obvious misspellings: Mother's maiden name of Smith becomes ssmmiitthh or hhttiimmss or htims or sm1th - you get the picture.

You can also answer with something completely different, with or without other obfuscation: Smith becomes Wiser or Verban or any other name.

The main thing here is to use a rule that you can remember at all times - a rule that you always use or an answer to the standard question that you always use no matter what.

Example rules (you can use these but it is likely better to make up your own):

  • spell the correct answer but with double letters as in the above example
  • always answer the "mother's maiden name" with the name of your first pet (or first boy/girl friend, etc.)
  • always answer every question with the same nonsense word (I have one I've used for years)
  • spell the standard wrong answer with double letters
  • spell the correct answer completely wrong (also works when using an incorrect answer)
    • remove vowels
    • add extra vowels
    • use numbers like 1 for I or 3 for E or 5 for S
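The rules above written out as small composable functions, so you can see exactly what a chosen rule produces and confirm the stored answer no longer matches anything known about you. This is an added example, not code from the original post; the function names and the sample "known facts" list are constructed for illustration.

```python
"""Added illustration of the answer-encoding rules listed above.
All names and sample values here are constructed, not from the original post."""

LEET_DIGITS = {"i": "1", "e": "3", "s": "5"}  # "1 for I or 3 for E or 5 for S"
VOWELS = set("aeiou")

def double_letters(s):
    return "".join(ch * 2 for ch in s)

def reverse(s):
    return s[::-1]

def drop_vowels(s):
    return "".join(ch for ch in s if ch not in VOWELS)

def leet(letters="ies"):
    """Build a rule that swaps only the chosen letters for digits."""
    table = str.maketrans({ch: LEET_DIGITS[ch] for ch in letters})
    return lambda s: s.translate(table)

def encode_answer(answer, rules):
    """Apply the same chain of rules, in order, every time."""
    out = answer.strip().lower()
    for rule in rules:
        out = rule(out)
    return out

def is_guessable(answer, known_facts):
    """True if the answer equals something others may know about you."""
    norm = answer.strip().lower()
    return any(norm == fact.strip().lower() for fact in known_facts)

if __name__ == "__main__":
    known = ["Smith", "Rex"]  # constructed: maiden name, first pet
    chains = {
        "double letters": [double_letters],
        "double + reverse": [double_letters, reverse],
        "reverse": [reverse],
        "1 for I": [leet("i")],
        "remove vowels": [drop_vowels],
        "no rule (real answer)": [],
    }
    for label, rules in chains.items():
        enc = encode_answer("Smith", rules)
        print(f"{label:22} {enc:12} guessable={is_guessable(enc, known)}")
```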

In Sarah Palin's case it appears she answered a standard question with real information, and since her life is under a microscope lately, the answer was apparent to anyone who cared to try. In today's digital environment there is far more available and known about you than you may realize, so you should consider that any/all such real answers might be known to someone who may want to impersonate you.

Being really paranoid, you might consider that people like an ex-spouse or next door neighbour with a grudge might know enough, even if the rest of the world doesn't.

As always, give as little information about yourself as you possibly can, and when you do give it in any but legally compelling circumstances (bank, government, etc.) be free with the obfuscation. Chances are that nobody will ever actually look at what you put in the answers.

 
