[133696] in cryptography@c2.net mail archive


Password Recovery Attack

daemon@ATHENA.MIT.EDU (Bill Frantz)
Sun Sep 21 14:53:28 2008

Date: Sat, 20 Sep 2008 14:41:35 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: Cryptography <cryptography@metzdowd.com>

One attack on services that use personal questions as a backup
form of user verification works well for high-profile users of
these systems. The attack is very simple. Go into the password
recovery page, and use Google to look up the answers to the
personal questions asked. There is enough Googleable data around
for high-profile people, and perhaps not so high profile people,
that the attack can be successful often enough to be useful. My
sources say Sarah Palin's email account was breached using this
attack.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"We used to quip that 'password' is the most common
408-356-8506       | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
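
The two recovery designs the post contrasts implicitly, as an added example that is not part of the original message: a knowledge-based reset that accepts static answers with no attempt limit, fed directly with "search results", beside a reset that instead issues a random, short-lived, single-use token through a registered channel and caps guesses. The user names, questions and answers are constructed for the illustration and are not drawn from the post or from any real account.

```python
"""Knowledge-question recovery vs. token-based recovery (added example)."""
import hmac
import secrets
import time

# Constructed profile for a hypothetical user. Every "secret" answer is the
# kind of fact a web search turns up for a public figure.
PUBLIC_FACTS = {"birthplace": "Springfield", "high_school": "Central High"}
STORED_ANSWERS = {"birthplace": "springfield", "high_school": "central high"}


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, as recovery forms usually do."""
    return " ".join(answer.lower().split())


class KnowledgeRecovery:
    """The pattern the post attacks: fixed answers, unlimited attempts."""

    def __init__(self, answers: dict):
        self.answers = {q: normalize(a) for q, a in answers.items()}

    def verify(self, given: dict) -> bool:
        # Constant-time compare does not help here: the answers are public.
        return set(given) == set(self.answers) and all(
            hmac.compare_digest(self.answers[q], normalize(a))
            for q, a in given.items()
        )


def attack_from_search_results(recovery: KnowledgeRecovery, facts: dict) -> bool:
    """The attacker's whole procedure: paste searched-up facts into the form."""
    return recovery.verify(facts)


class TokenRecovery:
    """Random token delivered out of band, time-limited, single-use, rate-limited."""

    def __init__(self, ttl: float = 900.0, max_attempts: int = 5, clock=time.monotonic):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested offline
        self.pending = {}   # user -> [token, expiry, attempts_left]

    def start(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits: not guessable or searchable
        self.pending[user] = [token, self.clock() + self.ttl, self.max_attempts]
        # In a real service this is sent to the registered e-mail/phone only.
        return token

    def verify(self, user: str, presented: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        token, expiry, attempts_left = entry
        if self.clock() > expiry or attempts_left <= 0:
            self.pending.pop(user, None)
            return False
        entry[2] -= 1
        if hmac.compare_digest(token, presented):
            self.pending.pop(user, None)  # single use
            return True
        if entry[2] == 0:
            self.pending.pop(user, None)  # lock out after max_attempts guesses
        return False


if __name__ == "__main__":
    weak = KnowledgeRecovery(STORED_ANSWERS)
    print("knowledge questions breached:", attack_from_search_results(weak, PUBLIC_FACTS))
    strong = TokenRecovery()
    tok = strong.start("alice")
    print("guess accepted:", strong.verify("alice", "springfield"))
    print("real token accepted:", strong.verify("alice", tok))
    print("token reusable:", strong.verify("alice", tok))
```

The point of the contrast is that the weak flow's secret is a fact about the person, which an attacker can find without ever touching the account, while the strong flow's secret is generated at reset time, unknown to anyone who cannot read the registered channel, and stops being useful after a few minutes or one use.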
