It’s no secret that, when it comes to breaking passwords, the limits of human memory are the best way in. While former Beatle and human metronome Ringo Starr isn’t particularly known for his powers of recollection, it wasn’t his memory hackers needed to crack into Starr’s Twitter account, as the Daily Dot reported this week. Instead, all it took to get in was a workaround through safeguards against his manager’s forgetfulness.
Breaking a password outright can be hard, especially if the password is sufficiently long or very complicated. Many online services require some variation of the latter; a few require versions of the former. This is good in theory: It’s a lot harder for a password-cracking program to guess H3lL0 VVoRID! than it is to find Hello World!, but it’s also a lot easier for a user to forget exactly which L is a lowercase L versus an uppercase I, and which O is really a zero. To make sure people can still gain access to their information even if they forget their password, online services offer security questions as a best practice. Done properly, these let users back into their accounts without compromising their information. Done poorly, security questions turn a little Googling into an easy way to bypass passwords.
This is what happened to Ringo. His Twitter account is managed by Doug Brasch, a senior director of digital marketing at Universal Music Group. To get into Starr’s Twitter, the hacker first had to get into Brasch’s email. To get into Brasch’s email, the hacker had to answer two security questions: Brasch’s birthdate, and the name of his nephew. Those are incredibly easy facts to remember: It’s hard to imagine someone forgetting when they were born, and only the worst of uncles could forget about their sibling’s kids.
The problem is that those answers are also super easy to find online. Facebook makes an annual ritual of birthday awareness, and many social media sites include the option to display the exact day, month, and year for all to see. Family relationships, too, aren’t hard to decipher. Facebook outright encourages publicly linking one’s profile to that of relatives and clarifying the family relationship. This is, according to what the hacker told the Daily Dot, exactly how they got in: Get the questions, find the answers, and then get into the account itself. It is not a very technologically sophisticated hack, but one instead predicated on a fundamental flaw in online security: People will forget strong and complicated passwords, but they can remember easy answers to security questions.
Part of Brasch’s problem is that the questions he picked had super-public answers. Birthdays and family members are a lot easier to find than, say, who was their childhood hero, or where they were on 9/11. Both these examples come from user James of Geeks with Blogs in a post he wrote back in 2009 outlining better security questions after former Alaska Gov. Sarah Palin’s account was hacked in this same way. James sets out some rules for choosing good security questions:
- Easy to remember, even 5 or 10 years from now
- At least thousands of possible answers
- Not a question you would answer on Facebook, MySpace, in a “Fun Questions to Ask” survey, or in an article or interview
- Simple one or two word answer
- Never changes
Apart from the dated reference to MySpace, those rules feel just as pressing today. And given how much of the old Internet is still floating around, something answered on a forgotten MySpace page may still provide a way into an account by the same person somewhere else online today.
As Ringo Starr sang in “Mindfield” off of his 1998 Vertical Man album:
Everything you do or say comes with a price that you must pay
I didn’t know that yesterday
It’s a bad idea to post personal information online, but there are certain types of information that are more discoverable than others. Adopting better security questions, ones that can’t be answered easily with a little bit of online digging, is a basic way to protect our online information from the inevitable weaknesses of human memory.
Kelsey D. Atherton is a Washington, D.C.-based technology journalist. His work appears regularly in Popular Science, and has appeared in Popular Mechanics and War Is Boring. Follow him on Twitter @AthertonKD.
Photo via Eva Rinaldi/Wikipedia (CC BY-SA 2.0) | Remix by Fernando Alfonso III