Friday, September 19, 2008

Let that be a lesson to you

The most significant political revelation about Sarah Palin's Yahoo! email account being "hacked" is that she used a private email for official business (not unlike some other elected officials we know...perhaps she does have the experience to be VP!). Regardless of how you feel about that, the manner in which the account was accessed should be a lesson to anyone who posts online.

The reported way it happened was that the attacker got in by activating the "I forgot my password" functionality, which forced him (or her?) to answer some personal questions. The first questions were standard: birthdate and zip code. The last was self-selected, in this case, where Sarah Palin met her husband. The attacker successfully gained access because all of this information was easily available online.

A few articles have mentioned how this is a risk for people in the public eye; however, a similar attack can be made on anyone who posts personal information, such as on MySpace or Facebook.

Birthdays are pretty commonly posted. Sure, some people suppress the year "for security purposes," but all it takes is a post about a birthday milestone (21st, 30th, etc.) and some basic math skills to work around that.

Zip codes are rarer in personal posts, but addresses can sometimes be found through other sources. Also, if you live in a small town (Wasilla, AK?) there may be a limited number of choices, or if you frequently post about the neighborhood you live in you may have already narrowed down the options.

High schools and colleges are frequently posted with alumni pride, but they are also used as security prompts (either directly or indirectly as in where Sarah Palin met her hubby: Wasilla High).

What's a social networker or blogger to do?

First, limit the blatantly personal stuff, but realize some is likely to leak out. Even if you don't post under your real name, someone may post a comment with your name or an obvious variant. References to milestone birthdays equal references to birthdates. Referring to maternal grandparents by name usually means you just revealed your "Mother's Maiden Name."

Second, limit access to all but the most generic information. Sadly, this can limit some of the fun of websharing (note that this blog is fully open as of this post); however, it can help prevent your data from being easily read by anyone. But don't think that limiting to "friends" will make everything okay. All but the most disciplined friends lists have a way of getting unwieldy and including people you may have never really met. Also, there can be security incidents in which data is "accidentally" made public due to a security flaw. Or the site can be hacked. Oh, and there can be a lot of developers (for the site you use as well as plug-in applications) who may have access to your data. The simple answer is: if it's on the Internet, assume a lot of people may be able to see it.

Third, lie in your security questions or modify the truth to make the answers unguessable. Say you were born in a city you've never been to. Answer your mother's maiden name with your parents' anniversary date. Move your hands over on the keyboard so typing the same word ends up as nonsense. Of course, the risk in these cases is that YOU will forget the answer, which is why number four is important.

Fourth, be sure to list an alternate email. If you have another email on file, most sites give you the option of having the password reset sent there. That will protect you if you make your security question so difficult that even you can't answer it. (Note, however, that this won't stop someone else from getting into your account by answering the question, so be sure it's a good one.)

Admittedly, the sort of attack and prevention described above implies a scenario in which someone has targeted your specific account. Hopefully, no one will want to do that. But when you realize the above can hold true for your online banking as well, perhaps it's better to be cautious. You never know when you might make someone angry, or a "friend" wants to play a prank on you, or you get tapped to be the Republican vice-presidential nominee. It happened to a "hockey mom" from Alaska; it can happen to you!
