How Sarah Palin's Email Got Hacked

Sarah Palin might be the first Vice Presidential candidate to get her online email account hacked, but she's not the first person to have this problem, and she certainly isn't the first to get hacked using information readily available on Google and Wikipedia. Palin's experience shows how relatively easy it is for someone to brute-force a password, or to social-engineer the answers to security questions, using nothing more than public information. In this case, the purported hacker actually told us how he/she (it was an individual, btw) did it using Google and Wikipedia. Here's an excerpt from the hacker's own words, thanks to a blog post by Michelle Malkin.

it took seriously 45 mins on wikipedia and google to find the info. Birthday? 15 seconds on wikipedia. Zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was "where did you meet your spouse?" did some research, and apparently she had eloped with mister palin after college. if you'll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket you will see the google search for "palin eloped" or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that: high, high school, eventually hit on "Wasilla high". I promptly changed the password to popcorn and took a cold shower...

Now what do you think of those pointless security questions, like "What is your city of birth?" and "What high school did you graduate from?" They really are pretty pointless unless the question is one that very few people can answer and whose answer can't be found online somewhere.

You might not be a VP candidate, but do you have a social networking account somewhere, say Facebook or MySpace? That plus some Google searching could easily turn up personal information that is useful to an attacker. Historical facts about your life aren't a good source for password security question answers either. And of course, you'd be best off starting with a really hard-to-crack password that you change regularly: something with a good strong mix of letters, numerals and special characters, at least 10-12 characters long, that isn't some guessable word, zip code or other identifiable string.
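As an added illustration of that advice (example code written for this page, not from the original post or its author): a password checker that enforces the length and character-class rules and also rejects passwords built from the kind of facts a web search turns up about a person. The profile, the two zip codes and the small wordlist are constructed sample values, not real data.

```python
import re
import string

# Constructed sample profile for the example: the kind of facts a web search
# turns up about anyone. The name and dates are invented; the two zip codes
# are placeholders standing in for "a town with only a couple of zip codes".
SAMPLE_PROFILE = {
    "first_name": "Alex", "last_name": "Rivera",
    "hometown": "Wasilla", "high_school": "Wasilla High",
    "birthdate": "1964-02-11", "zip_codes": ["99654", "99623"],
}
# Small constructed wordlist standing in for a real common-password dictionary.
COMMON_WORDS = {"password", "popcorn", "welcome", "letmein", "qwerty"}
# Undo the usual digit-for-letter substitutions before matching ("p0pc0rn").
LEET = str.maketrans("0134578@$", "oieastbas")

def profile_tokens(profile):
    """Strings derived from the profile that must not appear in a password:
    name and place words, zip codes, and common ways of writing a birthday."""
    tokens = set()
    for key in ("first_name", "last_name", "hometown", "high_school"):
        tokens.update(w.lower() for w in profile.get(key, "").split() if len(w) >= 4)
    tokens.update(profile.get("zip_codes", []))
    if "birthdate" in profile:
        y, m, d = profile["birthdate"].split("-")
        tokens.update({y, m + d, d + m, y + m + d, m + d + y, y[2:] + m + d})
    return tokens

def check_password(pw, profile, min_len=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if re.fullmatch(r"\W*\d{5}(?:-\d{4})?\W*", pw):
        problems.append("is just a zip code")
    lowered, unleeted = pw.lower(), pw.lower().translate(LEET)
    if re.sub(r"[^a-z]", "", unleeted) in COMMON_WORDS:
        problems.append("is a common word with decorations")
    for tok in sorted(profile_tokens(profile)):   # check raw and de-leeted forms
        if tok in lowered or tok in unleeted:
            problems.append(f"contains profile-derived string {tok!r}")
    return problems

if __name__ == "__main__":
    for candidate in ["popcorn", "99654", "W4silla1964!", "P0pc0rn!!", "Tq7#vBn2$kLm9p"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

Only the last candidate passes; the others fail on length, on being a zip code, on being a decorated dictionary word, or on containing the hometown and birth year that a search would reveal.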


Copyright © 2008 IDG Communications, Inc.