Edited by chromatic
A recent thread on the Editors List started with surprise that our work
made it to the New York Times attached to a juicy bit of celebrity gossip,
then, as usual, morphed into a discussion of practical uses of technology.
Here's an idea for making your personal secrets more secret and less
You don't see O'Reilly Network mentioned in the New York
Times often but in an article about Paris Hilton....
Sunday NYT's This Week in Review had an article Some
Sympathy for Paris Hilton regarding the hacking of her Sidekick and
the subsequent publishing of her personal data.
At the end of the article, it mentions an article on O'Reilly Network
by Brian McWilliams, called How
Paris Got Hacked that we published recently, which chides Paris
for using her dog's name as her password.
I just took a brief look at our article. I don't know
about T-Mobile's site, but many sites present you with only a fixed list
of so-called "secret questions", and often none of the choices are any
good. For example, I was recently presented with a list like this:
- What is your dog's name?
- What is your mother's maiden name?
- In what city were you born?
I basically had to choose one of these, and I mean that I had
to choose. I couldn't choose not to have a secret question, nor
could I enter my own question. It would be no trouble at all for someone
else to dig up the answer to these questions. #2 and #3 are easy.
Finding out my dog's name (I used my previous dog, now dead) might be
more of a challenge, but, were I a celeb, I'm sure it wouldn't be too
Password management is a horrible problem for online
There is nothing that requires the password you set to
actually be an answer to that question. It's not like they're going to
say--hey he wasn't born in Brookline or 7xs3Kt can't be his mother's
How'd you know my mother's maiden name was
True enough, which is why I used my long-dead dog's name.
However, if you use a password that's not the answer to the
question, then that defeats the whole purpose of the question, because
what then do you do when you forget that
Simple. You use the same answer for all secret
- What is your favorite color? sqlrox
- What is your quest? sqlrox
- What is the relative air speed velocity of an unladened swallow?
European or African?
Hey, that's a really good idea. I like it. I think I'm
going to start doing that.
I think the real problem with T-Mobile's implementation
was that they allowed direct access to her web-based inbox to anyone
that could answer the secret question, rather than sending an email to
some other previously entered address that then triggers the user to
reset their T-Mobile password (the way most secret question systems
FWIW, I thought long and hard about whether to publish that article at all. It was
a bit of a departure from our normal ORN fare (and even involved a
conversation with legal counsel about what we could show in the
screenshot that Brian had taken from her account that morning). But it
was a home run traffic-wise.
Return to: From the Editors List
Comments on this article
1 to 2 of 2
Using "sqlrox" everywhere
Adam Trachtenberg |
1 to 2 of 2