February 20, 2018

How Yahoo could have protected Palin's email

Last week I criticized Yahoo for their insecure password recovery mechanism that allowed an intruder to take control of Sarah Palin’s email account. Several readers asked me the obvious follow-up question: What should Yahoo have done instead?

Before we discuss alternatives, let’s take a minute to appreciate the delicate balance involved in designing a password recovery mechanism for a free, mass-market web service. On the one hand, users lose their passwords all the time; they generally refuse to take precautions in advance against a lost password; and they won’t accept being locked out of their own accounts because of a lost password. On the other hand, password recovery is an obvious vector for attack — and one exploited at large scale, every day, by spammers and other troublemakers.

Password recovery is especially challenging for email accounts. A common approach to password recovery is to email a new password (or a unique recovery URL) to the user, which works nicely if the user has a stable email address outside the service — but there’s no point in sending email to a user who has lost the password to his only email account.

Still, Yahoo could be doing more to protect their users’ passwords. They could allow users to make up their own security questions, rather than offering only a fixed set of questions. They could warn users that security questions are a security risk and that users with stable external email addresses might be better off disabling the security-question functionality and relying instead on email for password recovery.

Yahoo could also have followed Gmail’s lead, and disabled the security-question mechanism unless no logged-in user had accessed the account for five days. This clever trick prevents password “recovery” when there is evidence that somebody who knows the password is actively using the account. If the legitimate user loses the password and doesn’t have an alternative email account, he has to wait five days before recovering the password, but this seems like a small price to pay for the extra security.
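To make the inactivity gate concrete, here is an added example (not code from the post, and not Yahoo's or Gmail's implementation) of a recovery-policy check that suspends security-question recovery while an authenticated user has touched the account within the last five days, and always offers the external-email path when the user registered one. Account records, timestamps and the `Account`/`RecoveryDecision` types are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Quiet period from the post: question-based recovery stays disabled while
# someone who knows the password has used the account within five days.
QUIET_PERIOD = timedelta(days=5)


@dataclass
class Account:
    username: str
    last_authenticated_access: Optional[datetime]  # None: never logged in
    external_email: Optional[str] = None           # stable address outside the service
    questions_enabled: bool = True                 # user may opt out of questions entirely


@dataclass
class RecoveryDecision:
    channels: list            # recovery paths offered right now
    wait_seconds: int = 0     # seconds until the question path reopens (0 = open now)
    reason: str = ""


def recovery_decision(acct: Account, now: datetime) -> RecoveryDecision:
    """Decide which password-recovery paths to offer for acct at time `now`."""
    channels = []
    # Preferred path: a one-time recovery link to an address outside the service.
    if acct.external_email:
        channels.append("external_email")
    if not acct.questions_enabled:
        return RecoveryDecision(channels, 0, "security questions disabled by user")
    last = acct.last_authenticated_access
    if last is not None and now - last < QUIET_PERIOD:
        # Recent authenticated use means a "recovery" request is more likely an
        # intruder than a locked-out owner, so the question path is suspended.
        wait = int((last + QUIET_PERIOD - now).total_seconds())
        return RecoveryDecision(channels, wait, "account in active use; question path suspended")
    channels.append("security_questions")
    return RecoveryDecision(channels, 0, "no authenticated access within quiet period")


DEMO_NOW = datetime(2008, 9, 17, 12, 0, tzinfo=timezone.utc)  # constructed clock value


def demo_decisions() -> dict:
    """Run the policy over a few constructed accounts (not real users)."""
    accounts = [
        Account("active_user", DEMO_NOW - timedelta(hours=3)),
        Account("idle_user", DEMO_NOW - timedelta(days=6)),
        Account("backup_user", DEMO_NOW - timedelta(hours=1), "me@example.org"),
        Account("opted_out", None, "me@example.org", questions_enabled=False),
    ]
    return {a.username: recovery_decision(a, DEMO_NOW) for a in accounts}


if __name__ == "__main__":
    for name, d in demo_decisions().items():
        print(f"{name}: channels={d.channels} wait={d.wait_seconds}s ({d.reason})")
```

A legitimate owner without an external address waits out the remainder of the five days, while an intruder probing an account that is in daily use never sees the question prompt at all.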

Finally, Yahoo would have been wise, at least from a public-relations standpoint, to give extra protection to high-profile accounts like Palin’s. The existence of these accounts, and even the email addresses, had already been published online. And the account signup at Yahoo asks for a name and postal code so Yahoo could have recognized that this suddenly-important public figure had an account on their system. (It seems unlikely that Palin gave a false name or postal code in signing up for the account.) Given the public allegations that Palin had used her Yahoo email accounts for state business, these accounts would have been obvious targets for freelance “investigators”.

Some commenters on my previous post argued that all of this is Palin’s fault for using a Yahoo mail account for Alaska state business. As I understand it, the breached account included some state business emails along with some private email. I’ll agree that it was unwise for Palin to put official state email into a Yahoo account, for security reasons alone, not to mention the state rules or laws against doing so. But this doesn’t justify the break-in, and I think anyone would agree that it doesn’t justify publishing non-incriminating private emails taken from the account.

Indeed, the feeding frenzy to grab and publish private material from the account, after the intruder had published the password, is perhaps the ugliest aspect of the whole incident. I don’t know how many people participated — and I’m glad that at least one Good Samaritan tried to re-lock the account — but I hope the republishers get at least a scary visit from the FBI. It looks like the FBI is closing in on the initial intruder. I assume he is facing a bigger punishment.

Comments

  1. John Millington says:

    “Finally, Yahoo would have been wise, at least from a public-relations standpoint, to give extra protection to high-profile accounts like Palin’s.”

    I’m really surprised to see a suggestion like that. In addition to dealing with all the usual daily issues, service providers now need to watch the news for the purpose of tracking who has become a hot topic, check these people against their own list of users, and then .. um .. do something special about it?

    This just blows my mind. It’s Monday morning, and you’re having a meeting. “Ok, Johnson, which of our existing users became famous last week? And have any existing celebrities recently joined us?”

    I guess a new employee at Yahoo will have you to thank for their job. 😉

    It gets worse. Hypothetically, suppose Palin’s team loses in November. At some point, she’s dropped from the hot list, and the “extra protection” goes away, I guess. I can just picture some aging scientologist actor who is a target because of something he said, getting cracked n years after his last movie when Yahoo’s [in]fame-o-meter hits a minimum threshold. “What happened to my ‘extra protection’, Yahoo?! How dare you say I’m no longer relevant!? I’m calling my publicist and my lawyer!”

  2. I agree with the above, having two levels of security seems a little suspicious. Moreover, what is to stop me from saying I am Ed Felten and I deserve “more secure” email. They definitely need a system which is secure for all users.

  3. Yeah, the extra protection idea sounds like it’ll open up a legal minefield, liability-wise. Besides, if they can do extra protection for a handful of celebrities, I’d say that if anyone got hacked that wasn’t a member of this elite society, they could very legitimately say that Yahoo doesn’t do as much for their average customer as they do for celebrities, which could turn into very bad PR. Any solution has to be “all or nothing”… or the people that want extra protection should pay for it somehow, no matter who they are.

  4. Pathetic to guess who’s famous and who needs more protection.

    Can they just not use these free email services when they are public figures?

  5. It shouldn’t be up to Yahoo to determine who gets the extra protection, but the users.

    If you trade off some convenience for extra security, only those who feel they need more protection will use it. For instance, what if the user could have any number of security questions?

    Yahoo can also charge for the extra security, I suppose.

  6. Carlos Gomez says:

    To be sure, trying to identify accounts for extra security is fraught with problems. But the main point that Yahoo could have done better in its choice of implementation for forgotten password validation stands as a debatable point.

    There are other choices that could have been better such as the already suggested allowing the user to enter their own question. Ultimately, Yahoo needs to balance ease of use against security. I’m not altogether sure that the choices they’ve made have been wrong. People are lazy and tend to take the path of least resistance. Providing a list of questions to choose from is easier than thinking one up. And I would suspect that for many web users, the question they choose would be one of the standard ones that already exist in dropdowns.

  7. A number of posters make reference to free email accounts. It should be noted that Yahoo, at least, also provide fee-based email, which provides some additional features such as POP3 access. Using an alternative such as this provides some security, in that messages can be deleted from the server after downloading, removing one vulnerability. I think the Yahoo alternative email should be made a requirement for password reset. This plus stronger security challenge questions would help. The 5 day wait would be unacceptable, as what typically happens is that the password is entered into email client software and operates without user intervention until an error occurs and the client asks for the account password. Of course in the ideal world users would have additional copies of the password available. I’ve found that in many cases I can just use available decryption utilities for the weak password encoding used in desktop apps to recover the password from the locked-out users desktop system.

  8. All of Palin’s State Business related Email had been subpoenaed. This Yahoo account was not divulged. In fact, Palin stated that it contained only personal Email. It seems that that statement was lacking in truthiness.

    This may have been instrumental in motivating this crack. However, I don’t think it excuses it.

  9. “They could allow users to make up their own security questions”

    That works fine, until you get users who choose “what is the password?” as their security question, and the password they can’t remember in the first place as the answer!

  10. Several commenters criticize me for suggesting that Yahoo should have given Palin’s account extra attention because of her status as a public figure.

    I’m not saying that Yahoo was required to protect Palin’s account. I’ll agree that I shouldn’t have said that — and I didn’t.

    But look at all the bad publicity Yahoo got because of the attack. They could have avoided the bad publicity, not to mention the possibility of angering a customer who happens to be very famous and powerful, just by dialing up the protection of Palin’s account(s) a bit.

  11. Ed–

    How could Yahoo selectively “dial up the protection of Palin’s account(s) a bit”? How could they know that this account actually belongs to Sarah Palin or any other celebrity? (Especially if the user is bright enough to select an account name that doesn’t beg to be attacked.) And what’s to stop me from registering a new account as Britney Spears? Could I thereby create a protected account for myself?

    Given the kind of use that Palin seems to have made of this account (i.e. an attempt at under the radar political communications), it is unlikely that she would have approached Yahoo and said, “This is my account. Please protect it better”.

  12. Michael Donnelly says:

    I haven’t seen anyone comment on their competitors providing better security. It’s a bit surprising, honestly, that the reports haven’t contained notes along the lines of “to contrast, GMail uses blah-blah-blah security”.

    This was a problem solely between Palin and her handlers. Either they didn’t do the proper exhaustive audit of checking everything for security, or she concealed that email address from them. The mistake is somewhere in there.

    • Arno Nymous says:

      “This was a problem solely between Palin and her handlers. Either they didn’t do the proper exhaustive audit of checking everything for security, or she concealed that email address from them. The mistake is somewhere in there.”

      I would expect they just don’t have a clue of how hackable this stuff is, and just went with some service they had heard of without consulting any capable tech person.

  13. Seems like a really bad idea to me. If someone wants a more than usually secure-ish email solution, they don’t go to a free account provider. And it’s not only a question of recognizing which accounts (might) belong to people who are or will become famous, it’s a question of what to do then. Do you require a phone call to reset a password? What extra proofs of identity do you require so that you can actually verify that you’re talking to the famous person or their personal assistant’s assistant, or someone authorized to access the account? Do you pre-emptively recognize such people and contact them to set up protocols in advance? Seems to me that it would make much more sense to just provide better security (as outlined) to everybody rather than waste the assets of a free-to-the-customer service on trying to protect something that may or may not need extra protection.

    Yahoo would of course also have found itself in a rather interesting legal position, because giving extra protection to Palin’s account would have also put them in the position of knowing that her lawyers were violating the terms of a court order, and effectively abetting that violation.

  14. There’s nothing wrong with fixed questions. Just make up an answer that you can remember – a parent’s name as noneofyourbusiness or where is home as onthemoon.

    The six guesses they gave you for your friend’s account was really stupid.

  15. “Yahoo would have been wise, at least from a public-relations standpoint, to give extra protection to high-profile accounts like Palin’s.”

    My far from perfect understanding of “common carrier” laws is that any sort of active involvement from the service provider (such as boosting security on selected accounts) will defeat their common carrier status and become a legal guarantee. In other words, it is the worst thing Yahoo could do from a liability perspective. I’d be curious if someone could get a genuine legal opinion on this situation.

    “I’ll agree that it was unwise for Palin to put official state email into a Yahoo account, for security reasons alone, not to mention the state rules or laws against doing so. But this doesn’t justify the break-in, and I think anyone would agree that it doesn’t justify publishing non-incriminating private emails taken from the account.”

    Two wrongs don’t make a right. I think that if Yahoo had discovered Palin’s email the only legally safe thing they could do would be disable the account completely, and notify the authorities (exactly which authorities, I’m not sure). Then again, the Republican party has well and truly demonstrated that they use whatever tactics are effective, and they regard gentlemanly sporting conduct to be laughable (attacking John Kerry’s military service was one example amongst many) so by Republican rules, no wrong has been done here.

  16. Anonymous says:

    Perhaps asking users if they wanted a phone call required to reset password would help…

  17. Personally I never need security questions so I fill them with long total gibberish.
    So there should obviously be an option not to use security questions at all. A BIG red warning that using security questions compromises security should do.
    There are tons of ways to make sure not to lose a password and using a weak answer is not the solution. KeePass is.
    Also there are a few problems with phone numbers where the most comfortable solution would be to send an SMS: (1) change of number, (2) not having a number.

  18. Yahoo does actually support making up your own security question.

  19. Anonymous says:

    “Finally, Yahoo would have been wise, at least from a public-relations standpoint, to give extra protection to high-profile accounts like Palin’s. ”

    Since when are businesses such as Yahoo required to check the creation of every account, make their own determination of whether that account needs “extra protection”, and implement it?

    Sometimes you read these articles and they just make NO sense. Obviously some author who has some grudge against Yahoo who, for my part, has provided YEARS of excellent service.

  20. Anonymous says:

    Ohh!! Man,
    I can’t believe this author. Even people like this are allowed to write.
    It totally looks like some idiot from pre-masonian age is writing this article.

  21. Anonymous says:

    Maybe the author can present his ACM award-winning machine-learning algorithm for determining who is a celebrity and who is not. Maybe, when creating a free id, the user should be asked to enter his/her SSN and that can be used to determine whether or not the person is a celebrity.
    Ed! wake up!! it is no longer stone age.

  22. Anonymous says:

    Ed – I can’t believe you compounded your ridiculous suggestion with a comment. You still don’t get it.

  23. Steve Edwards says:

    I liked the idea of the “5 day time-out” but can see how this could be inconvenient. And secondly, I liked the idea of having various levels of security for accounts but agree, this would be impossible to police. Or would it…?

    Then it hit me – quite simply, why not offer the user a choice of security?

    This would, surely, be simple enough to introduce. Move the onus from Yahoo, MSN or whoever onto the user and make us take some responsibility. Worried about security but want a Yahoo account? Have a “lock out” paid-for option. “Lose your password? We’ll charge you $30 and send a replacement to your nominated attorney by secure courier. You can’t reset online. Sure, it’s slow and inconvenient, but it’s pretty secure”. Maybe even offer the opportunity to pair your Yahoo account with a multi-factor authentication system (Verisign’s VIP program anyone? RSA?). Let’s face it, multi-factor authentication would reduce this type of attack’s success to virtually nil – but that’s for another discussion altogether.

    Before you rip apart this suggestion, I’m not suggesting they actually adopt a “mail to your lawyer” approach or insist on using a key-fob; simply that differing levels of security may be appropriate depending upon our appetite for risk. Let me decide if I want “easy and insecure”, or “slow but strong”. Perhaps allowing you to choose your own security question is already a step in this direction?

    Of course, there’s a chance we’ll automatically pick “default” and take what we’re given but, at least this way, our Scientologist-come-actor chap or chapess can decide for himself how important he or she is and, provided we’re given sensible, accessible and easy to understand guidance on what to choose, we’d only have ourselves to blame in the case of a breach on a low-security account.

  24. Ed – great post.

    I HATE security questions, so I don’t think that is the answer. This is similar to how credit card companies added that 3-digit security code to the back of credit cards. The result is the black market now distributes the 3-digit code along with the credit card numbers. I have told so many organizations the name of my first pet and mother’s maiden name, it is crazy to assume that is secret. Lying about these seems like a dumb solution.

    Also, consider how http, imap and pop3 access are offered over cleartext (non-SSL) connections. (Gmail supports both SSL and non-SSL imap.) This is nuts in this day where every browser and email client supports SSL. It is tempting to simply blame dumb people for choosing insecure options, but that is bad thinking. Web surfing is drop dead simple and expecting all these people to be interested in arcane SSL settings is crazy. For my own situation I’d like my firewall to prevent accidental non-SSL access.

    E*Trade offers the only system I trust – https (SSL) access only – and a keychain device with a 6-digit number that changes every 60 seconds that you must enter along with your password. I wish E*Trade required the use of this keychain so my argument would be more powerful, but it is an option.

    It is shocking that leading privacy organizations such as EFF are more interested in the 1st amendment right to *distribute* Palin’s mail (and her unauthorized use of Yahoo for government business) than Yahoo’s obligation to help keep it private.

    It is shocking how immature the online security-privacy-encryption industry is.

  25. Hi GAIZ

  26. Hello