George Bronk, of Sacramento, California, was sentenced to more than four years in prison after being convicted of computer intrusion and the cyber-stalking of 46 women across 17 states. He carried out the cyber-stalking for a total of 10 months, from December 2009 through to September 2010, when he was eventually caught. The case illustrates the vulnerability of all Internet users, said prosecuting attorney Robert Morgester of the state attorney general's office. "The victims we went to said, 'I had very robust passwords.' But it didn't matter how robust the password was if the recovery question is easy," he said.
The method he used exposes a major weakness in many password reset systems: a supposedly secret question is posed to the account holder in order to recover a lost password. Such questions are often as basic as 'What is your favorite color?', 'Name of your high school?', 'Name of your first pet?' or 'Town where you were born?'. The answers can frequently be gleaned from Facebook or other social network pages, which is exactly what Bronk did in this case.
His first step was to identify the email address of a potential victim on Facebook, and then try to determine the answer to their secret password reset question. After he changed their password and took over their email account, Bronk then searched email folders for nude or semi-nude photographs or videos they had sent to their husbands or boyfriends and then distributed them to the victims' contact list, prosecutors said.
The hacking method is similar to that of the famous Sarah Palin email hack, in which the hacker managed to reset her password simply by Googling for the answer to her secret question, which was “Where did you meet your spouse?”.
A 2009 academic study measured the reliability and security of the questions used by the four big webmail providers (AOL, Yahoo!, Microsoft and Google). Participants were asked to answer these questions, and their acquaintances were then asked to guess the answers. Acquaintances guessed 17% of the answers on the first attempt. The researchers concluded that the security of personal questions appears significantly weaker than that of passwords.
Another study showed that password recovery security questions are usually answered honestly. This study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.
The conclusion, then, is that password recovery security questions should probably not be answered honestly. Experienced users fill them in with random, password-like strings, which makes the answers significantly harder to guess, if not practically impossible. These answers can then be stored in a password manager as notes.
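To show what this advice looks like in practice on both sides, here is an added example (not code from the article): a server-side enrolment check that rejects recovery answers an acquaintance could guess, a generator for random password-like answers to keep in a password manager note, and a comparison of how much guessing work each kind of answer demands. The lists of common answers are constructed for illustration only.

```python
import math
import secrets
import string

# Constructed illustrative lists of common answers per recovery question.
# A real deployment would use a much larger list built from breach data.
COMMON_ANSWERS = {
    "What is your favorite color?": {"blue", "red", "green", "black", "purple"},
    "Town where you were born?": {"london", "new york", "chicago", "paris"},
    "Name of your first pet?": {"max", "buddy", "bella", "charlie"},
}

# Alphabet for generated answers: 26 + 26 + 10 + 3 = 65 symbols.
ANSWER_ALPHABET = string.ascii_letters + string.digits + "-_."
MIN_ANSWER_LENGTH = 12

def normalize(answer: str) -> str:
    """Lower-case and collapse whitespace so 'Blue ' and 'blue' compare equal."""
    return " ".join(answer.strip().lower().split())

def is_weak_answer(question: str, answer: str) -> bool:
    """Enrolment-time policy check: reject a known common value for this question,
    or anything short enough to be a single dictionary word."""
    norm = normalize(answer)
    if norm in COMMON_ANSWERS.get(question, set()):
        return True
    return len(norm) < MIN_ANSWER_LENGTH

def honest_answer_bits(candidate_count: int) -> float:
    """Entropy of an honest answer drawn from a small pool of plausible values
    (e.g. about a dozen favourite colours), assuming each is equally likely."""
    return math.log2(candidate_count)

def random_answer_bits(length: int) -> float:
    """Entropy of a uniformly random answer of this length over ANSWER_ALPHABET."""
    return length * math.log2(len(ANSWER_ALPHABET))

def generate_recovery_answer(length: int = 24) -> str:
    """Random password-like answer, to be stored in a password manager note."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))

if __name__ == "__main__":
    q = "What is your favorite color?"
    print(q, "blue ->", "weak" if is_weak_answer(q, "blue") else "ok")
    strong = generate_recovery_answer()
    print(q, strong, "->", "weak" if is_weak_answer(q, strong) else "ok")
    print(f"honest: {honest_answer_bits(12):.1f} bits, random: {random_answer_bits(24):.1f} bits")
```

An honest answer from a pool of a dozen colours is worth under four bits, which is why the acquaintance-guessing rates in the studies above are so high; a 24-character random answer is well beyond any online guessing budget.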