Password Guess and Reset hacking


This wired.com blog article explains how an 18-year-old hacker, who has been hacking for three years, was able to break into a Twitter admin account (using a password-guessing tool and a dictionary attack) and then use an admin password-reset feature to give away the passwords for 33 accounts, including those of President-elect Barack Obama, Britney Spears, and Fox News. This incident goes to show that account login features without attempt limits can easily be hacked using dictionary attacks. You would also imagine that accounts with such critical admin rights would be guarded by enforced password policies requiring passwords that are alphanumeric, semi-random, and long.

My colleague Eric commented on the incident of Governor Palin's Yahoo account being hacked through the security questions on the password reset. So one layer of security (limited login attempts) is sometimes not enough, and neither is a second layer (password reset questions). Proper policies and procedures must be in place. One measure that could have helped in this situation is an automated e-mail sent out whenever a password is successfully reset, or even when a reset is attempted.
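As an added illustration (my own sketch, not Twitter's code or anything from the Wired article), here is a minimal Python authentication service implementing the two countermeasures named above: a failed-attempt limit with temporary lockout, which caps how many dictionary words can ever be tried against an account, and an owner notification queued on every password reset. The constants, class names and the in-memory "notifications" list standing in for outgoing e-mail are all assumptions made for the example.

```python
"""Login attempt limiting and password-reset notification (illustrative only)."""
from dataclasses import dataclass, field
import hmac
import time

MAX_ATTEMPTS = 5          # failures tolerated inside the window before lockout (assumed policy)
WINDOW_SECONDS = 15 * 60  # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60 # how long the account stays locked after hitting the limit


@dataclass
class AccountState:
    password: str                                       # plaintext here only to keep the sketch short
    failures: list = field(default_factory=list)        # timestamps of recent failed logins
    locked_until: float = 0.0
    notifications: list = field(default_factory=list)   # stands in for e-mails sent to the owner


class AuthService:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the behaviour can be tested deterministically
        self.accounts = {}

    def add_account(self, name, password):
        self.accounts[name] = AccountState(password=password)

    def login(self, name, password):
        """Return 'ok', 'invalid' or 'locked'. Unknown users get 'invalid', same as a bad password."""
        acct = self.accounts.get(name)
        t = self.now()
        if acct is None:
            return "invalid"
        if t < acct.locked_until:
            return "locked"       # no password check at all while locked: guesses get no feedback
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures.clear()
            return "ok"
        acct.failures = [f for f in acct.failures if t - f < WINDOW_SECONDS] + [t]
        if len(acct.failures) >= MAX_ATTEMPTS:
            acct.locked_until = t + LOCKOUT_SECONDS
            acct.notifications.append(f"lockout after {MAX_ATTEMPTS} failed logins")
            return "locked"
        return "invalid"

    def reset_password(self, name, new_password, performed_by):
        """Every reset, whoever performs it, leaves a notification the real owner will see."""
        acct = self.accounts[name]
        acct.notifications.append(f"password reset by {performed_by}")
        acct.password = new_password
        acct.failures.clear()
        acct.locked_until = 0.0
```

Per-account lockout alone lets anyone lock a victim out by guessing badly on purpose, so in practice it is combined with per-source throttling; the point here is only that a bounded attempt count makes a dictionary run stop after a handful of words.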

7 Jan 2009
