Passwords: How MySpace, Facebook can be used against you
I guess it’s fair to say that passwords are sort of a pet topic of mine. Well, here’s a sobering look at one possible dark side of our online lives.
The piece by MSNBC’s Bob Sullivan, on The Red Tape Chronicles blog, looks at how identity thieves can use a common security feature against you. It’s the “Forgot your password” link found on just about any site where you have an account.
The problem is that the answers to so many of the common security questions are becoming increasingly easy to find in this era of social networking and online databases. Mother’s maiden name. High school mascot. Favorite pet’s name. City of birth. These aren’t all that tough to dig up.
There are no known cases in which hackers have widely exploited “forgot your password” links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog’s names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.
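The two reset designs at issue here, as an added example that is not from the article, from MSNBC, or from any site it names: a question-based reset whose only secret is a profile fact, beside a reset that e-mails a random, single-use, time-limited token and stores only the token's hash. The account record and the answer "rex" are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account. The security answer is exactly the kind of fact
# the article says is discoverable from a social-network profile.
ACCOUNT = {"email": "user@example.com", "security_answer": "rex"}


def reset_via_security_question(answer: str) -> bool:
    """Knowledge-based reset: anyone who learns the pet's name passes."""
    return hmac.compare_digest(answer.strip().lower(), ACCOUNT["security_answer"])


# Hardened flow: a 256-bit token from the OS CSPRNG is sent only to the
# e-mail on file. The server keeps just sha256(token) and an expiry, so a
# leaked table does not hand out usable tokens.
TOKEN_TTL = 15 * 60          # seconds a reset link stays valid
_pending = {}                # sha256(token) hex -> expiry timestamp


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(now=None) -> str:
    """Create a single-use token; the caller e-mails it to ACCOUNT['email']."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = now + TOKEN_TTL
    return token


def redeem_reset_token(token: str, now=None) -> bool:
    """Accept the token once, and only before it expires."""
    now = time.time() if now is None else now
    expiry = _pending.pop(_digest(token), None)   # pop makes it single-use
    return expiry is not None and now <= expiry
```

Knowing the dog's name is enough for the first function; for the second, an attacker also needs to read the victim's mailbox within the TTL window, which is the property that makes e-mailed links harder to exploit.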
Tim has covered a wide range of topics, including tourism, crime, aviation and gambling, since becoming a reporter in 1990. The Oklahoma native joined the Post-Dispatch in 2007 after spending nine years in Orlando. In his spare time, he's often exploring one virtual world or another. He can be reached at tbarker@post-dispatch.com.
One thing you could do is substitute some characters for letters and numbers that look somewhat like each other, such as 1 for I, 3 for E, $ for S, @ for A, 0 (zero) for O, and so on.
This is something that kids in school have been doing for years to crack each other’s email accounts. It seems to me that the attack would work best if the attacker had a decent level of knowledge of the victim. After all, crack their email account and then you can use the reset password features to gain access to almost every other online application (MySpace, Facebook, et al.) that a person has tied to that account.
Kids hack other kids’ email addresses by guessing passwords, not by getting the password through the security questions. What is not mentioned here - and the reason why this is not “widely exploited” - is that most sites e-mail you either a new password, or instructions and a link to click through to verify who you are, from the original e-mail account. The only way this could be exploited is if the person who knew the answer to your security question also had access to sign into the e-mail account you used to create the account in the first place. Unless you are giving out all of that info (and I mean giving it out, and unfortunately many people do), it’s highly unlikely you’ll get exploited this way.