Hacking My AOL Account

When I read Mat Honan’s article today about the relative uselessness of passwords in protecting the security of our various online accounts, I was attracted by his assertion that it’s particularly easy to hack into an AOL account:

Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

Although I have never been an avid AOL user, I do have an AOL Instant Messenger (AIM) account. I figured, and was correct, that for the purposes of this assertion, the accounts are one and the same. I quickly set about hacking my own account, just to see if it was as easy as Honan had described.

After navigating to AOL, I clicked the Login link and then clicked the “Forgot password” link to get to a very friendly, step-by-step process for resetting the password on an account. As Honan predicted, it offered to let me reset my password if I could supply my home town and another piece of personal information such as my birthday. But try as I might, I couldn’t get the right answers, and therefore I couldn’t break into my own account.

You see, I have had a habit for a long time of supplying bogus information when prompted for personal information. Obviously I break this habit when dealing with an institution that legitimately requires it, but I guessed that when I signed up for AIM, I had supplied false information. The nice side-effect of this appeared to be that my account was now less hackable than a typical account.

Of course Honan has had a little more practice than me with this, and when he saw my tweet he was inspired to ask if he could give it a shot. He and I are friends, and I trusted him to do nothing more than test the security of my account, so I agreed. He said it might take a day or two. A few hours later he sent me a screenshot of the AOL page where it was helpfully offering to let him enter a new password for my account.

I simply hadn’t tried diligently enough to get through the ridiculous “security” wizard. In the end it was as simple as knowing that I grew up in Santa Cruz (a value that I had evidently chosen to enter accurately), and that my email address was my last name at “red-sweater.com.” Totally, outstandingly, ridiculously poor security.

I made a video of myself “hacking” my own account, to show just how awful it is. The worst part is AOL will offer a laughably guessable hint about the alternate email address (j****t@red-sweater.com) down one security path, which can then be used to satisfy the secret question answer down another path.

As I said in the video, my best advice for anybody who has an AOL/AIM account is to change every personal detail on the account to something bogus, and to write those values down in an encrypted note somewhere for future reference if it’s needed. An idea I had is to choose as the email address something like “jalkut+fdj29f292935@red-sweater.com”. This way the confirmation email will still get to you if it’s ever needed, but the address will be much harder to guess.
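To make the plus-addressing advice concrete, here is a small added example (my own illustration, not code from the post or from AOL) that reproduces the style of masked hint described above, estimates how little it hides for a short real name, and generates a random-suffix recovery alias whose entropy is independent of what the hint reveals. The exact masking rule is an assumption modelled on the j****t example.

```python
import math
import re
import secrets


def mask_hint(address: str) -> str:
    """Build a hint in the style the post describes: first and last character
    of the local part shown, everything in between replaced by '*'.
    Assumed rule, modelled on the j****t@red-sweater.com example."""
    local, domain = address.split("@", 1)
    if len(local) <= 2:          # nothing left to hide
        return address
    return f"{local[0]}{'*' * (len(local) - 2)}{local[-1]}@{domain}"


def hidden_guess_space_bits(hint: str, alphabet_size: int = 26) -> float:
    """Upper bound (in bits) on the brute-force space left by a hint, assuming
    each '*' is an independent symbol from an alphabet of `alphabet_size`.
    For a real surname the true space is far smaller, because surnames come
    from a short dictionary; this number is optimistic for the defender."""
    hidden = hint.split("@", 1)[0].count("*")
    return hidden * math.log2(alphabet_size)


def make_recovery_alias(local: str, domain: str, nbytes: int = 8) -> str:
    """Plus-addressed recovery alias in the style the post suggests
    (jalkut+<random>@red-sweater.com). Mail still lands in the same inbox,
    but the suffix is unguessable: secrets.token_hex(nbytes) yields 2*nbytes
    lowercase hex characters carrying 8*nbytes bits of entropy."""
    return f"{local}+{secrets.token_hex(nbytes)}@{domain}"


def alias_entropy_bits(nbytes: int = 8) -> float:
    """Entropy of the random suffix, which is what an attacker must guess
    even if the visible part of the hint gives away the base name."""
    return 8.0 * nbytes


# Shape check for aliases produced by make_recovery_alias (hex suffix).
ALIAS_RE = re.compile(r"^[a-z]+\+[0-9a-f]+@[a-z0-9.-]+$")

if __name__ == "__main__":
    name_hint = mask_hint("jalkut@red-sweater.com")
    print(name_hint, f"{hidden_guess_space_bits(name_hint):.1f} bits at most")
    alias = make_recovery_alias("jalkut", "red-sweater.com")
    print(mask_hint(alias), f"{alias_entropy_bits():.0f} bits of real entropy")
```

Store the generated alias alongside the bogus answers in the encrypted note the post recommends; the hint shown on the reset page then leaks nothing worth having.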

Shame on you, AOL.