Friday, December 09, 2011

Why Can't Blogger Just Tell Me The Email Address, When I Ask For It?

We see the pain, in Blogger Help Forum: Something Is Broken, of blog owners who do not understand the need for keeping the name of their Blogger account a secret.
I forgot the email address that I was using. Why can't Blogger just tell me the address??
and some ask
How did this unknown person "xxxxx xxxxx" get control of my blog?
Years ago, the local police would have to convince home owners
Please, stop leaving a spare key under a rock, near the door!
Many blog owners (today) - like some home owners (years ago) - have the same basic problem: naivete.

Like the home owners of years ago, who kept a spare key under a rock near the front door, for emergencies, blog owners will use tricks to remember their password. One favourite technique, for remembering the password, is so obvious.
Pick a password based upon something that you can remember.
For a blog owner who is married, the answer is obvious.
What is my spouse's name?
and there's your password. If you forget that, you have worse problems, that cannot be addressed here.

If the name of one's spouse were a secret, using the name would not be a problem. But knowing that many blogs either contain the name (and picture, even) of the whole family - or lead to a Profile page with similar information - how secret is the spouse's name going to be?

Knowing both the Blogger account name (email address) that owns any blog of interest, and the URL of the blog, any hacker has a simple enough task.
  1. Scrape blog content, into a text analyzer.
  2. Extract a few hundred details (spouse's name, and others) from the blog content, as analysed.
  3. Run the known details through a password generation program.
  4. Now, the hacker has a database, containing "10,000 good possible passwords", specifically relevant to this blog.
  5. Go to "www.blogger.com", plug in the account name, and try out the 10,000 passwords, one by one.
  6. That's a simple brute force password attack.
  7. Sit back, and watch any botnet, controlled by the hacker, go to work.
  8. Given enough time, the hacker very likely gets access to the Blogger account, and to the blogs owned by the account.
  9. Note that steps 1 - 8, for any experienced hacker, collapse into one step.
    Plug in the URL of the blog.
    Everything else is just more programming.
Besides using a "strong" password (which carries its own risks, such as forgetting the password - and now we're here, again), the best way to prevent a brute force attack is by preventing step 5.
Keep the account name / email address a secret.

If you need to recover access to your Blogger account, don't expect to use the Blogger "Forgot?" wizard, plug in your blog URL, and get a reply
Email was sent to your address xxxxxxx@yyyyy.zzz
And, if you post in the forum,
Please email me advice, to "xxxxxxx@yyyyy.zzz"!
expect to get a stern warning
Please, do not post Blogger account names, or email addresses, in the forum.

People objecting to the recent Blogger policy of masking email addresses, in Blogger commenting and similar services, as "no-reply @ blogger . com", may also need to consider this very real issue. Possibly, even use Google+, instead of Blogger commenting, for networking with one's peers.

And, if your Blogger / GMail / Google account is disabled - and you get a mysterious notice about
Suspicious / Unusual activity on your account
this could well be the other side of a brute force attack against your account, intercepted by Google.

Don't be offended by the unpopular "24 to 48 hour" waiting period, which you endure after getting the account enabled - or by the diagnosis of "hacking detected" against your account (aka "suspicious" / "unusual" activity). If you find the locked account / deleted blogs to be a problem, consider using Google 2-step verification, to protect your account against brute force hacking.
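What a "suspicious / unusual activity" lock looks like from the defender's side, as an added example that is not part of the original post and not Google's actual logic: it counts recent failed logins per account and notes whether they arrive from many different sources, the signature of a botnet working through a list of guesses rather than one person mistyping. The log format, the sample events and the thresholds are all assumed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real Blogger/Google logs).
# Assumed format: "<ISO timestamp> <account> <source IP> <ok|fail>"
SAMPLE_LOG = """\
2011-12-09T10:00:01 alice@example.com 198.51.100.7 fail
2011-12-09T10:00:03 alice@example.com 203.0.113.9 fail
2011-12-09T10:00:04 bob@example.com 192.0.2.5 ok
2011-12-09T10:00:06 alice@example.com 198.51.100.8 fail
2011-12-09T10:00:09 alice@example.com 203.0.113.10 fail
2011-12-09T10:00:12 alice@example.com 198.51.100.9 fail
2011-12-09T10:00:15 alice@example.com 203.0.113.11 fail
2011-12-09T10:20:00 bob@example.com 192.0.2.5 fail
2011-12-09T10:20:30 bob@example.com 192.0.2.5 fail
2011-12-09T10:21:00 bob@example.com 192.0.2.5 ok
"""

def parse_events(text):
    """Turn the assumed log format into (time, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events

def flag_suspicious(events, window=timedelta(minutes=5),
                    max_failures=5, max_sources=3):
    """Return {account: (kind, failures, distinct_sources)} for accounts that
    should be locked: max_failures or more failed logins inside the window.
    kind is "distributed" when the failures come from max_sources or more
    addresses (a botnet), otherwise "single-source"."""
    recent = defaultdict(deque)          # account -> failures (time, ip) in window
    flagged = {}
    for ts, account, ip, result in sorted(events):
        q = recent[account]
        if result == "fail":
            q.append((ts, ip))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if account in flagged:
            continue                        # already locked, nothing more to decide
        failures = len(q)
        sources = len({src for _, src in q})
        if failures >= max_failures:
            kind = "distributed" if sources >= max_sources else "single-source"
            flagged[account] = (kind, failures, sources)
    return flagged

if __name__ == "__main__":
    print(flag_suspicious(parse_events(SAMPLE_LOG)))
```

Bob's two mistyped passwords followed by a success are left alone; Alice's account, hit from five addresses in twelve seconds, is the one that gets locked, which is the "other side" of the attack the notice refers to.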

None of this is fiction or paranoia - it's based on some very real, recent events - and causes some very real conundrums.

You will get no sympathy, when you post into Blogger Help Forum: Something Is Broken, and complain how unsupportive Blogger is. You have to make some effort, and remember some basic information, if you are going to maintain a Blogger blog.


3 comments:

homebiss said...

Chuck,

Thanks for the tips. Appreciate it. :)

Bian said...

Thanks for the tips. :)

raincrow said...

Great explanation! I will be more careful next time.