An employee’s personal social media page may offer prospective hackers a backdoor into company-protected information. Many companies are moving towards lengthy and complex passwords, which has placed additional strain on password recovery procedures.
Many of these “forgot password” security procedures ask for pseudo-personal information such as a user’s high school mascot or mother’s maiden name.
Social media, however, can make this type of information readily available to the nefarious and arguably low-tech hacker. In the case where Governor Sarah Palin’s e-mail account was hacked, the indictment claimed that the hacker required just 45 minutes to locate the information needed to answer the security questions. Read “Tenn. student indicted for hacking Palin’s e-mail,” ComputerWorld, Oct. 8, 2008.
Companies with websites that use a set list of password recovery questions may want to consider tailoring the questions away from information that could readily be discovered on a typical social media site.
Employees, especially those who regularly use websites with limited password recovery systems, should avoid answers that could be gleaned from social media sites. But keep in mind the NLRB requirements relating to social media. See our previous post entitled NLRB Still Scrutinizing Social Media Policies.
To combat password pilfering, many entities are turning to the OpenID concept.
Seth Jaffe (email@example.com, +1 713.651.5370) is an associate in Norton Rose Fulbright’s IP practice group.