By Woody Leonhard
You can find no end of advice on creating strong passwords, using clever tricks, stats, mnemonics, and such.
But all too frequently we (and I include myself in this rebuke) tend to reuse little passwords at what we think are inconsequential sites. It’s a big mistake — here’s why.
This story is true. As the admonition goes: only the names have been changed to protect the innocent.
I live in a small town a couple of hours away from a big city we’ll call Metropolis. There are several daily newspapers in Metropolis, and one of the largest (let’s call it the Daily Planet) boasts a very nice website. The people who create and maintain the Daily Planet site are excellent designers and programmers — but they aren’t security experts.
One of Metropolis’s citizens is a regular guy named, oh, Joe. He’s pretty good with computers, and he knows enough to use strong passwords on bank and stock-market sites.
But Joe just got hacked — and bilked in a most unexpected way.
Using simple passwords for unimportant sites
The Daily Planet’s website, like most big newspaper sites, lets its readers set up accounts for a variety of services. For example, subscribers can receive e-mail notifications about important breaking-news stories. They also need an account to comment on editorials and to submit photos for the newspaper’s photo-judging contest. About 25,000 people have accounts.
Years ago, Joe signed up for a Daily Planet account, using JoeKewl as his user name and JoeSumthinErAnother@yahoo.com for his e-mail address. And because the Daily Planet site should not have posed any real security issues — no sensitive personal information was at stake — he used an easy-to-remember password he frequently employed for such occasions: 12345678.
At some point, Joe’s Daily Planet account fell into disuse; he rarely thought about it. Meanwhile, the Daily Planet’s website admins were focused on online publishing, applying their energy on search-engine optimization and site layout with a bit of SQL Server and PHP on the side. They knew about security but weren’t terribly worried about hackers. Their thinking was: Who in their right mind would want to steal sign-in data for people commenting on news stories?
A new black-hatter beats a site’s security
But there was a who — a self-styled password cracker residing in a completely different country. Someone driven to show his hacking moxie by cracking a Web server. He acquired a free version of Havij (more info), a SQL Injection hacking tool with a “user-friendly GUI and automated settings and detections, to make it easy to use for everyone, even amateur users,” according to the IT Security Research & Penetration Testing Team’s Havij 1.15 user manual. He watched the YouTube video and went through the Havij tutorial — and soon knew how to run a SQL injection attack.
The cracker didn’t really care what website he cracked; he was simply looking for a site with simple sign-up routines. Eventually, he discovered that the Daily Planet’s website fit the bill nicely. Within a couple of hours, the cracker had figured out how to access the Daily Planet’s reader database. He was able to crack only one of the four SQL tables at the site, but that netted him 5,200 user records. He got really lucky because (and this is key — no pun intended) the Daily Planet’s site stored user data in the clear — none of it was encrypted.
Then the cracker decided he was hot stuff and wanted to tell the world. So he posted 200 of the stolen records on a public website, claiming he’d post more if enough people subscribed to his Twitter feed. To publicize his accomplishment, he convinced one well-known underground tweeter to send out details about where to find the stolen data.
Using a password once too often spells ‘break-in’
This is where I came in. All of this happened in a town not far from where I live. But I caught wind of it only when I checked an underground tweeter account I monitor. By then, the cracker had posted 3,400 user names and more than 300 people had viewed the list.
And Joe’s name was at the top of the list.
One of these 300 visitors soon signed onto a local financial site, using Joe’s stolen e-mail address and password. (I won’t mention the site by name, but it’s an institution in Metropolis.) The password didn’t work, so the bad guy clicked the Forgotten Password link. As expected, the financial institution’s automatic password-recovery routine offered to e-mail a new password to Joe’s Yahoo account.
Next, the bad guy signed onto Yahoo Mail using Joe’s e-mail address and entered the password (12345678) he’d stolen from the Daily Planet password list — and sure enough, he got into Joe’s Yahoo account. From there, just a couple of clicks gave the bad guy full access to Joe’s online financial account.
There are countless other ways Joe could’ve been compromised, but Joe made the bad guy’s job much easier by using the same password for both the Daily Planet and the Yahoo Mail accounts. Joe will most likely get his money back — eventually. But he could have avoided a lot of hassle by simply using a unique, throwaway password for the Daily Planet.
Of course, Joe isn’t the only one at fault. The admins at the Daily Planet should know enough to encrypt their stored user data. They also should’ve plugged up their SQL interface. But that doesn’t let Joe off the hook.
If you’re still not using a password storage/retrieval tool such as LastPass or AI RoboForm (discussed in a June 3, 2010, Best Software column), it’s time to get with the program. Don’t blame a poor memory for recycling old passwords; learn to use one of those tools. The money you save will most likely be your own.
| Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.|