NCSAM/2011 – Post 4 – Don’t share your passwords across services
Using the same password on multiple different accounts or services – it’s something that security professionals have decried for years, and it’s something that most policies forbid as well.
Why is this?
Surely it’s easier to remember one password and use it everywhere?
Well, yes, but then your password isn’t just about what’s easy – it’s a protective measure by which you not only assert your identity, but also by which you prevent other people from asserting it for you.
For instance, the old “rogue administrator” problem – so old that it’s often referred to as the “rouge admin”, because so many people can’t spell “rogue”. It’s so old, XKCD has a cartoon about it.
[Image: XKCD cartoon – “The rouge administrator problem”]
The theory behind this problem is that you can’t be completely sure that your own administrators are trustworthy – and so you are even less sure that some other website’s administrators are trustworthy. So, it’s a fair bet that some of the sites that you log onto are actually engaged in some nefarious activity, either as a part of the business of the website, or as a personal interest on the part of one of its administrators.
What can they do?
Well, they can intercept your logon information – the user name and password that you have provided – and turn around to use that same information at another site.
What other site?
They can make a pretty good guess. Half the known world appears to access Facebook, Twitter, YouTube, along with any number of blogs, forums, or other locations. So they’ll try your username and password at some of these sites, and maybe get lucky. I’m sure many of us know a ‘friend’ whose account at some site has been ‘taken over’ by a hacker, and this is one of the ways in which that could have happened. [Another is the simple possibility of guessing your password if you didn’t choose a good one]
But there’s an even better site for them to guess at, because if you’re like oh-so-many people, you took the invitation to enter your email address as your username. And then, because it’s an association that’s embedded firmly in your brain, you used the same password creating this account as you use when accessing your email.
So now the only question is which of the several websites you’re logging onto has control of your account this week, as they each fight one another for dominance.
But it doesn’t require a rogue administrator. Sometimes it can just be a matter of really bad website design – combined with your own bad password choice.
Your password got hacked
Yeah, I’m generalising here, but your password probably has been hacked at some point, or at least its hash has been stolen.
Sidebar: a password hash is an obscured version of your password. Kind of like creating mince from meat – you can tell what animal it came from, whether that be chicken, beef or pork, but you can’t actually put it back together to create the animal. So, a hash allows you to confirm that the password being presented by the user is the same as the original password used to create the account, but it does not allow you to turn the hash back into the password easily.
Note that catch-all “easily” – that means there’s a difficult way, right? Sure, and it’s simply the idea that you can try every possible password until you get one that matches the hash. This is called “brute forcing”. There are some shortcuts, and someone will no doubt mention “rainbow tables”, but in many cases this is little more than having someone else do much of the brute forcing for you ahead of time. This can be made even harder by mixing a random value called a “salt” into each password before it is hashed, so that the same password produces a different hash for every account, but then I’m getting into too much of the implementation detail to be interesting.
So, the point is that if you have a good password, the hash of it is pretty darn hard to get the password from. You are mostly protected by your good choice of password.
Of course, that means you’re really not protected if you have a common or short password.
That’s why every time we see a news story of hackers stealing a password database – or often, the database of password hashes – there’s usually a list that comes along of the common passwords that people used at that site.
One relatively recent example is that of the password theft from Gawker. Note that this was a simple database of unhashed passwords. That’s bad website design. But then when you go and look at the list of passwords, you discover that the most common was “123456”, and the second most common was “password”. That’s simply bad password choice.
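To make the sidebar concrete, here is an added example (not code from the original post) that shows the two sides of the hashing story: an unsalted hash lets anyone holding the database spot which accounts share a password and match them against a short list of common ones, whereas a per-account salt with a slow key-derivation function (PBKDF2 from Python’s standard library) makes identical passwords look unrelated and defeats any list prepared in advance. The account names, the passwords and the “common password” table are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who chose the same weak password.
ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "I like this site for its crazy cartoon wit"}

# Constructed stand-in for a precomputed list of common passwords (the post
# names "123456" and "password" as the two most common in the Gawker leak).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Bare SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account salt; deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What a well-designed site stores: a fresh random salt plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(record["hash"], salted_hash(candidate, record["salt"]))


def _duplicates(hashes: dict) -> set:
    """Usernames whose stored hash equals some other user's stored hash."""
    seen, dupes = {}, set()
    for user, h in hashes.items():
        if h in seen:
            dupes.update({seen[h], user})
        else:
            seen[h] = user
    return dupes


def unsalted_collisions(accounts: dict) -> set:
    """Unsalted storage exposes password sharing between accounts directly."""
    return _duplicates({u: unsalted_hash(p) for u, p in accounts.items()})


def salted_collisions(accounts: dict) -> set:
    """Salted storage: same password, different salt, different hash."""
    return _duplicates({u: make_record(p)["hash"] for u, p in accounts.items()})


def weak_accounts_unsalted(accounts: dict) -> set:
    """Defender's audit of an UNSALTED table: a digest list built once from the
    common-password list matches every account that used one of them."""
    precomputed = {unsalted_hash(p) for p in COMMON_PASSWORDS}
    return {u for u, p in accounts.items() if unsalted_hash(p) in precomputed}


def weak_accounts_salted(accounts: dict) -> set:
    """Same audit against salted records: the digest list prepared in advance
    matches nothing, because each salt was unknown when the list was built."""
    precomputed = {unsalted_hash(p) for p in COMMON_PASSWORDS}
    records = {u: make_record(p) for u, p in accounts.items()}
    return {u for u, r in records.items() if r["hash"].hex() in precomputed}


if __name__ == "__main__":
    print("shared passwords visible in unsalted table:", unsalted_collisions(ACCOUNTS))
    print("shared passwords visible in salted table:  ", salted_collisions(ACCOUNTS))
    print("accounts hit by a precomputed list (unsalted):", weak_accounts_unsalted(ACCOUNTS))
    print("accounts hit by a precomputed list (salted):  ", weak_accounts_salted(ACCOUNTS))
```

The salt does not make “123456” a good password: an attacker who already has the salted record can still try the short list per account, it simply costs one slow PBKDF2 run per guess per account instead of one table lookup for the whole database. That is why the post’s advice about choosing a long passphrase still applies on top of whatever the site does.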
Protect yourself – choose different passwords
Again, passphrases come to your help here – “password for Cousin Huey’s favourite site” might be a good passphrase, perhaps. Or “I like this site for its crazy cartoon wit”. And writing them down will help you not to forget which password goes with which site.
OK, so that won’t help you if the password database is in plain text – but if that’s the case, you will at least find that only the exposed site’s account is taken over, rather than every other account you own.