A Lesson in Password Security

By Miss Cellania
Contributing Writer, [GAS]

Wired’s Threat Level blog has an interview with GMZ, the hacker who briefly helped himself to some high-profile accounts at Twitter a few days ago. The way he got in was ridiculously simple.

1. He identified a very active account. It later turned out to belong to a Twitter employee who had access to all account passwords.

2. He used an automated dictionary program that tries common English words as passwords. He ran the program all night, with no interference.

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

3. The Twitter employee used a common English word (happiness) as a password.

4. Once into her account, he could access the passwords of any account on Twitter.

GMZ says he didn’t post on the hacked accounts, but gave away the information to forum members who did.

President-Elect Barack Obama was among the most popular requests from Digital Gangster denizens, with around 20 members asking for access to the election campaign account. After resetting the password for the account, he gave the credentials to five people.

He also filled requests for access to Britney Spears’ account, as well as the official feeds for Facebook, CBS News, Fox News and the accounts of CNN correspondent Rick Sanchez and Digg founder Kevin Rose. Other targets included additional news outlets and other celebrities. Fox won the hacker popularity contest, beating out even Obama and Spears. According to Twitter, 33 high-profile accounts were compromised in all.

You can see some of the mayhem that occurred in screenshots posted all over the Net.

So what have we learned here?

If you run a forum, social networking site, blog, or website, you have to anticipate attacks. Twitter’s multiple login problem? Hmmm, check your settings or your hosting service. Mine will put me in time out if I misspell my password twice! There’s no excuse for anyone running logins all night with no alarms going off.

Don’t use a common word for a password. Use a password manager, change your passwords regularly, use different passwords for different levels of security needed, and don’t be afraid to forget them. Most are easily recovered with valid information. However, you should record the passwords for your email and your sites in a safe place offline for your closest relative in case of your death.

Administrators must be extra vigilant to see that partners and employees with access to other accounts have a strong password. What other tips can you add? What security walls would you recommend for admins?
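As an added example (not code from the original post, and not Twitter’s own code), here is a small Python login guard that applies the two lessons above: it locks an account after a few consecutive failures and raises an alert before that, so an all-night dictionary run gets a handful of guesses instead of thousands, and it refuses dictionary words as passwords. The account name, password, salt, wordlist and thresholds are all constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample wordlist; a real deployment loads a large common-password list.
COMMON_WORDS = {"happiness", "password", "welcome", "sunshine", "letmein"}
MAX_FAILURES = 5        # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900   # how long a locked account refuses every attempt
ALERT_AFTER = 3         # failure count at which an operator should be alerted

def password_allowed(password):
    """Policy check: refuse plain dictionary words and anything short."""
    return password.lower() not in COMMON_WORDS and len(password) >= 12

def hash_password(password, salt):
    """Slow salted hash, so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Per-account failure counter with lockout and an alert hook."""
    def __init__(self, users, clock=time.time):
        self.users = users              # account -> (salt, pbkdf2 hash)
        self.clock = clock              # injectable so tests can advance time
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.alerts = []                # what a monitoring system would receive

    def attempt(self, account, password):
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            return "locked"             # refuse without even evaluating the guess
        salt, stored = self.users.get(account, (b"", b""))
        if stored and hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[account] = 0  # success resets the counter
            return "ok"
        self.failures[account] += 1
        if self.failures[account] == ALERT_AFTER:
            self.alerts.append(f"{account}: {ALERT_AFTER} consecutive login failures")
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            return "locked"
        return "denied"

# Constructed sample account; the salt and password are illustrative only.
SALT = b"constructed-salt"
USERS = {"employee": (SALT, hash_password("Crimson-Teapot-Orbit-42", SALT))}
```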

8 Responses to A Lesson in Password Security

  1. I would enforce password complexity (through programming) for my staff, e.g.:
    Require multiple cases
    Require at least 2 numbers

    You might go as far to require a non-keyboard character, like a heart! ♥
    Or even <3, that’s more secure than nothin!

    ~DtD

  2. Like in
    I <3 password generators that produce pronounceable passwords that aren’t dictionary words.

  3. Many databases are protected by weak passwords. The Twitter example shows how important it is to create really strong passwords and unique passwords for each site. This seems too hard for many people so they opt for weaker security to prevent forgetting.
    I created ReKnow.ca to help with this problem. People can create codes that are very secure and memorable. Since they are memorable you never have to enter the same code in more than one location – even the ReKnow site never sees your code.

    People can use passwords properly, they just have to reknow them.