Categories: Security

A Lesson in Password Security

By Miss Cellania
Contributing Writer, [GAS]

Wired’s Threat Level blog has an interview with GMZ, the hacker who briefly helped himself to some high-profile accounts at Twitter a few days ago. The way he got in was ridiculously simple.

1. He identified a very active account. It later turned out to belong to a Twitter employee who had access to all account passwords.

2. He used an automated dictionary program that tries common English words as passwords, and ran it all night with no interference.

Cracking the account was easy because Twitter put no limit on rapid-fire log-in attempts: no lockout, no throttling, and evidently no alarm.

3. The Twitter employee used a common English word (happiness) as a password.

4. Once into her account, he could get at the password of any account on Twitter, resetting it where he wanted to.

GMZ says he didn’t post on the hacked accounts, but gave away the information to forum members who did.

President-Elect Barack Obama was among the most popular requests from Digital Gangster denizens, with around 20 members asking for access to the election campaign account. After resetting the password for the account, he gave the credentials to five people.

He also filled requests for access to Britney Spears’ account, as well as the official feeds for Facebook, CBS News, Fox News and the accounts of CNN correspondent Rick Sanchez and Digg founder Kevin Rose. Other targets included additional news outlets and other celebrities. Fox won the hacker popularity contest, beating out even Obama and Spears. According to Twitter, 33 high-profile accounts were compromised in all.

You can see some of the mayhem that occurred in screenshots posted all over the Net.

So what have we learned here?

If you run a forum, social networking site, blog, or website, you have to anticipate attacks. Twitter’s unlimited-login problem? Check your settings or ask your hosting service; throttling and locking out repeated failed logins is a standard feature. Mine will put me in time out if I misspell my password twice! There’s no excuse for letting anyone run login attempts all night with no alarms going off.
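To make the mechanics concrete, here is an added illustration of the attack in steps 1 to 4 and of the fix just described. It is not Twitter’s code and not from the Wired interview: a toy login service with an optional lockout, and a dictionary script run against it once with the lockout off (as Twitter had it) and once with it on. The user name, the ten-word list, the one-second pace and the five-attempt threshold are constructed assumptions.

```python
"""Simulated online dictionary attack against a login endpoint, with and
without attempt throttling.  Added illustration; not Twitter's code.
The word list, user name, pace and thresholds are constructed assumptions."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed mini "dictionary".  A real attack uses tens of thousands of
# words; "happiness" is the password named in the article.
COMMON_WORDS = ["password", "letmein", "sunshine", "freedom", "monkey",
                "dragon", "football", "happiness", "princess", "welcome"]


class LoginService:
    """Toy account store.  With max_attempts=None it behaves like the
    unthrottled login in the article; otherwise it locks an account after
    max_attempts consecutive failures and records an alarm for the admin."""

    def __init__(self, max_attempts=None, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._users = {}                   # user -> (salt, pbkdf2 hash)
        self._failures = defaultdict(int)  # consecutive bad passwords
        self._locked_until = {}            # user -> time the lock expires
        self.alarms = []                   # what an admin should be shown

    @staticmethod
    def _hash(salt, password):
        # Iteration count kept low for the demo; use far more in production.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password))

    def login(self, user, password, now):
        """Return 'ok', 'bad_password' or 'locked'.  `now` is a caller-supplied
        clock in seconds so the simulation is deterministic."""
        if now < self._locked_until.get(user, 0):
            return "locked"
        salt, stored = self._users.get(user, (b"", b""))  # unknown user: same path
        if hmac.compare_digest(self._hash(salt, password), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self.max_attempts and self._failures[user] >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            self.alarms.append(f"{user}: {self.max_attempts} bad logins at t={now}s")
        return "bad_password"


def dictionary_attack(service, user, words, seconds_per_try=1.0):
    """Try each word once, like the all-night script in the article.
    Returns (password_or_None, attempts_made)."""
    attempts = 0
    for word in words:
        attempts += 1
        result = service.login(user, word, now=attempts * seconds_per_try)
        if result == "ok":
            return word, attempts
        if result == "locked":
            break  # throttled: the script would have to wait 15 minutes per 5 guesses
    return None, attempts


def demo():
    """Run the same attack against an open site and a throttled one."""
    open_site = LoginService()                 # no limit, as the article describes
    open_site.register("support_staffer", "happiness")
    throttled = LoginService(max_attempts=5)
    throttled.register("support_staffer", "happiness")
    return (dictionary_attack(open_site, "support_staffer", COMMON_WORDS),
            dictionary_attack(throttled, "support_staffer", COMMON_WORDS),
            throttled.alarms)


if __name__ == "__main__":
    open_result, throttled_result, alarms = demo()
    print("unthrottled:", open_result)   # the common word falls on the 8th try
    print("throttled:  ", throttled_result, alarms)
```

Against the open site the script walks straight to the eighth word; against the throttled one it gets five guesses, trips an alarm and is locked out for 15 minutes, which turns an overnight run into years. Two caveats a practitioner will want: a per-account lockout alone lets an attacker lock the victim out on purpose, so pair it with per-source throttling or increasing delays, and the password check uses `hmac.compare_digest` so that a timing difference does not leak how many bytes of the hash matched.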

Don’t use a common word for a password. Use a password manager, change your passwords regularly, use different passwords for different sites (with the strongest reserved for the accounts that matter most), and don’t be afraid to forget them. Most are easily recovered with valid information. However, you should record the passwords for your email and your sites in a safe place offline for your closest relative in case of your death.

Administrators must be extra vigilant to see that partners and employees with access to other accounts have a strong password, and that such access is limited to the people who actually need it. What other tips can you add? What security walls would you recommend for admins?
