Password problems

Some of the recent stunts by online mayhem seekers LulzSec have highlighted (again) something we all know: it’s bad to use a password for more than one website.

Recently, LulzSec hacked porn site pron.com, obtaining customer logins and admin credentials for a number of other porn sites - all with passwords apparently stored in plain text. Leaving aside the embarrassment that will be caused by some of the account email addresses having .gov and .mil at the end, there’s a high likelihood that at least some of these credentials will be valid on other sites. LulzSec encouraged its followers to try logging into Facebook with them and, if successful, bring down shame on the luckless users. A tad unsporting that. Facebook responded by resetting passwords for any and all affected accounts.

At least the people most at risk from this stunt are likely to know about it. LulzSec’s only motivation appears to be glory-seeking. The group has certainly not espoused any coherent political, ethical or commercial agenda. Normally, when hackers purloin login credentials this way, they don’t tell the world. They’re after your money.

So getting your passwords in order is a smart idea.

I use LastPass to manage my online passwords. It’s not without its own risks. The service had a scare recently when its security was mildly compromised. And there’s an inherent paradox in the concept. LastPass enables you to create long, complex passwords using all four character types - uppercase, lowercase, numbers and non-alphanumeric (punctuation and ‘special’ characters). It will randomly generate these for you. (Okay, pedants - pseudo-randomly generate.) These are the kinds of password that are impossible to remember. Fortunately, LastPass remembers them for you and will enter them (automatically, if you want) into login forms.

That’s a good thing. The problem is that there’s one password it won’t remember for you - the master password you need to gain access to LastPass itself. In other words, the one password that you’re going to be motivated to write down, or make weak enough to remember, is the one that gives access to all your other passwords.

Oh well.

LastPass does have another very useful feature. It will run a security check on all your stored passwords. It looks for instances where you’ve used the same password on multiple sites and also judges the strength of each. It’s a sobering experience. I’ve just about finished the drudgery of changing my passwords on dozens of sites, ensuring each one is unique.

There is another benefit to carrying out this check: it reminds you of sites you no longer use. And I think this is a security vulnerability that not enough people consider.
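The two LastPass features described above, generating passwords that use all four character classes and auditing a vault for reused or weak passwords, are simple enough to illustrate in a few lines. The script below is an added example, not LastPass’s code or anything from the original post; the vault entries are constructed sample data, the entropy estimate is a crude pool-size calculation of my own, and the 60-bit threshold is an arbitrary assumption.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site, password) for the audit. Not real credentials.
SAMPLE_VAULT = [
    ("forum.example.net", "summer99"),
    ("shop.example.com", "summer99"),          # same password reused on a second site
    ("old-blog.example.org", "Passw0rd"),
    ("bank.example.com", "xK9#vL2$pQ7!mR4@"),  # long, all four classes
]

# The four character classes the post refers to.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def character_classes(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def estimated_entropy_bits(password):
    """Crude strength estimate: length * log2(pool), where the pool is the union
    of the classes actually used. Overestimates dictionary words, so treat it
    as an upper bound, not a guarantee."""
    pool = sum(len(CLASSES[name]) for name in character_classes(password))
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def find_reused(vault):
    """Map each password that appears on more than one site to those sites."""
    by_password = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_weak(vault, min_bits=60.0):
    """List (site, estimated bits) for passwords below the (assumed) threshold."""
    return [
        (site, round(estimated_entropy_bits(pw), 1))
        for site, pw in vault
        if estimated_entropy_bits(pw) < min_bits
    ]


def generate_password(length=16):
    """Generate a password from the CSPRNG in `secrets`, retrying until
    every one of the four classes is present."""
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_classes(candidate) == set(CLASSES):
            return candidate


if __name__ == "__main__":
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    for site, bits in find_weak(SAMPLE_VAULT):
        print(f"weak ({bits} bits): {site}")
    print("replacement:", generate_password())
```

Running it on the sample vault flags the shared password and the three short ones, which is the same drudgery the post describes, just automated; the generator shows why such passwords are unmemorable and need a manager to hold them.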

It may be just me, but I seem to have gone through a period where I would register at sites using one of a small pool of common passwords, all rather short and easy to crack, thinking ‘oh, I can’t think of anything stronger right now, I’ll fix that later’. And, of course, I never did.

Looking through my LastPass vault, I can see a surprisingly large number of sites where I’m registered but which I haven’t visited in a long while. The danger they pose is this: most of these sites are small or middle-ranking, the type that may not be the most secure. They’re the most likely kind of website to give up their password databases to hackers. Having now changed my passwords, any hackers would (hopefully) only have access to a password I don’t use anywhere else. But there’s always a risk that I’ve overlooked something. And, in any case, the hackers won’t know that, and will be encouraged, purely by my presence in the purloined database, to go pound on my other accounts.

It seems obvious to me that being registered at sites you don’t use is a small but real security risk.

So, as part of my current password hygiene practices, I’m revisiting these sites and closing down my accounts. I can only hope that they’ll actually delete my records (as they should), rather than simply marking them ‘inactive’.