A Few Words on Passwords

Linking all of your accounts and using the same passwords over and over is like leaving your key in the lock!

Last week, a colleague of mine reported a security breach.  It didn’t involve hackers*, crackers, or stolen passwords: a thief nabbed his wife’s purse.  As you can imagine, this caused a ripple effect based on the contents of the purse.   Keys give access to cars and doors.  Bank cards give access to lines of credit and partial access to bank accounts.  Driver’s licenses list personal info right on the card.  The family had to launch immediately into a process of re-keying and card-canceling.

Linking Accounts Together Can Be Unwise

Similarly, in the digital realm, a Wired writer lost his entire digital life when a whole series of linkages between accounts was exploited by miscreants.  Attackers compromised his Apple account — not by technical wizardry, but by conning tech support at Apple into thinking they were the legitimate account holders, a process known in the security industry as “social engineering.”  The Apple account included access to his Apple email, which happened to be authorized as his password-reset account for his Gmail account; likewise the Gmail account was the password-reset account for his Twitter account.  The Twitter account was the ultimate target.  Most devastating of all, though, the bad guys erased the victim’s MacBook in an effort to cover their tracks, using a service Apple provides to prevent thieves from accessing sensitive data.  The laptop had no backup.

Am I trying to scare you? Maybe a little.  But mainly I’m trying to encourage you to think about how things in your digital life link together.  Does every account you own link to a single Gmail account?  That’s fairly common.  It’s also fairly common for people to use the same password over and over again — and even if they don’t, it’s not terribly hard to parlay access to a single account into a daisy chain of unauthorized access.

Why We at IT Don’t Ever Want to See Your Password

This — this! — is why W&M IT has a strict policy against ever seeing a user’s password.  Not in person, and certainly not in email.  Not just because of bureaucracy, and not just because your password for your bank might be the same as your W&M password.  But because your W&M email might be your backup for your Google account, which might be the backup for password resets coming from Twitter, Pinterest, Facebook, etc.  Access to those grants a trove of personal information that could be used to help gain access to your bank, your stockbroker, or even your tax records.  I hope the chances of something like what happened to the Wired writer above happening to a W&M community member are very low — but if such a thing ever did happen, it could be a nightmare for our organization if the investigation revealed, “I gave my W&M password to J. Q. Staffer when he came to work on my computer.”  Poor ole J.Q. probably liked his job, too!
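To make the linkage argument concrete, here is an added example (not code from the post or from W&M IT) that treats password-reset addresses and password reuse as a graph and reports every account an attacker can reach from one compromised account. The account names, reset links and password labels are a constructed sample modeled on the Apple-to-Gmail-to-Twitter chain described above.

```python
from collections import deque

# Constructed sample: account -> account that receives its password-reset
# mail (None = no recovery address). Mirrors the chain in the post:
# Apple mail resets Gmail, Gmail resets Twitter.
RESET_ACCOUNT = {
    "apple_mail": None,
    "gmail": "apple_mail",
    "twitter": "gmail",
    "bank": "gmail",
    "wm_email": None,
}

# Constructed sample: account -> opaque password label; two accounts with
# the same label share a password (no real passwords are stored here).
PASSWORD_LABEL = {
    "apple_mail": "pw-A",
    "gmail": "pw-B",
    "twitter": "pw-C",
    "bank": "pw-A",   # reused: same password as apple_mail
    "wm_email": "pw-D",
}


def reused_passwords(password_label):
    """Return the groups of accounts that share one password."""
    groups = {}
    for account, label in password_label.items():
        groups.setdefault(label, set()).add(account)
    return [accts for accts in groups.values() if len(accts) > 1]


def blast_radius(start, reset_account, password_label):
    """Accounts an attacker holding `start` can take over, following
    reset links (start resets X) and shared passwords transitively."""
    resets_from = {}  # recovery account -> accounts it can reset
    for account, recovery in reset_account.items():
        if recovery is not None:
            resets_from.setdefault(recovery, set()).add(account)
    shared = {}  # password label -> accounts using it
    for account, label in password_label.items():
        shared.setdefault(label, set()).add(account)
    reached, queue = {start}, deque([start])
    while queue:  # breadth-first walk over both kinds of link
        account = queue.popleft()
        neighbours = resets_from.get(account, set()) | shared.get(password_label.get(account), set())
        for nxt in neighbours - reached:
            reached.add(nxt)
            queue.append(nxt)
    return reached
```

Run `blast_radius("apple_mail", RESET_ACCOUNT, PASSWORD_LABEL)` and the Apple mailbox alone yields Gmail, Twitter and the bank account; the W&M mailbox, with its own password and no reset link, stays out of reach.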

While I’m on the subject: it’s worth pointing out that your humble author has been a victim, too.  I’ve managed to avoid real trouble, but I had fallen into the trap of using the same two or three passwords over and over again for the multitude of sites requiring one.  And I discovered, on my own, the downside of that: it only takes one of those sites having its user roster and password list stolen for me to be effectively compromised at every site where I use that same old username/password combo.  I took the plunge, and finally did what security mavens have said all along: unique passwords for every website.  “How do you remember them all?” you ask.  I don’t!  I use a piece of software called KeePassX to remember them all for me.  (I might switch programs, though; there are several, and I’ve had trouble getting this one to run on my MacBook and on my phone.)

As we move more and more of our data, our lives, and our livelihoods into the “cloud,” we find more new things to worry about and keep track of.  A little circumspection about such matters is a wonderful thing!  Be careful out there, and keep an eye on your purse.


* Properly, a “hacker” is just someone who wants to figure out how something works, and does so by messing around with the thing itself.  Someone who breaks into computer systems, whether for fun or profit, is a “cracker.”  The first crackers were hackers who were in it for curiosity’s sake.  Sadly, “hacker” has lost a lot of its benign sense in common parlance.

About John Drummond

John Drummond is the Academic Technology Manager at the College of William & Mary. Originally from Mathews County, VA, John graduated from James Madison University with a BA in English in 1996 and an MS in Technical and Scientific Communication in 2002, and is currently studying for an Ed.D. in Higher Education at the W&M School of Education. He has been with W&M since 2007. In addition to working in IT, John has taught occasionally at W&M and previously at Tidewater Community College, and in other roles has been an author, a musician, a Perl programmer, a UNIX systems engineer, and a network manager. He resides in Toano with his wife Andrea and daughter Rebekah.

Comments

  1. I’m a HUGE fan of 1Password. I store all my software licenses, banking information and random account info for family members (in case they forget) in there as well as passwords. Syncing with Dropbox means that I have all my information on my iPhone as well as on all my computers (I have 3). Just a note, 1Password has Windows and Mac versions available. I think there’s a Linux version too… I could check right now but I’m lazy.

    I actually don’t use the password extensions as I feel it clutters up my 1Password app when I’m in it. Sometimes the URL changes for the login page and every time that happens, 1P creates a new entry in the database. This can get messy. Instead, in conjunction with Alfred App (for Mac), I just do everything from the keyboard, and quickly.

    command+space (bring up Alfred), type 1p – press enter. 1Password opens up and immediately focuses on the Find field. I can’t stress how useful that last part is. On the Windows version, it was a glaring omission.
    Anyway, type in the tags or name of the site I’m on, copy the PW and off I go.

    It’s also handy when I can’t remember what email address or username I decided to use.

    Still, I can’t stress enough the ability to have all my information synced across all my devices and computers. It’s encrypted and PIN protected. KeePassX was my go-to until I decided to invest in 1P. It’s not free, but it’s definitely worth it.

  2. John Drummond says:

    Thanks, Evan! I was just this minute talking with Jeff about how the time involved in copy/pasting all my passwords has been a barrier to switching password managers.

  3. Hi John,

    If you are still looking for an OS X-friendly password manager, I have been really happy with 1Password: https://agilebits.com/onepassword

    My favorite parts of 1Password are its browser extensions. You click on the extension icon, enter your master password, and it brings up login info for the site you are viewing. They also have a helpful blog; their suggestion of using a random password instead of actual information for security questions blew my mind: http://blog.agilebits.com/2012/08/11/blizzard-and-insecurity-questions-my-fathers-middle-name-is-vr2ut1vnj/