The founder of Facebook has been accused of using information from Facebook to break into email accounts at Harvard Crimson (Harvard’s newspaper). While I don’t know if it is true or not, the technique is plausible and is an excellent demonstration of why you shouldn’t use the same password for every website and how important it is to create secure passwords.
The story says that the Facebook founder was concerned about a story the Crimson planned on running. He located people on Facebook who said they worked at the Crimson. Since it sounds like Facebook stores passwords in a secure manner, he couldn’t simply look them up from the database. Instead, he went through the server’s logs to try to find login attempts where Crimson employees had typed their passwords in incorrectly. When someone’s login fails, Facebook (and many other sites) writes this information to the log file. This information includes the password they tried to use.
If you saw the following in a log file, do you think you could guess user JaneD’s password?
failed login! user: janed password: applwsauce
failed login! user: janed password: aspplesauce
failed login! user: janed password: aplesauce
It isn’t exactly rocket science to get a pretty good idea of what Jane’s password is. According to the story, once Facebook’s founder had this information, he was able to log in to the Crimson’s email server because users had used the same password for their Facebook account as they used for their work email account.
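The leak above is a logging choice, not a database one. As an added example (not code from the post or from any site it names), here is the leaky pattern beside a version that records the failure without the typed secret, plus a scrubber and an audit check for logs already written in that format; the sample log lines are constructed, and the field name `attempt_fp` and the `log_key` are my own assumptions.

```python
"""Failed-login logging: the leaky pattern described above beside a safe one."""
import hashlib
import hmac
import re

# Shape of the leaky line quoted in the post: "failed login! user: janed password: applwsauce"
LEAKY_LINE = re.compile(r"^(failed login! user: \S+) password: \S+$")

# Constructed sample log in that format (not a real capture)
SAMPLE_LOG = [
    "failed login! user: janed password: applwsauce",
    "failed login! user: janed password: aspplesauce",
    "failed login! user: janed password: aplesauce",
    "successful login! user: bobk",
]


def leaky_log_line(user: str, attempted_password: str) -> str:
    """The pattern the post describes: whatever the user typed lands in the log."""
    return f"failed login! user: {user} password: {attempted_password}"


def safe_log_line(user: str, attempted_password: str, log_key: bytes) -> str:
    """Record the failure without the secret. The keyed fingerprint (hypothetical
    field attempt_fp) only shows whether the *same* wrong value is being retried,
    which is enough for lockout logic; log_key is held outside the log store, so
    the line by itself reveals nothing about the typed value."""
    fp = hmac.new(log_key, attempted_password.encode(), hashlib.sha256).hexdigest()[:12]
    return f"failed login! user: {user} attempt_fp: {fp}"


def redact_line(line: str) -> str:
    """Scrub a line already written in the leaky format (e.g. before forwarding or retention)."""
    return LEAKY_LINE.sub(r"\1 password: [REDACTED]", line)


def find_leaks(lines):
    """Audit helper: 1-based numbers of lines that carry a plaintext password field."""
    return [n for n, line in enumerate(lines, 1) if LEAKY_LINE.match(line)]


if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))  # [1, 2, 3]
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
    print(safe_log_line("janed", "applwsauce", b"constructed-demo-key"))
```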
This is why you should be very cautious about using the same login info for more than one website. Keep in mind that Facebook was storing their passwords in a secure manner–some sites don’t even do that. A while back, a dating site was hacked and the hackers discovered that all of the login information was stored in an insecure manner. They didn’t even have to dig through failed login attempts. They then used this information to log in to other accounts the victims had at Facebook, instant messaging, Gmail, etc. They posted all kinds of stuff and even Photoshopped pictures designed to cause trouble. They posted on one victim’s Facebook page that she was getting ready to commit suicide. Another person found her Facebook status updated to indicate she was having an affair, etc.
All in all, this security breach was pretty easy to spot–people noticed their online status being updated with all kinds of things they would never say. While inconvenient and possibly embarrassing, it was mostly adolescent troublemaking. The real danger is someone who gets your password and you don’t ever know about it–at least not until a bunch of money disappears.
The ideal situation is to create a password of random characters for each login, but that only works if you have some type of automated system to keep track of them and log you in (see 1Password). We’ve previously talked about ways to create a unique password for each website in a memorable way that helps retain a bit more security. Regardless of what type of strategy you use, there is one thing you need to ask yourself every time you create a new account and come to the password field: Would I use this password if I knew that the developer of this site was a slightly untrustworthy 17-year-old? Most of the time, that will keep you from re-using your banking password or something of similar importance.