The founder of Facebook has been accused of using information from Facebook to break into email accounts at The Harvard Crimson (Harvard's student newspaper). Whether or not the accusation is true, the technique is plausible, and it is an excellent demonstration of why you shouldn't use the same password for every website and of how important it is to create secure passwords.
The story goes that the Facebook founder was concerned about a story the Crimson planned to run. He located people on Facebook who said they worked at the Crimson. Since Facebook apparently stored passwords in a secure manner, he couldn't simply read them out of the database. Instead, he went through the server's logs looking for login attempts in which Crimson employees had typed their passwords incorrectly. When a login fails, Facebook (and many other sites) writes the attempt to a log file, and that entry includes the password that was tried. A mistyped password is usually a keystroke or two away from the real one, so a log of failed attempts is nearly as sensitive as the password store itself; the safe practice is to record the username, source address and time of a failure, and never the credential that was submitted.
If you saw the following in a log file, do you think you could guess user JaneD’s password?
failed login! user: janed password: applwsauce
failed login! user: janed password: aspplesauce
failed login! user: janed password: aplesauce
It isn't exactly rocket science to get a pretty good idea of what Jane's password is. According to the story, once Facebook's founder had this information, he was able to log in to the Crimson's email server because those users had used the same password for their Facebook account as for their work email account.
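As an added illustration (example code written for this edit, not part of the original post), here is how the near-miss attempts above can be turned into a candidate password. It assumes failed-login lines in exactly the format quoted, parses the log, groups attempts per user, and keeps only the strings that are within one edit of every attempt for that user. The sample log lines are constructed for the example; the second user is included to show what happens when there is nothing to triangulate.

```python
import re
import string
from collections import defaultdict

# Constructed sample log in the format the post quotes (not a real log).
SAMPLE_LOG = """\
failed login! user: janed password: applwsauce
failed login! user: janed password: aspplesauce
failed login! user: bob password: hunter2
failed login! user: janed password: aplesauce
"""

LINE_RE = re.compile(r"failed login! user: (\S+) password: (\S+)")


def parse_failed_logins(log_text):
    """Group the attempted passwords by user name, in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m.group(1)].append(m.group(2))
    return dict(attempts)


def levenshtein(a, b):
    """Classic edit distance: insertion, deletion and substitution cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def edits1(s, alphabet):
    """All strings one insertion, deletion or substitution away from s."""
    out = set()
    for i in range(len(s) + 1):
        left, right = s[:i], s[i:]
        if right:
            out.add(left + right[1:])                 # deletion
            for c in alphabet:
                if c != right[0]:
                    out.add(left + c + right[1:])      # substitution
        for c in alphabet:
            out.add(left + c + right)                  # insertion
    return out


def reconstruct(attempts, radius=1, alphabet=None):
    """Return every string within `radius` edits of *all* attempts.

    With one typo per attempt the real password is in this set even though
    it never appears in the log. With a single (or repeated) attempt there
    is nothing to triangulate, so the attempt itself is the best guess.
    """
    if len(set(attempts)) < 2:
        return sorted(set(attempts))
    if alphabet is None:
        alphabet = set(string.ascii_lowercase + string.digits) | set("".join(attempts))
    seed = min(attempts, key=len)          # smallest neighbourhood to enumerate
    candidates = {seed}
    frontier = {seed}
    for _ in range(radius):
        frontier = set().union(*(edits1(c, alphabet) for c in frontier))
        candidates |= frontier
    return sorted(c for c in candidates
                  if all(levenshtein(c, a) <= radius for a in attempts))


def likely_passwords(log_text, radius=1):
    """Map each user in the log to the passwords consistent with their typos."""
    return {user: reconstruct(pws, radius)
            for user, pws in parse_failed_logins(log_text).items()}


if __name__ == "__main__":
    for user, cands in likely_passwords(SAMPLE_LOG).items():
        print(user, cands)
```

For janed the only survivor is applesauce, a string that never appears in the log. The defender's lesson is the one above: hashing the password table does nothing if the failed attempts are written out in the clear.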
This is why you should be very cautious about using the same login information for more than one website. Keep in mind that Facebook was storing its passwords in a secure manner; some sites don't even do that. A while back, a dating site was hacked and the attackers discovered that all of the login information was stored in an insecure, directly readable form. They didn't even have to dig through failed login attempts. They then used this information to log in to other accounts the victims had at Facebook, instant messaging services, Gmail, etc. They posted all kinds of things and even Photoshopped pictures designed to cause trouble. They posted on one victim's Facebook page that she was getting ready to commit suicide. Another person found her Facebook status updated to say she was having an affair, and so on.
All in all, this breach was easy to spot: people noticed their online status being updated with things they would never say. While inconvenient and possibly embarrassing, it was mostly adolescent troublemaking. The real danger is someone who gets your password without you ever knowing about it, at least not until a bunch of money disappears.
The ideal situation is a password of random characters for each login, but that only works if you have some type of automated system to keep track of them and log you in (see 1Password). We've previously talked about ways to create a unique password for each website in a memorable way that retains a bit more security. Regardless of the strategy you use, there is one thing you need to ask yourself every time you create a new account and reach the password field: Would I use this password if I knew that the developer of this site was a slightly untrustworthy 17-year-old? Most of the time, that will keep you from re-using your banking password or something of similar importance.
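To make the reuse problem concrete (the dating-site breach two paragraphs up and the per-site random password just above), here is an added example written for this edit, not taken from the post: site A leaks a constructed plaintext credential dump, site B stores salted PBKDF2 hashes, and the leaked pairs are simply replayed against site B's verifier. The site names, users and passwords are made up, and PBKDF2 with 100,000 iterations stands in for whatever "secure manner" the post refers to.

```python
import hashlib
import hmac
import os
import secrets
import string


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 record, the kind of store that cannot be read back."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def random_password(length=20):
    """A per-site random password, the kind a password manager generates for you."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed plaintext dump, as leaked from the badly run site (site A).
LEAKED_SITE_A = {
    "janed": "applesauce",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}


def build_site_b_store():
    """Site B hashes properly. janed reused her site-A password; bob and carol did not."""
    return {
        "janed": hash_password("applesauce"),
        "bob": hash_password(random_password()),
        "carol": hash_password("different-at-every-site"),
    }


def credential_stuffing(leaked, store):
    """Replay each leaked (user, password) pair against site B's verifier.

    Returns the users whose site-B login succeeds with their site-A password.
    """
    return sorted(user for user, pw in leaked.items()
                  if user in store and verify_password(pw, store[user]))


if __name__ == "__main__":
    print("compromised on site B:", credential_stuffing(LEAKED_SITE_A, build_site_b_store()))
```

Only the user who reused a password falls, and site B's careful hashing did nothing to prevent it; the random_password helper is the alternative a password manager automates.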
Jamie Ross (Mining Man) says
Great post, very interesting story whether true or not, and very good advice. I guess the trick is to find the balance or method for being able to remember all your passwords, but also make sure if one gets “lost” they are not all corrupted. Your article on creating unique passwords is a really great source of ideas.
No need to overthink this.
Establish a password code something like the following:
Where A is a random letter, goog is the name of the website, and 123 is a random 3-digit combo.
So if the above is my password key then my password for yahoo would be:
and for citibank:
As long as you remember your own little code, you can create a unique password for every site that is easily remembered.
Dale King says
The system I use involves a memory system for easily remembering numbers. That system assigns consonant sounds to each number and the idea is that you turn numbers into words. (Google pseudonumerology for more info).
But what I do is the reverse. I use the system to turn the words in a phrase which includes the name of the site into numbers, which then become the password. Make sure to leave part of the phrase as letters, including upper and lower case, to handle sites that require upper and lower case letters.
So let’s say you come up with a phrase like “_______ eats garbanzo beans”, where the site name goes in the blank. We’ll leave eats as letters and capitalize the A.
Your password on google then would be: 775eAts74920920.
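An added example (written for this edit, not posted by Dale King) that implements the derivation described in the comment above so it can be checked against the example password. It uses a letter-level approximation of the consonant-to-digit mapping, which is an assumption on my part: the real system is keyed on sounds, so words with silent letters or digraphs (ph, ck, th) may encode differently. The phrase and the kept word eAts are taken from the comment.

```python
# Letter-level approximation of the Major (phonetic) mnemonic system.
# Assumption for this example: the real system codes consonant SOUNDS, so
# silent letters and digraphs are not handled here. Vowels and h, w, y
# carry no digit and are dropped.
MAJOR_DIGITS = {
    "s": "0", "z": "0",
    "t": "1", "d": "1",
    "n": "2",
    "m": "3",
    "r": "4",
    "l": "5",
    "j": "6",
    "k": "7", "g": "7", "c": "7", "q": "7",
    "f": "8", "v": "8",
    "p": "9", "b": "9",
}

# The commenter's phrase with the site name in the blank. Words listed in
# KEEP_AS_LETTERS are copied verbatim (mixed case intact) instead of encoded.
PHRASE = "{site} eAts garbanzo beans"
KEEP_AS_LETTERS = {"eAts"}


def major_digits(word):
    """Encode a word as the digit string of its coded consonants."""
    return "".join(MAJOR_DIGITS.get(ch, "") for ch in word.lower())


def derive_password(site, phrase=PHRASE, keep=KEEP_AS_LETTERS):
    """Fill the site into the phrase; every word becomes digits unless kept as letters."""
    parts = []
    for word in phrase.format(site=site).split():
        parts.append(word if word in keep else major_digits(word))
    return "".join(parts)


def site_contribution(site):
    """Number of digits the site name itself adds to the password.

    Zero means the site name vanishes from the result, so two such sites
    would end up with the same password.
    """
    return len(major_digits(site))


if __name__ == "__main__":
    for name in ("google", "citibank", "yahoo"):
        print(name, derive_password(name), "site digits:", site_contribution(name))
```

It reproduces 775eAts74920920 for google. Running it on other names is worth doing before adopting the scheme: a name with no coded consonants, such as yahoo, contributes nothing, so every such site would share a password, and because site names are public, one leaked password reveals the fixed tail used everywhere else.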