Phuket Live Wire – reusing passwords is an expensive bad habit

PHUKET: Here’s a question I see with alarming frequency:

Woody, somebody just broke into my Hotmail account. The creep sent messages out to everybody in my Hotmail address book, saying I was in the hospital and needed money sent to me (by Western Union) immediately. What can I do about it?

You’ve been hacked, and there’s precious little that can be done. Let me get to that part in a second. First, I want to talk about how you got hacked in the first place – and dole out some advice to people in Phuket that can keep creeps from getting into their Hotmail (or Facebook, Twitter, PayPal or bank) accounts.

There are hundreds of ways bad guys can get your password. You already know about many of them – writing down your password on a sticky note and putting it on your laptop, for example. Telling your password to your spouse or best friend, who loaned it to someone who really needed it, like, right now.

Using a patently obvious password doesn’t help – if your name is Yingluck Shinawatra or Barack Obama, and your password is yingluck or President, well, you gotta expect somebody’s going to figure it out. (Both Yingluck and Barack have had their Twitter accounts hacked, probably because they used simple passwords.)

Using one of a bunch of very common passwords is similarly very dumb. As explained in an InfoWorld article, the 25 most common passwords stick out like a sore thumb: password, 123456, 12345678, qwerty, abc123, monkey, 1234567, letmein, trustno1, dragon, baseball, 111111, iloveyou, master, sunshine, ashley, bailey, passw0rd, shadow, 123123, 654321, superman, qazwsx, michael, football. Use any of those and any pimply teenager in Kazbukistan with ten minutes to kill can break into your account.

There’s a worse form of password abuse, though, and it can cost you a lot of money. You need to be very, very careful to keep from re-using your email password. Consider this worst-case scenario, which we saw unfold here in Thailand a couple of months ago.

Let’s say my Gmail address is woodyleonhard@gmail.com (it is) and my Gmail password is gotcha (it isn’t). Like you, I log on to dozens of web sites every day. I signed up for an account at a newspaper site (not this one), so I can post comments in their forums and get email updates on the news.

Let’s call this newspaper site ThaiDailyPlanet.com. The site asks me to provide my email address, and a password. I give them my email address, woodyleonhard@gmail.com. I’m lazy (I am), so instead of using a different password, I just re-use my Gmail password, gotcha.

ThaiDailyPlanet.com’s webmasters may be good at many things – their jobs depend on keeping the news posted and updated, and looking good – but they aren’t security experts. The system that stores people’s email addresses and passwords is protected very well, using the latest SQL Server technology, but the admins don’t bother to encrypt user IDs and passwords before storing them. That means my user ID and password are sitting on a disk somewhere on ThaiDailyPlanet’s server, and they’re just plain text.

Fast forward a few months, or years, and some creep in Los Angeles downloads this new hacking program that’s supposed to be able to break into SQL Server databases. He doesn’t have a clue how it was built, and can just barely figure out how to use the hacking program, but he goes surfing the internet, looking for SQL Server databases that don’t have a specific, recent security patch installed.

Sure enough, he bumps into ThaiDailyPlanet.com, and discovers that their SQL Server database doesn’t have this security patch yet. He turns the hacking program on ThaiDailyPlanet’s servers, and in the course of an hour or two, downloads five thousand email addresses and passwords, including woodyleonhard@gmail.com and gotcha.

This particular creep has the self-esteem of a gutted catfish, so he goes bragging to other people on creepy forums that he’s broken into this big, bad database, and made off with 5,000 email addresses and passwords. To strut his stuff, he posts the addresses and passwords on an open data web site, inviting his creepy friends to go look.

Within hours, hundreds of people have downloaded the stolen email addresses and passwords. Some of them have IQs above dishwater level, so they go poking and prodding. Sure enough, dozens of them find out that they can log on to Gmail with woodyleonhard@gmail.com and gotcha.

That’s only part of the story. If I used the same username and password on my PayPal account, it’ll be gone in a New York minute. With a hundred monkeys pounding on keyboards, my Bank of America, Scottrade and Kasikorn Bank accounts could get drained the same way – if I used the same user name and password that’s on my Gmail account. And of course I’d be ordering champagne and caviar on eBay, for delivery to Los Angeles. It could all happen in a few minutes, and I’d never be any the wiser.

More than that, some banking sites let you request a “forgotten” password by providing the correct email address. One of those monkeys no doubt would try the “Forgot my password” on a hundred well-known financial sites, and possibly come up with something. With access to my mail account, they’d have all the details they need.

Bottom line: don’t re-use your email account’s password! And be very careful about recycling passwords in general.
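For anyone running a site like the hypothetical ThaiDailyPlanet.com, here is what storing passwords as something other than plain text can look like. This is an added example, not code from the column or from any real site: the function names, the scrypt settings and the example.com addresses are assumptions made for illustration, and the rejected-password list is the 25 quoted above.

```python
import hashlib
import hmac
import os

# The 25 common passwords listed in the column above.
COMMON_PASSWORDS = frozenset(
    "password 123456 12345678 qwerty abc123 monkey 1234567 letmein trustno1 "
    "dragon baseball 111111 iloveyou master sunshine ashley bailey passw0rd "
    "shadow 123123 654321 superman qazwsx michael football".split()
)

# Assumed scrypt cost settings for this example; tune them for real hardware.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the password itself is never stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def register(db: dict, email: str, password: str) -> None:
    """Reject listed passwords, then store (salt, hash) for the account."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password list")
    salt = os.urandom(16)  # fresh random salt per account
    db[email] = (salt, hash_password(password, salt))


def verify(db: dict, email: str, password: str) -> bool:
    """Check a login attempt with a constant-time comparison."""
    record = db.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    # Constructed sample accounts; the addresses are placeholders.
    db = {}
    register(db, "reader@example.com", "gotcha")
    register(db, "other@example.com", "gotcha")
    print(verify(db, "reader@example.com", "gotcha"))   # correct password
    print(verify(db, "reader@example.com", "Gotcha"))   # wrong password
    # Same password, different salts: the stored hashes do not match.
    print(db["reader@example.com"][1] != db["other@example.com"][1])
```

A slow, salted hash only raises the cost of guessing from a stolen table; a short password such as gotcha can still be found by guessing, so re-using it elsewhere stays risky.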

Back to the original question: there’s basically nothing you can do about a hacked email account. If you can still get in, you should change your password immediately, of course, but the cow’s already out of the barn. It happens so often that the major mail providers (Hotmail, Gmail and Yahoo Mail) have web sites set up with advice about how to cope with the problem, but the bottom line is that there’s basically nothing you can do.

Live Wire is Phuket Gazette columnist Woody Leonhard’s weekly snapshot of all things internet in Phuket.

Follow him on Twitter: @PhuketLiveWire; “like” pages at facebook.com/SandwichShoppe; and facebook.com/phuketgazette.net.

— Woody Leonhard

 

Archiving articles from the Phuket Gazette circa 1998 - 2017. View the Phuket Gazette online archive and Digital Gazette PDF Prints.
