Phuket Live Wire – reusing passwords is an expensive bad habit
PHUKET: Here’s a question I see with alarming frequency:
Woody, somebody just broke into my Hotmail account. The creep sent messages out to everybody in my Hotmail address book, saying I was in the hospital and needed money sent to me (by Western Union) immediately. What can I do about it?
You’ve been hacked, and there’s precious little that can be done. Let me get to that part in a second. First, I want to talk about how you got hacked in the first place – and dole out some advice to people in Phuket that can keep creeps from getting into their Hotmail (or Facebook, Twitter, PayPal or bank) accounts.
There are hundreds of ways bad guys can get your password. You already know about many of them – writing down your password on a sticky note and putting it on your laptop, for example. Telling your password to your spouse or best friend, who loaned it to someone who really needed it, like, right now.
Using a patently obvious password doesn’t help – if your name is Yingluck Shinawatra or Barack Obama, and your password is yingluck or President, well, you gotta expect somebody’s going to figure it out. (Both Yingluck and Barack have had their Twitter accounts hacked, probably because they used simple passwords.)
Using one of a bunch of very common passwords is similarly very dumb. As explained in an InfoWorld article, the 25 most common passwords stick out like a sore thumb: password, 123456, 12345678, qwerty, abc123, monkey, 1234567, letmein, trustno1, dragon, baseball, 111111, iloveyou, master, sunshine, ashley, bailey, passw0rd, shadow, 123123, 654321, superman, qazwsx, michael, football. Use any of those and any pimply teenager in Kazbukistan with ten minutes to kill can break into your account.
There’s a worse form of password abuse, though, and it can cost you a lot of money. You need to be very, very careful to keep from re-using your email password. Consider this worst-case scenario, which we saw unfold here in Thailand a couple of months ago.
Let’s say my Gmail address is woodyleonhard@gmail.com (it is) and my Gmail password is gotcha (it isn’t). Like you, I log on to dozens of web sites every day. I signed up for an account at a newspaper site (not this one), so I can post comments in their forums and get email updates on the news.
Let’s call this newspaper site ThaiDailyPlanet.com. The site asks me to provide my email address and a password. I give them my email address, woodyleonhard@gmail.com. I’m lazy (I am), so instead of using a different password, I just re-use my Gmail password, gotcha.
ThaiDailyPlanet.com’s webmasters may be good at many things – their jobs depend on keeping the news posted and updated, and looking good – but they aren’t security experts. The system that stores people’s email addresses and passwords is protected very well, using the latest SQLServer technology, but the admins don’t bother to encrypt user IDs and passwords before storing them. That means my user ID and password are sitting on a disk somewhere on ThaiDailyPlanet’s server, and they’re just plain text.
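The difference between what the column says ThaiDailyPlanet’s admins did (the password sits on disk as plain text) and what a site should do (store only a random salt plus a slow password hash), shown as an added example in Python that is not part of the column. The email/password pair is the column’s own fictitious one; the iteration count and record layout are assumptions.

```python
# Added example, not from the column: plain-text storage versus a
# salted PBKDF2 hash. If the table is stolen, the hashed row reveals
# nothing that can be typed into Gmail.
import hashlib
import hmac
import os

# The column's fictitious credentials (constructed sample input).
EMAIL = "woodyleonhard@gmail.com"
PASSWORD = "gotcha"

# PBKDF2-HMAC-SHA256 work factor (assumption): deliberately slow, so a
# stolen table costs real CPU time to crack. Raise it as hardware speeds up.
ITERATIONS = 200_000


def store_plaintext(email, password):
    """What the column describes: the stored row IS the password."""
    return {"email": email, "password": password}


def store_hashed(email, password):
    """Store a fresh per-user salt and the PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"email": email, "salt": salt.hex(), "hash": digest.hex(),
            "iterations": ITERATIONS}


def verify_hashed(row, password):
    """Recompute the digest from the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(row["salt"]), row["iterations"])
    return hmac.compare_digest(digest.hex(), row["hash"])


def leaked_values(row):
    """Simulate the dump: every value an attacker sees if the table is stolen."""
    return {str(v) for v in row.values()}
```

Because each user gets a different salt, two users who both picked gotcha still end up with different rows, so one cracked hash does not unlock the other.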
Fast forward a few months, or years, and some creep in Los Angeles downloads this new hacking program that’s supposed to be able to break into SQLServer databases. He doesn’t have a clue how it was built, and can just barely figure out how to use the hacking program, but he goes surfing the internet, looking for SQLServer databases that don’t have a specific, recent security patch installed.
Sure enough, he bumps into ThaiDailyPlanet.com, and discovers that their SQLServer database doesn’t have this security patch yet. He turns the hacking program on ThaiDailyPlanet’s servers, and in the course of an hour or two, downloads five thousand email addresses and passwords, including woodyleonhard@gmail.com and gotcha.
This particular creep has the self-esteem of a gutted catfish, so he goes bragging to other people on creepy forums that he’s broken into this big, bad database, and made off with 5,000 email addresses and passwords. To strut his stuff, he posts the addresses and passwords on an open data web site, inviting his creepy friends to go look.
Within hours, hundreds of people have downloaded the stolen email addresses and passwords. Some of them have IQs above dishwater level, so they go poking and prodding. Sure enough, dozens of them find out that they can log on to Gmail with woodyleonhard@gmail.com and gotcha.
That’s only part of the story. If I used the same username and password on my PayPal account, it’ll be gone in a New York minute. With a hundred monkeys pounding on keyboards, my Bank of America, Scottrade and Kasikorn Bank accounts could get drained the same way – if I used the same user name and password that’s on my Gmail account. And of course I’d be ordering champagne and caviar on eBay, for delivery to Los Angeles. It could all happen in a few minutes, and I’d never be any the wiser.
More than that, some banking sites let you request a “forgotten” password by providing the correct email address. One of those monkeys no doubt would try the “Forgot my password” on a hundred well-known financial sites, and possibly come up with something. With access to my mail account, they’d have all the details they need.
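What the “hundred monkeys” stage looks like from the other side of the counter, as an added example in Python that is not part of the column: a site operator replaying leaked email/password pairs sees one source try many different accounts in a short burst, mostly failing, whereas a real user fails a few times on one account. The log format, addresses, timestamps and thresholds are constructed assumptions.

```python
# Added example, not from the column: flag sources that try many distinct
# accounts inside a short window, the signature of a leaked credential
# list being replayed, and report which accounts they got into.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal user (198.51.100.9) mistyping once,
# and one source (203.0.113.7) walking a stolen list.
SAMPLE_LOG = """\
2013-04-02T10:00:01 src=198.51.100.9 user=nok@example.com result=FAIL
2013-04-02T10:00:09 src=198.51.100.9 user=nok@example.com result=OK
2013-04-02T10:01:00 src=203.0.113.7 user=a@example.com result=FAIL
2013-04-02T10:01:02 src=203.0.113.7 user=b@example.com result=FAIL
2013-04-02T10:01:04 src=203.0.113.7 user=c@example.com result=FAIL
2013-04-02T10:01:06 src=203.0.113.7 user=d@example.com result=FAIL
2013-04-02T10:01:08 src=203.0.113.7 user=woodyleonhard@gmail.com result=OK
"""


def parse(line):
    """Turn 'TS key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_stuffing(log_text, window=timedelta(minutes=5), min_accounts=4):
    """Return {src: sorted accounts logged in OK} for every source that
    attempted at least `min_accounts` distinct accounts within `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            by_src[event["src"]].append(event)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            if len({e["user"] for e in burst}) >= min_accounts:
                flagged[src] = sorted(e["user"] for e in burst
                                      if e["result"] == "OK")
                break
    return flagged
```

The accounts listed under a flagged source are the ones whose owners re-used a leaked password and should be forced through a password reset.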
Bottom line: don’t re-use your email account’s password! And be very careful about recycling passwords in general.
Back to the original question: there’s basically nothing you can do about a hacked email account. If you can still get in, you should change your password immediately, of course, but the cow’s already out of the barn. It happens so often that the major mail providers (Hotmail, Gmail and Yahoo Mail) have web sites set up with advice about how to cope with the problem, but the bottom line is that there’s basically nothing you can do.
Live Wire is Phuket Gazette columnist Woody Leonhard’s weekly snapshot of all things internet in Phuket.
Follow him on Twitter: @PhuketLiveWire; “like” pages at facebook.com/SandwichShoppe; and facebook.com/phuketgazette.net.
— Woody Leonhard