Networking Notes: Playing the Password Game

By Michael Hall | Posted September 24, 2007

Don't think paying attention to how you construct your passwords is that important? Check out this tale of public humiliation at a company called MediaDefender

Here's the story:

MediaDefender is a company that specializes in file sharing. It doesn't actually share files: It makes life hard for people who do. Sometimes that involves planting files on p2p networks that aren't what they claim to be (aka "cuckoo eggs") with the hope that the files will proliferate faster than the actual songs. Other times that involves keeping tabs on file-sharing networks and alerting clients to new material.

What's That Term?
Not sure what a particular networking term means? Check out the searchable PracticallyNetworked Glossary.

For more help, don't forget to try one of our PracticallyNetworked Forums.

Much of the company's inner workings were exposed last week when more than 700MB of internal messages stored in a Gmail account held by one of the company's employees were leaked. The messages were distributed over file-sharing networks, and sites like Ars Technica are slowly sifting through the stockpile. All sorts of details have already been exposed through the compromise, including spreadsheets with salaries and other employee information such as social security numbers and home addresses. It's a PR nightmare for the company, and it's a privacy nightmare for its employees.

How were the messages compromised? There are plenty of ways to do that. Ars Technica suggests a fairly obvious:

One popular theory holds that the MediaDefender employee probably used his Gmail login to sign up with one of the file-sharing services he was monitoring, and used the same password as on his Gmail account. Then, so goes the theory, someone with administrative access to the account traced his IP address to MediaDefender, and then either decided to log in and take a look at the the employee's e-mail or provided the login information to a hacker.

That laughter you hear is the marketing departments in security companies that specialize in blocking workplace access to Web services like Gmail, who will be pleased to add this to their list of scare anecdotes. Maybe they should, but the nature of the compromise, if that was truly the angle of attack, suggests that any company without a password complexity policy that makes reusing passwords too painful to contemplate could be similarly compromised. But we all know that, and that's why every Web service, e-mail account and workplace sign-on we use has a unique password, right? Right?

Most people are aware of how poor their password regimen is: Lots of people have only one password, plenty have two (one for important things like e-mail and one for less important things like newspaper site sign-ons), a few probably have three or more, especially if they have access to servers.

Because IT departments frequently say that writing down a password is bad, we're taught early on that we need to do the impossible to use the many services they might encounter over the course of the day: Create and memorize a unique password for each and every one.

For starters, those preaching the "no-writedowns" gospel are probably wrong to do so. Security expert Bruce Schneier approvingly cited a Microsoft Senior Security Strategist who said as much:

"We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

But there's another way to handle multiple passwords that lets you remember just one master password while generating unique passwords for every site or service you use.

You can check it out in its simplest form at the homepage of Nic Wolff, a New York City programmer who admitted his own weakness for weak passwords and set out to remedy it with some Javascript and ingenuity. "I feel stupid," he wrote, "knowing that one SQL Server exploit or disgruntled admin could cost me my whole identity."

So here's how it works:

  • Think up a root password. It can be a tough one because it'll be the only one you need, but you definitely need to remember it.
  • Visit the password generator page
  • Fill out the form using your master password and the name of the site you're registering for.
  • Get a password unique to that site thanks to a cryptographic hash generated from the password and site name.

So, suppose my root password is something hard to guess. We could use, for instance, the old "first letter of each word in a book title" trick. I so happen to have Leonard Nimoy's classic "I Am NOT Spock" sitting here. It's only four letters on its own, so we'll add the "L" and "N" from "Leonard" and "Nimoy" to the beginning and throw in an exclamation mark at the end to give it a little extra trickiness: lnians!

Perfect. It's not an actual word, which is good. And I know that book will never leave my sight, so I'll always have a discrete reminder.

So we take our new root password to the password generator form and try it out for a couple of sites:

When we feed it our root password and use "practicallynetworked" as the site, we get "^16searchable17^1a" as our new password. When we feed it our root password and use "gmail" as the site, we get "q2fS0i0r1a."

Those are both tough, secure passwords (and the script slipped in a "1a" at the end of each to meet the requirements for at least one number some sites have). In addition, nothing about one gives away anything about the other. So if you're an executive for a bustling anti-p2p company who runs afoul of some malicious hackers and a torrent site admin with an axe to grind, your Gmail password remains safe.

If you're sold on the approach, you might have already thought up the one big drawback: Those passwords are really hard to remember, which means you either return to that site every time you need to remember your password, or you write them all down (which is OK if you do it responsibly, but we're trying to avoid that).

I don't like the thought of going back to that site over and over and over, either, so it's a relief that people have taken the idea and run with it.

The author provides a bookmarklet, for instance, that allows you to generate and retrieve passwords without leaving the site you're visiting.

And there's the Password Composer page, which provides not only a Web form and bookmarklet, but a shell script in case you're using a Linux or Unix terminal, and a Greasemonkey script for Firefox users.

Or just try writing all your very complex passwords down on a piece of paper you keep in your wallet. That guy from MediaDefender is probably wishing he had.


Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date