Article

Re-using passwords

...or how I lost my Spotify account and acquired a taste for Spanish music!

I like to think, as an IT professional, I have kept good practices regarding account security, but this year I suffered a compromise on one of my own accounts. My downfall in this case was that I re-used a password across just 2 sites years apart. Let me explain…

Password Storage

When you trust a website with your password it gets saved in their giant database of passwords. Using Facebook as an example, they have nearly two billion users now. That’s two billion users’ passwords that need to be stored securely.

To store a password safely and ensure nobody can read it, it needs to go through a hashing algorithm. This hashing algorithm essentially turns your password into a bunch of meaningless characters that appear to bear very little relation to your password! This algorithm is designed to only work one way, meaning once the data is hashed it cannot be reverted to your original password. This stops anyone with access to this database being able to view your password. Each time you log in the algorithm runs against your password and if the output matches what is in the database, voila! You’re allowed to login, it’s as simple as that. Using a one-way algorithm means your password is always stored securely.

Unfortunately, not all websites follow this best practice. Some even store your password in plain text, meaning anyone could see it if they had access to the database! You may often be able to tell if this is happening. If you receive an email with the password you just created in it, or if you use the ‘forgot your password’ feature and they just email it back to you, they aren’t following good practice!

My Experience

Fast forward to 2017, I’m sat listening to Spotify in my front room and it keeps cutting out. I’m hitting play again but it keeps happening. I pick up my phone and launch the Spotify app, only to notice that I’m playing a different song through a Sony phone. Hang on, I don’t even own a Sony phone! It’s also a song I don’t recognise and yet is part of a playlist I own? I browse through my playlists and see that I seem to have a huge number of new playlists, and interestingly and slightly disappointingly, all of Spanish origin!

At that moment, I knew my account was compromised. I logged in online and changed my password, kicked off the sessions that weren’t my own and secured my account once again by changing the password. Fortunately, my email and password hadn’t been changed at this point as they didn’t have access to my email, this person was just revelling in the use of my premium Spotify subscription!

So how could this happen?

I quickly ran a search to see if any websites had been breached recently that I may have re-used passwords on. Bingo.

Back in May 2016 LinkedIn had had a breach of 164 million email addresses and passwords. The data was compromised back in 2012, however this was found for sale on the dark market 4 years later. Now, it’s available to download freely from multiple websites.

LinkedIn had not followed any good practice when storing passwords, they weren’t properly hashed meaning they could easily be reverse engineered. Within hours somebody had reversed all 164 million emails and passwords, to do with what they wish.

LinkedIn responded by making users change their passwords, however for people who had re-used this password elsewhere it was compromised and in the open for anyone to view.

Whilst I use a password manager that ensures I don’t use duplicate passwords, this data was compromised back in 2012. I had re-used the password assuming it was safe to use again in 2017. This was not the case!

Protecting your passwords

Given the popularity of LinkedIn with business professionals, a data breach like this can have huge repercussions. Imagine 1% of your staff use the same password on their LinkedIn profile as they do on the internal IT systems. How many would quite easily have their account compromised?

An attacker can export the list of email addresses and passwords from these breaches and script this to repeatedly attempt to login. External facing services are prime targets to this sort of attack allowing a hacker to gain access to your internal infrastructure.

Lessons Learned

There are several ways to easily avoid this type of attack.

  1. Enforce a strong password policy. This means enforcing the use of different case, symbols and numbers combined with actively forcing users to change their password if there is any suspicion this could be compromised. After each password change, previous data breaches that include it are now significantly less effective.

  2. Use separate passwords for all services. With the use of a password manager this is now feasible. Using a separate password for every account means even if one is compromised, no other passwords will be affected and allows you to generate completely random passwords that nobody could start to guess.

  3. Get alerts on breaches & become proactive. Major data breaches are often known about very quickly, because of this they are now being publicised!

The National Cyber Security Centre provides guidance on securing and simplifying your password approach.

Curious if your account, or even Domain has been subject to a breach? Why not use https://haveibeenpwned.com/ . This is a non-invasive check and does not give away passwords, but does show you if your email or domain users may have compromised passwords.

If so make them aware and change it! Education is key.

Are my Fridge and Toaster talking about me behind my back?

08 September 2017 , Durham Office