Saturday 11 August 2012

I changed my password

I have a zillion passwords. I suppose I ought to try to be a bit more precise than that - I have more than 200, and possibly (but not definitely) less than a thousand. This is because I look after a lot of servers, and I have accounts on lots of web sites.

How do I handle this?

Like a lot of people, I use the same username/password in a lot of different places. And, unlike a lot of people, I keep track of my passwords by writing them down. Yes, I know almost everyone tells you not to do that, but I've been telling people to do exactly that for about 25 years.

So when I read this I was taken aback. It's a long and sad story, but the summary is:

He lost everything on his iphone, his ipad and his imac.
Someone else had control of his email and his twitter account. And started making some really horrible tweets in his name.

How did it happen? The link gives the details, but roughly, it went like this; let's pretend we're hacking Mr Happy.

1. Get Mr Happy's billing address. It's not that difficult to get someone's address, people don't try to keep it secret.

2. Get Mr Happy's credit card number. Now this is something that people know that they shouldn't give out, but ...

 2.1 Call Amazon, tell then you want to add a credit card number to Mr Happy's account. You'll need to tell them the name on the account, an associated e-mail address, and the billing address.You could use a real card number, or you can make up a number that passes the checksum test; you won't be trying to spend money on this card.

2. Wait a minute, and call Amazon again. Tell them you forgot your password, give them Mr Happy's name, address and the new crewdit card number you just added. Now you have access to Mr Happy's Amazon account. And that lets you see the last four digits of Mr Happy's real credit card.

3. Now call AppleCare.  Give Mr Happy's name, address and those last four digits. AppleCare are now convinced that you're Mr Happy, and they'll give you a login password to Mr Happy's account.

If Mr Happy is using Find My Mac then you can do a remote wipe of Mr Happy's computer, iPhone and iPad. And because you have Mr Happy's email under your control, you can ask other services to send a password reminder to that address.

Apparently, Apple and Amazon have since then changed their policies on giving out passwords. But you can bet that there's plenty of other services that make it easy for people who have forgotten their password. So I wouldn't be surprised if a method like this still works, with different services.

Lessons to be learned.

1. Don't assume that people running services understand about security. I know that banks don't seem to, I've written about this before. So why would anyone else?

2. Don't assume that anyone else is going to bail you out when you get into trouble. And do assume that companies running services will happily give out your password on the slenderest of evidence that you are who you say you are.

So, as I said in the title to this blog, I've just changed my password. I've only changed one of them, but it's one that would cause me a lot of grief if it got out. I use it for some very important logins, and I've probably let it "creep" over the years, using it in places that I probably shouldn't have. So, I've changed it now, and I feel a bit happier.

Unlike Mr Happy.


  1. Hey, Doc,
    What did you change it to?

    1. I changed it to "cupevilin"

      I heard of an experiment whereby people were stopped in the street and offered a bar of chocolate in exchange for their office password, and some number accepted the offer. The people doing the survey were surprised.

      I wasn't.

      I'd have accepted like a shot. There's no limit to the gullibility of some people.

  2. A few thoughts on this.

    1 we are human and this means
    a) we can't remember much
    b) we are lazy and dont want to remember

    2 We tend to use the same passwords due to 1a & 1b above, and also the fact we dont want to write them down.

    3.With a simple mathmatical solution it is possible to write your passwords down in a code form.

    4.You do need to change passwords often

    5.You also need to use fictitous names and details, very much like you mentioned on an earlier posting.