The great password scandal

26/11/2009 | Filed under Discover > Security

You wouldn’t let your bank give your PIN to a stranger, but some sites are taking a similarly cavalier attitude to security, warns Paul Annett of Clearleft

Before reading this feature, please pause and take a few minutes to send me your email address and password. I’m doing some research to see how many of my readers are friends-of-friends. I’ll only log in to your account to look at the address book. Honest.

No? You’d be surprised how many people happily do this via websites each and every day.

Last September, a service called My Name is E launched, promising to solve the ‘social network portability’ problem – taking the hassle out of adding friends on social networks by aggregating your friend lists onto one site. You could add a friend on My Name is E, which would then update your contacts across the other sites. Nifty, eh?

People were quick to sign up, eagerly handing over multiple usernames and passwords so My Name is E could do its stuff. Judging by the number of recommendations it was receiving on Twitter, it was clearly an outstanding service. But there was something odd about these messages. Every recommendation was phrased the same: “I’m now using My Name is E to add friends to my Twitter account! More info on http://hellomynameise.com”.

It soon became apparent that My Name is E was logging in to Twitter as each of its users and sending these recommendations as them, but without their permission or knowledge. “The autotweet was a kind of viral marketing, implemented by one of our developers for teasing our followers on Twitter,” says Andreas Creten, My Name is E’s lead developer. “Unfortunately, we forgot to disable the feature before we launched.”

The backlash was immediate, with angry complaints on Twitter and customer support forums. “We disabled it as soon as users started complaining,” says Creten. “We were surprised at the response – it was a good lesson. Since we had people’s passwords we could take full control of their accounts, but people don’t like it when someone else uses their account to do something.”

Many of them not only felt angry at My Name is E, but also embarrassed that they were so publicly outed as being careless with their passwords. A typical message on Get Satisfaction came from Paul Downey, chief web services architect at BT: “Thanks for making me look and feel stupid – it’s me that gets to Twitter, not your password phishing bots!” Says Twitter’s API lead, Alex Payne: “We’ve always advised users to only give their passwords to websites they feel they can trust. Any website runs the risk of compromise, so giving out your credentials is always a gamble. There’s little risk in using a desktop Twitter client, but we’ve cautioned users against handing out their passwords to web-based services that are higher-value targets to attackers.”

You may be thinking that this is no big deal. After all, it’s only a Twitter password, not your bank details. But this thinking is flawed. “[Hypothetically] we could easily have logged into people’s mail accounts, intranets ...” says Creten, referring to the fact that many people reuse the same login details across different sites. And in many cases, if an attacker has access to your email account then they have access to all your accounts, because that is where your registration details and password resets for other services are sent.

Yet the “give us your email username/password to add your existing friends on this site” routine is becoming more and more common. Twitter does it. So do Get Satisfaction, LinkedIn, Yelp, Plaxo, Ning, FriendFeed, Orkut and iLike. Hell, giants like MySpace and Facebook do it. They can’t all be wrong, surely? Jeremy Keith, technical director of user experience consultancy Clearleft, is unequivocal: “The message is being sent out that it’s okay to hand out passwords from one site on a completely different site. If – or should I say when – this practice becomes commonplace then phishing and identity theft become so much easier: it teaches people how to be phished.”

“That should be rephrased ‘has taught users how to be phished’,” argues Simon Willison, technical architect at Guardian News and Media. “The Facebook thing isn’t a smart way of connecting members, it’s a horrible precedent.” Indeed, it’s such a common design pattern that it’s often the only way developers consider for retrieving a list of contacts from your address book. But there are alternatives, the most lauded being OAuth. Alex Payne explains how it works for users authorising a third-party app with Twitter:

  1. You download a new Twitter client.
  2. You fire it up; it redirects you to twitter.com
  3. If you haven’t already, sign in to Twitter.
  4. If you trust the application, allow it to connect to your Twitter account.
  5. Bounce back to your Twitter client, which is now ready to use.
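The exchange behind those five steps, as an added example that is not part of the original article and not Twitter's or My Name is E's code: an in-memory stand-in for the service provider and the client side of OAuth 1.0a (the revision that added the oauth_verifier), with requests signed by HMAC-SHA1 as specified in RFC 5849. The host twitter.example, the consumer key and secret, the user ‘alice’ and her password are all made up for the demonstration. The point to watch is where the password appears: only inside Provider.authorize, the stand-in for the login page at twitter.com. The client is issued tokens the provider can revoke; it never sees the credential.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):  # RFC 5849 section 3.6 encoding: only unreserved characters stay bare
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 section 3.4.1: encode, sort by key then value, join with '&', encode again,
    so a '&' or '=' inside a value cannot pass as a separator. oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret '&' token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed(method, url, params, consumer_secret, token_secret=""):
    """Client-side helper: the same parameters with oauth_signature attached."""
    return {**params, "oauth_signature": sign(method, url, params, consumer_secret, token_secret)}

def oauth_params(consumer_key, token=None, **extra):
    """The oauth_* parameters every signed request carries. A real provider uses the nonce
    and timestamp to reject replays; this toy does not check them."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time()))}
    if token is not None:
        params["oauth_token"] = token
    return {**params, **extra}

class Provider:
    """Hypothetical in-memory service provider standing in for twitter.com."""
    def __init__(self):
        self.consumers = {}       # consumer_key -> consumer_secret, issued when an app registers
        self.users = {}           # username -> password; only the provider ever holds this
        self.request_tokens = {}  # temporary token -> {secret, consumer, user, verifier}
        self.access_tokens = {}   # long-lived token -> {secret, consumer, user}

    def _signed_ok(self, method, url, params, token):
        consumer_key = params.get("oauth_consumer_key")
        if consumer_key not in self.consumers or token["consumer"] != consumer_key:
            return False  # unknown app, or a token that was issued to a different app
        expected = sign(method, url, params, self.consumers[consumer_key], token["secret"])
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))

    def request_token(self, method, url, params):
        # Step 2: the client proves it is a registered app and receives a temporary token
        consumer_key = params.get("oauth_consumer_key")
        if not self._signed_ok(method, url, params, {"secret": "", "consumer": consumer_key}):
            raise PermissionError("bad consumer signature")
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, username, password):
        # Steps 3 and 4: the user signs in at the provider and approves the temporary token
        if self.users.get(username) != password:
            raise PermissionError("login failed")
        entry = self.request_tokens[token]
        entry["user"], entry["verifier"] = username, secrets.token_hex(8)
        return entry["verifier"]

    def access_token(self, method, url, params):
        # Step 5: the approved temporary token plus its verifier is swapped, once, for an access token
        entry = self.request_tokens.pop(params.get("oauth_token"), None)
        if (entry is None or entry["user"] is None
                or not hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", ""))
                or not self._signed_ok(method, url, params, entry)):
            raise PermissionError("request token not authorised")
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": entry["consumer"], "user": entry["user"]}
        return token, secret

    def api_call(self, method, url, params):
        # Every later call is signed with the access token secret; the provider maps token -> user
        entry = self.access_tokens.get(params.get("oauth_token"))
        if entry is None or not self._signed_ok(method, url, params, entry):
            raise PermissionError("invalid access token signature")
        return entry["user"]

def run_flow(provider, consumer_key, consumer_secret, username, password):
    """Client side of the five steps. `password` goes only to provider.authorize, standing for
    the user typing it into the provider's own login page; the client holds only tokens."""
    site = "https://twitter.example"  # hypothetical host, not a real endpoint
    url = site + "/oauth/request_token"
    rt, rt_secret = provider.request_token("POST", url, signed("POST", url, oauth_params(consumer_key), consumer_secret))
    verifier = provider.authorize(rt, username, password)  # the browser round trip
    url = site + "/oauth/access_token"
    p = signed("POST", url, oauth_params(consumer_key, rt, oauth_verifier=verifier), consumer_secret, rt_secret)
    at, at_secret = provider.access_token("POST", url, p)
    url = site + "/1/account/verify_credentials.json"
    return provider.api_call("GET", url, signed("GET", url, oauth_params(consumer_key, at), consumer_secret, at_secret))

def demo(password="correct horse battery staple"):
    provider = Provider()
    provider.consumers["example-client"] = "client-secret-3f9a"
    provider.users["alice"] = "correct horse battery staple"
    return run_flow(provider, "example-client", "client-secret-3f9a", "alice", password)
```

Call demo() to run the whole dance. A wrong password fails inside the provider before the client has anything; a temporary token that the user never approved, or that is presented without its verifier, cannot be exchanged, which is the hole the verifier was added to close. Revoking the app on the provider side means deleting one access token, not changing a password.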

Payne says: “The Twitter API started out with an authentication model that used a web standard, HTTP Basic Authentication, and allowed developers to get started without much fuss. But now that the community has spoken out in favour of a token authentication system, we’ve provided one.”

“Our beta testers reported it took minutes to get set up with OAuth. So unless you’re developing on a platform that lacks high-quality OAuth client libraries, it should be very easy [for existing third-party apps] to make the transition.” Although Twitter is embracing OAuth for third-party access to its own data, it still asks for webmail usernames and passwords to get at users’ contact lists. Google, Yahoo and Microsoft all offer viable alternatives, but there’s no word from Twitter that it’ll be changing its own bad practice on this front any time soon.

“[The need for] access to Google, Yahoo and Microsoft’s web-based email services is used as justification for the majority of instances of this password anti-pattern,” states Keith. “Now that they all offer alternatives, the only reason for abusers not to switch to using the official APIs is development time and priority.” OAuth is a step towards web users relearning the necessity of personal prudence and password hygiene.

Our friends at My Name is E are upgrading each of their services to use OAuth, where it’s available. “If the social network that we’re integrating with supports OAuth, we now use OAuth for sure,” Creten reassures us. “At the moment we have Twitter, YouTube, PICNIC, Soocial and Brightkite – they will all be transformed to OAuth services.”

Developers would be wise to seek out OAuth and similar solutions for their projects; for too long we’ve been taking the perceived easy route of using the “password anti-pattern”. Users have become completely vulnerable to phishing attacks, which deliberately exploit the very same design pattern. They don’t know any better: we’ve taught them not to question it, so we owe it to them to make amends.


How to remember passwords
Here’s an easy way to keep dozens of secure passwords safe in your head …

The most secure place to store passwords is inside your head. Unfortunately, it’s a pain to remember multiple passwords, so many people end up using the same username and password combination across a range of different websites.

A good password should be easy to remember but hard to guess. So how do you come up with a secure username and password combination that’s different for each site that you use?

The trick is to choose a single word or memorable key sequence, then apply a simple formula to it relative to the site you’re logging in to. It’s best to include a number for added security, and because some sites require a combination of both letters and numbers in a password. Here’s an example.

I’ll choose the word ‘artich0ke’ as my base password (I’ve replaced the ‘o’ with a zero), then modify it for each website I use it on by adding the first three letters of the service name. My Google account password would be ‘artich0kegoo’ and my Twitter password would be ‘artich0ketwi’, etc.

Try not to include any special characters in your password. You want your formula to fit all sites; needing to remember a different formula for each site defeats the point. Bear in mind, too, that the site-specific part is easy to spot: anyone who learns one of these passwords can read the pattern off it and try the others, so the scheme is only as strong as the least trustworthy site you use it on.
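As an added example (not part of the original sidebar), here is the formula above in code, beside the step an attacker takes with it, beside a keyed one-way derivation that does not have the problem. The base word is the article's; the HMAC-SHA256 scheme, the 12-character length and the master secret are assumptions for the demonstration. Because the suffix is just the first three letters of the site name, anyone who sees one formula password can recover the rule and produce the rest; a keyed hash of the site name gives unrelated-looking outputs from which neither the master secret nor a sibling password can be read back.

```python
import hashlib
import hmac
import string

BASE = "artich0ke"  # the sidebar's example base word
ALPHABET = string.ascii_letters + string.digits  # letters and digits only, as the sidebar advises

def formula_password(site):
    """The sidebar's scheme: base word plus the first three letters of the service name."""
    return BASE + site.lower()[:3]

def guess_from_leak(leaked_password, leaked_site, target_site):
    """The weakness made concrete: from one leaked password and the site it belonged to,
    spot the site-derived suffix and produce the password for another site."""
    suffix = leaked_site.lower()[:3]
    if not leaked_password.endswith(suffix):
        return None  # the formula does not fit; nothing to learn from this leak
    return leaked_password[:-len(suffix)] + target_site.lower()[:3]

def derived_password(master, site, length=12):
    """Hypothetical keyed one-way scheme: HMAC-SHA256 of the site name under the master
    secret, written out in base 62. Outputs for two sites share no visible structure, and
    a leaked output does not reveal the master, so guess_from_leak has nothing to work on."""
    digest = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    if not any(c.isdigit() for c in out):  # sites that insist on a digit: force one, deterministically
        out[0] = string.digits[digest[-1] % 10]
    return "".join(out)
```

One design caveat worth knowing before using anything like derived_password: because every output is a pure function of the master and the site name, you cannot rotate a single site's password after a breach without changing one of those inputs; in practice that means appending a counter to the site label (google-2) and remembering it.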

 

Comments

Lawrence / 27/11/2009 / 08:13 / http://www.architxt.net

Paul, thank you for this article!

It's about time the media put the spotlight on what is very bad practice: asking people for their login credentials to third-party websites.

Look at what Facebook have to say in their terms:

"You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account."

But it doesn't stop them from asking people's Gmail, Yahoo and Hotmail logins via their Friend Finder function. Most social networks do the same, as you have pointed out.

The risk is that people get used to this and think it's safe. Until they do the same on some spoof social network and give away their credentials.

I posed this question to Mozelle Thompson, a former FTC Commissioner and a legal consultant at Facebook, who gave a talk where I work. His answer was that it's a useful tool, that Facebook can be trusted and that ultimately it's up to individual users to make that judgement call.

I've blogged about this last month: http://www.architxt.net/blog/new-media/is-facebook-helping-phishers-hack-email-accounts/

I wonder if webmail providers can stop this kind of practice at their end. Perhaps they don't want to?

I've blogged about remembering passwords too:
http://www.architxt.net/blog/miscellaneous/remembering-password/

Jim / 27/11/2009 / 14:45

With the password scheme outlined in the article, if you know one site's password, other sites' passwords are easy to guess - it's no great leap to get artich0ketwi from artich0kegoo... So it's not really that much better than a single password!

rayna diane / 30/11/2009 / 16:12 / http://blog.raynadiane.com

i can and can't believe that My Name is E used people's twitter accounts for their own viral marketing campaign. i guess i should say, i don't want to believe it.

i definitely don't believe they "forgot" to turn off the campaign before they launched. they pushed the envelope to see how far they could go and then oh, we're sorry. shucks, did we do that? no, they knew.

think about how much stuff is on facebook about you, how much you reveal. and how many people are you friends with that you don't really want to be friends with but you are anyway and so they know about your life too. i don't even mark who i'm in a relationship with or who my parents are. if i want you to know that, you will. i realize you give up something of yourself just by being on one of those sites but i try to limit what i share as much as possible.

i think it's hard to keep track of everything we do in this social media world but hold onto those passwords. my boyfriend doesn't even share his computer password with me nor does he know any of mine and if people won't share on such a personal level, why would you share it with a site you don't even know?

Martin / 30/11/2009 / 17:33

This is also a problem when using personal financial management apps, such as Mint.com.

The banks' web services that Mint uses to sync users' statement records with the app don't implement OAuth. So the user has to enter their credentials in the app (on Mint), not on the bank's site. Even though the connection to the web service uses SSL (that is, is secure), Mint “knows” the users' credentials. That's a great security fail, isn't it?

This is another typical situation where OAuth is needed but not used.

Good article by the way!

Erik Swanson / 16/12/2009 / 21:11

Your little minihash method for how to remember passwords is almost as flawed as using the same password for every site.

A better way is to add a math element. Like, start with a long word like PICKLEDartich0kes. Then in place of the "0" put in the square of the number of letters in the domain you're visiting. So twitter would be PICKLEDartich49kes. Even better, come up with a simple formula that would be hard to parse, like 2(number of letters+9).

mike / 07/02/2010 / 16:57 / http://www.displayboothschronicles.com

hi Paul,
Good suggestion on how to have a unique but memorable password for each site. If people (i.e. Erik above :) ) are worried that it is too easy to crack, because "goo" is obviously google, hence for yahoo you would substitute "yah", well then, you could have your password, i.e. idi0t2010 and then add the letter after the last letter of the website, so for google it would be the letter after e which is f, and your password is idi0t2010f. Figure that one out, Erik! :)
Darn, maybe I just gave away my new password scheme. :D
mike

nigel / 23/02/2010 / 17:05

what annoys me is that talking to some technical departments of service providers they seem to know and have access to your password anyway. so 1) they know your password and 2) if you have a system they can guess that too
