Monday, June 10, 2013

PSA: Use Different Passwords On Different Websites

Let's say you use Drupal software (or some other product, it doesn't really matter, but let's say it's Drupal),

  • and you have an account at drupal.org,

  • and the password you use on Drupal is the same password you use other places, like your email service (but not your bank, you're not stupid),

  • and you have also given that email address to other websites (say, for example, your bank... it's OK to give your email address to your bank).
Now, let's say Drupal is hacked (which it has been, see below),
  • and let's say the hacker got your email address (which they did),

  • and they got your Drupal password in clear text (which Drupal says didn't happen, but let's say they're lying),

  • and the hacker signs in to your email service with your email address and your email-same-as-Drupal password

  • and then he... it's politically correct to call evil-doers "he", isn't it? ...he changes your email password on your email service


  • so now he can read your email but you can't

  • and then the hacker takes a guess at which bank you use (and gets it right... there are only so many banks out there)

  • and he clicks on "Lost password?" on your bank website

  • and he gives them your email address

  • which the bank recognizes as a real customer email address (you)

  • so the bank sends out a "Password Reset" email to your email address

  • except it's the hacker that gets the email, not you,

  • and now the hacker signs in to your bank account and changes your bank password and, well, does other stuff.
Like clean out your account, apply for a line of credit, clean that out too, you know...

...banking stuff.

Maybe some identity theft stuff, too.

You thought you were safe, didn't you? You used a different password for your bank because your bank is "important" but all that other stuff (Drupal, email, etc), that's just "stuff", it's OK to use the same password for them, isn't it?

And you always use GOOD passwords, all go0fY-upPer-and-lowercase-and-d1g1ts stuff... what could possibly go wrong?

The solution: Don't use the same password on more than one website


BTW, PSA means "Public Service Announcement", which is what this has been.


from: Holly Ross-Drupal Association
reply-to: password@association.drupal.org
to: drupal-notify@drupal.org
date: Wed, May 29, 2013 at 4:01 PM
subject: Important Security Update: Reset your Drupal.org Password

Dear community member,

We respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about an incident that involves your personal information. The Drupal.org Security and Infrastructure Teams have discovered unauthorized access to account information on Drupal.org and groups.drupal.org. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

We have implemented additional security measures designed to prevent the recurrence of such an attack, and to protect the privacy of our community members.

The next time you attempt to log into your account, you will be required to create a new password.

Below are steps you can take to further protect your personal information online. We encourage you to take preventative measures now to help prevent and detect the misuse of your information.

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are stored salted and hashed. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted. To make your password stronger:

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email. Also, beware of emails that threaten to close your account if you do not take the "immediate action" of providing personal information.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to password@association.drupal.org.

We regret that this incident has occurred and want to assure you we are working hard to improve security.

Thank you,
Holly Ross
Drupal Association Executive Director


2 comments:

Anonymous said...

Use bank, that offer at least OTP (One time passwords via tokens/sms). Static passwords is obsolete technology today.

Breck Carter said...

@alexyk77: Excellent idea... I can set it up via Google Glass while I scoot around on my Segway! [grin]