Security firm falls victim to password reuse

There is a great deal of discussion at the moment in the security community about the conflict between a group calling itself Anonymous and the security firm HBGary Federal. I just want to highlight one technical aspect of this: the role that password reuse played in the takeover of HBGary Federal and rootkit.com. Password reuse is the common practice of using the same password for more than one account, so that a compromise of the weakest of those accounts becomes a compromise of all of them.

Members of Anonymous have been very forthcoming to the technical press about how they broke into HBGary Federal’s servers. In particular, there is a fascinating article by Peter Bright at Ars Technica providing many of the technical details.

The first step was to go after a lower security system on the victim’s network. From that they captured the stored password hashes of many users of that system. Those passwords had been hashed with unsalted MD5 (as the Ars Technica article describes), so the weaker ones could be recovered cheaply: without a salt, every candidate guess, or every precomputed table entry, can be checked against all of the captured hashes at once. In this case, two employees had passwords that were merely six lowercase letters followed by two digits. With those passwords the attackers could have done some damage to that lower security system, but instead they checked whether the same passwords got them into something more useful. As the article says,

Still, badly chosen passwords aren’t such a big deal, are they? They might have allowed someone to deface the hbgaryfederal.com website — admittedly embarrassing – but since everybody knows that you shouldn’t reuse passwords across different systems, that should have been the extent of the damage, surely?

Unfortunately for HBGary Federal, it was not. Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places [...]

The article goes on to show how they were able to leverage those passwords: one gave shell access to an important server, and the other got the attackers into the company’s email accounts, where they could read everyone’s mail and masquerade as various people.
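To make the cracking step described above concrete, here is an added example of my own (not code from the Ars Technica article, from HBGary or from Anonymous). It computes the size of the six-lowercase-letters-plus-two-digits keyspace, then shows on constructed sample data why unsalted hashes can be attacked in batch while per-user salts force the attacker to redo the work for every account. The user names, passwords and the candidate wordlist are all invented.

```python
import hashlib
import os
import string

# Constructed sample: three users' unsalted MD5 digests, as an attacker might
# pull them from a weakly protected web application. Names and passwords are invented.
SAMPLE_UNSALTED = {
    "aaron": hashlib.md5(b"summer11").hexdigest(),      # six lowercase letters + two digits
    "ted": hashlib.md5(b"monkey99").hexdigest(),        # same weak pattern
    "greg": hashlib.md5(b"7wQ#vL9!pzXr").hexdigest(),   # not in any wordlist
}

# Constructed candidate list standing in for a wordlist or rainbow table.
CANDIDATES = ["password", "letmein", "summer11", "winter10", "monkey99",
              "qwerty12", "abcdef12", "hbgary01"]

def keyspace_size(letters=6, digits=2, alphabet=string.ascii_lowercase):
    """Number of passwords of the form <letters><digits>."""
    return len(alphabet) ** letters * 10 ** digits

def seconds_to_exhaust(rate_per_second, **kw):
    """Worst-case time to brute force the whole keyspace at a given hash rate."""
    return keyspace_size(**kw) / rate_per_second

def crack_unsalted(digests_by_user, candidates):
    """Batch attack: each candidate is hashed once and looked up against every
    user's digest. Returns (cracked, hash_operations)."""
    users_by_digest = {}
    for user, digest in digests_by_user.items():
        users_by_digest.setdefault(digest, []).append(user)
    cracked, ops = {}, 0
    for pw in candidates:
        ops += 1
        d = hashlib.md5(pw.encode()).hexdigest()
        for user in users_by_digest.get(d, ()):
            cracked[user] = pw
    return cracked, ops

def salted_store(passwords_by_user):
    """Defender side: a random per-user salt, stored beside the digest."""
    store = {}
    for user, pw in passwords_by_user.items():
        salt = os.urandom(8)
        store[user] = (salt, hashlib.md5(salt + pw.encode()).hexdigest())
    return store

def crack_salted(store, candidates):
    """Same candidate list, but the salt forces a fresh hash per user per guess.
    Returns (cracked, hash_operations)."""
    cracked, ops = {}, 0
    for user, (salt, digest) in store.items():
        for pw in candidates:
            ops += 1
            if hashlib.md5(salt + pw.encode()).hexdigest() == digest:
                cracked[user] = pw
                break
    return cracked, ops

if __name__ == "__main__":
    print("keyspace:", keyspace_size())
    print("hours to exhaust at 1e9 MD5/s:", seconds_to_exhaust(1e9) / 3600)
    print("unsalted:", crack_unsalted(SAMPLE_UNSALTED, CANDIDATES))
    store = salted_store({"aaron": "summer11", "ted": "monkey99", "greg": "7wQ#vL9!pzXr"})
    print("salted:", crack_salted(store, CANDIDATES))
```

The two weak passwords fall in both runs; the difference is the number of hash operations, which with salting grows with the number of users rather than staying flat. Salting alone is only half of the fix, since MD5 stays fast: a deliberately slow password hash (bcrypt, PBKDF2 or similar) is what makes each of those per-user guesses expensive.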

We can’t say that HBGary Federal would have been safe if only they had used strong, unique passwords for every separate account. They faced highly motivated and skilled attackers who may well have found another way in if exploiting password reuse weren’t an option. But this high profile case does show us once again that password reuse gets exploited in the real world: a weak password on a low-value system is only as contained as the set of other systems it also opens.

The case also shows that if you are still reusing passwords you are in good company. Even security experts sometimes slip up in this regard. Cleaning these things up can be a chore, but to make it easier take a look at these tips about identifying duplicate passwords in your 1Password data. If you have a lot of passwords to update, don’t feel obliged to do it all in one sitting. Just make a dent in it every now and then, starting with the passwords that unlock the most, or the most sensitive, accounts.
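As an added example of the kind of check those tips describe (my own script, not code from 1Password or from this post), here is a small program that reads a plain CSV export of logins with title, url, username and password columns, which is an assumed layout, and reports every password shared by more than one login, ranking the worst offenders by how many different hosts they unlock. The rows are constructed.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. The column names are an assumption about the
# export layout; every row is invented.
SAMPLE_CSV = """title,url,username,password
Webmail,https://mail.example.com/login,aaron,summer11
Support shell,ssh://support.example.net,aaron,summer11
Conference forum,https://forum.example.org/,abarr,summer11
Bank,https://bank.example.com/,aaron,9u$Kq2!zR7mW
Wiki,https://wiki.example.com/,ted,monkey99
Wiki admin,https://wiki.example.com/admin,ted-admin,monkey99
"""

def host_of(url):
    """Host part of a URL, lower-cased; falls back to the raw string so that
    entries without a proper URL still group sensibly."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    return (host or url).strip().lower()

def reuse_report(csv_text):
    """Group logins by password. Returns a list of dicts, one per password used
    by two or more logins, sorted so the password unlocking the most distinct
    hosts comes first. The password is kept only so the caller can act on it;
    print_report() never shows it."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get("password", "")
        if not pw:
            continue
        groups[pw].append({
            "title": row.get("title", ""),
            "host": host_of(row.get("url", "")),
            "username": row.get("username", ""),
        })
    report = []
    for pw, accounts in groups.items():
        if len(accounts) < 2:
            continue
        hosts = sorted({a["host"] for a in accounts})
        report.append({"password": pw, "hosts": hosts, "accounts": accounts})
    report.sort(key=lambda g: (-len(g["hosts"]), -len(g["accounts"])))
    return report

def print_report(report):
    """Print titles, hosts and user names only, never the password itself."""
    for group in report:
        scope = ("across %d hosts" % len(group["hosts"])
                 if len(group["hosts"]) > 1 else "on one host")
        print("password shared by %d logins %s:" % (len(group["accounts"]), scope))
        for a in group["accounts"]:
            print("  %-18s %-24s %s" % (a["title"], a["host"], a["username"]))

if __name__ == "__main__":
    print_report(reuse_report(SAMPLE_CSV))
```

Cross-host groups come first because they are the HBGary pattern: a password from a throwaway forum account that also opens mail or a shell. Run the script on an export you then delete, since the CSV holds every password in the clear.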

Other posts in this series

  1. More than just one password: Lessons from an epic hack (August 19, 2012)
  2. Password reuse strikes again, and a bit closer to home at Dropbox (July 31, 2012)
  3. Friends don't let friends reuse passwords (July 12, 2012)
  4. On password breaches and security processes (June 6, 2012)
  5. Two thirds of web users re-use the same passwords (June 7, 2011)
  6. Tips: How to Find Duplicate Passwords (April 29, 2011)
  7. When websites are breached, 1Password saves the day! (April 14, 2011)
  8. Security firm falls victim to password reuse (February 17, 2011)
  9. xkcd Hits Nail on Head (September 14, 2010)
4 replies
  1. François Joseph de Kermadec says:

    I agree 1Password is a wonderful application in a great many ways, especially in the light of this hack, and I would add we need to think about the human component, too. Can Agile Web Solutions know for sure that none of its employees practice password re-use?

    When it comes to Terminal or Finder, for SSH or SMB logins, 1Password cannot offer auto-fill and the temptation to reuse short passwords in these contexts is extremely high. Auto-fill is the key to low-friction use.

    I believe your post outlines the need for two extra features in 1Password:

    1. Offer system-wide auto-fill, a la TextExpander, knowing this would be a lower-security affair owing to the difficulty of auto-filling anything securely system-wide.

    2. Build the password duplication detection feature into 1Password by default. Special folders are great but users who care enough about password security to create them and make use of them are probably not using duplicates in the first place.

    Still, 1Password is indeed the best thing to have happened to security since Windows XP shipped with its firewall up by default… Keep up the good work!

    • Jeff says:

      François, you are absolutely correct, and we are looking for ways to do what you suggest. In 1Password for Windows we have a terrific auto-type feature that allows people to conveniently enter their password data from 1Password into pretty much any application. We are looking for ways to do this with the Mac.

      You are also correct that we have plenty of users who don’t follow this blog and aren’t going to specifically make use of smart folders to help find duplicates. We do need to find a way to reach these people to make it even easier to find and take care of duplicates.

      Exactly how we achieve these and when is not something we can say at this point, but your comments highlight things that we have been discussing internally.

      Cheers,

      -j

  2. Robert says:

    I just imported passwords from KeePassX to 1Password, which included all of the backup entries. Now I need to go through and eliminate duplicates, merge multiple incomplete entries (each has some valuable information, but none have all of it), etc.
    Is there an easy way to do this? I’m considering exporting the 1password file as text, putting it in my favorite editor, and then (hopefully) re-importing it. However, I’ll lose the ability to sort on various fields.
    What do you suggest?

    • Jeff says:

      Hi Robert,

      Particularly after an import, there will be lots of tidying to do. I spent some time following my own advice over this past week and went through passwords that I’ve had for more than 10 years. (Most of those sites I haven’t used for ages, and several do not exist any more.) Before discovering 1Password several years back, I went through a number of password management schemes, including several of my own making; so I had a terrible mess of things to go through. That was all a lead into my first piece of advice: Don’t expect to take care of everything at one sitting.

      We posted a little while ago about some tips using smart folders in 1Password: http://blog.agile.ws/easily-find-duplicate-passwords-in-your-logins/

      And in one of the comments there, Jamie Thingelstad posted a link to instructions that he wrote up on the topic: http://thingelstad.com/good-passwords-with-1password/

      One thing to keep in mind as you update your passwords on websites is to keep those changes in sync with what 1Password knows about the login. So take a look at our tutorial about changing passwords: http://help.agile.ws/1Password3/change_password.html

      Finally, I’d like to return to my initial point. Don’t get overwhelmed by the process. You will be using some fairly advanced features of 1Password, and as a new user it may be a lot to learn all at once. So take it slowly until you become more comfortable with the tools.

      Cheers,

      -j
