Here, Have the Keys to My Whole Life

October 1, 2009 - 2 Comments

The web was all in a ruckus in late August, 2009.  Embarrassing screenshots of many Facebook accounts echoed, prompting questions of veracity and user adherence to basic security principles.  In fact, everything actually happened last February.  According to Jimmy Ruska’s detailed analysis of the incident, a Christian singles website accidentally allowed the email addresses and passwords of their entire 35000-strong userbase to be exposed.  Many of the users of this singles website used the same password for all of their online accounts.  This enabled the infamously malicious users of 4chan, an online forum that offers and encourages anonymous posting, to access the email, social networking, e-commerce and online payment processing accounts of the members of the site.  The Register has coverage of the attacks, although they neglect to mention when the attacks actually occurred.

This incident highlights how much risk you are taking whenever you use the same credentials at multiple websites.  With many websites using either your email address as your login name or offering password resets via email, it only takes one unintended exposure of its database of login credentials by one website for a potentially significant portion of your life and identity to be stolen and used by miscreants.  Read on for more details about the risks of re-using passwords or using passwords that are easily guessable, and for helpful advice on how you can reduce the risk to you and your business by managing unique passwords or using two-factor authentication.

It is standard procedure among many web services to use your email address which, in effect, constitutes a unique username.  This includes everything from social media, e-commerce, online payment processing and customer relationship management.  Your whole online life, and thus your identity, is linked together by your email address — assuming that you use the same address for all services.  That’s a lot of passwords to remember!  It’s no wonder that people will often have a single “throw away” password for sites they consider unimportant or, worse, just one password that they use everywhere.


Login Screens at Popular Websites

Login Screens at Popular Websites

When you use the same password on more than one web service, you are relying on each and every one of those services to protect your password.  If, somehow, your password is leaked by even one of those websites, your whole online identity is potentially compromised.

The consequences of having your online identity compromised are not limited to traditional identity theft.  Consider the case in the introduction of this post.  For something fun to do on a chilly winter Saturday night, some of the users of 4chan invaded the privacy of a large number of strangers with whom they have differing opinions and publicly humiliated them.

The humiliation was compounded by the online tormentors’ access to their victims’ email accounts.  Many, if not most, online services will allow you to reset your password by email, working under the assumption that you are the only person in control of your email account.  With control of your email account, someone can gain control over the rest of your online accounts, whether you used a good password or not.  In at least one case of the 4chan incident, details of a very personal purchase were shared with the victim’s friends, crossing the line between the fictional and the actual and humiliating the victim.

Cisco Security Intelligence Operations was able to unearth a copy of the password file that was allegedly stolen from the singles website.  To preserve the privacy of the individuals with accounts in the file, no human looked at any of the email addresses.  An analysis of the passwords in this file reveals that a significant number of the users of the singles website in question were putting themselves at risk by using exceptionally weak passwords.  After some basic smoothing of the passwords, removing obvious things like numerals tacked on to the end of dictionary words, 1,701 (4.5%) of the 37,543 unique accounts had one of the ten most frequent passwords.  The twenty most frequent passwords, covering 6% of the accounts, were either entirely numerals starting with 1234 or 7777 or biblical references.

So how can you protect yourself?  Make your passwords difficult to guess, but not too difficult for you to remember.  Google provides some useful guidelines for creating a secure password that should not be too difficult to memorize.  Among other things, they suggest choosing an acronym and replacing letters and syllables with similar symbols.  For instance, if you go a bit silly with Google’s guidelines you can turn “This is a secure password, but it is too obvious” into “t1@5pbi20,” which is memorable, if a bit difficult to type.

If you are not the embodiment of Dustin Hoffman’s character in Rain Man, it is understandable that it would be difficult to remember a different password for every website that you visit.  If you prefer low tech, you can always write down your passwords in a notebook that you keep in a safe place. While this goes against some of the traditional password safety doctrine, you are more secure doing this than you are if you use the same password in multiple places.

For a slightly more high tech but less portable solution, you can use the password manager in your web browser.  Be sure to use a master password to keep your passwords safe — if your computer becomes compromised by info-stealing malware, all of your passwords will be immediately compromised.  There are plenty of encrypted password management solutions available, such as Mozilla Firefox, Password Safe and 1Password.

For the ultimate in high tech, you can use Stanford PwdHash, a website and Firefox extension that generates theft-resistant passwords.  While we do strongly suggest using multiple passwords, if you really want to, you can use one password for everything and PwdHash will reduce the risk of your other online accounts being compromised if one site leaks its theft-resistant password.

You wouldn’t use the same key for your house, your car, your office, your bicycle and your safety deposit box.  If you gave your key to a valet and they made a copy, your whole life could be stolen from you.  Don’t do the same with your online identity and your passwords!

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Web sites that store passwords in plain text should be held criminally liable for this breach. In this day and age, there is no excuse to store a plaintext password.

  2. I’d call these chaining attacks very common, but now asking people to remember multiple passwords seems to encourage writing them down. Especially when you think about change requirements, clearly a better more thoughtful approach is needed.