Passwords: The Biggest Lesson from the Twitter Hack

Submitted by Holly on Tue, 07/21/2009 - 9:32am.

If you use Twitter, go online, or have ears, you've probably heard all about the Twitter hack a week or so ago. Nik Cubrilovic of TechCrunch, who has been corresponding with the person responsible, has shared the details of the hack.

This wasn't one of those sophisticated, sexy hacking attempts that Hollywood likes to make movies about. No, this was a simple game of hack the password. First, the hacker used the "forgot password" feature on Gmail, which revealed that the password recovery message was being sent to the user's backup email address: xxxxx@hxxxxxx.com. The hacker correctly guessed that the address was a Hotmail account and headed there to try to log into it. This is when his luck really kicked in:

This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail, was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.
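The broken chain of trust above is a design problem, not just bad luck: a recovery address is a credential that the service never re-checks, so when the mail provider recycles it, whoever registers it next inherits the reset. The following Python model is an added example, written for this page and not code from Gmail, Hotmail, Twitter or TechCrunch. It replays the chain with constructed dates and contrasts a naive reset flow with one that refuses to lean on a recovery address whose ownership has not been re-confirmed recently. The 180-day re-verification window, the 270-day dormancy threshold, the `.test` addresses and every name in it are assumptions made for the example.

```python
"""Model of a password-reset flow whose recovery address can go stale.

Added illustration only; the providers, thresholds and dates are invented
for the example and the scenario data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: how long a recovery address stays trusted without the owner
# re-proving control of it (e.g. by clicking a fresh confirmation link).
REVERIFY_AFTER = timedelta(days=180)


@dataclass
class Account:
    email: str
    recovery_email: str
    recovery_verified_at: datetime  # last time the owner proved control of it
    last_login: datetime


class MailProvider:
    """Toy mail provider that, like the Hotmail policy described in the
    post, releases dormant addresses for anyone to re-register."""

    DORMANT_AFTER = timedelta(days=270)  # assumed dormancy threshold

    def __init__(self):
        self.owners = {}  # address -> (owner, last_login)

    def register(self, address, owner, now):
        """Grant the address if it is free or its holder has gone dormant."""
        current = self.owners.get(address)
        if current and now - current[1] < self.DORMANT_AFTER:
            return False  # still held by an active user
        self.owners[address] = (owner, now)  # dormant or unused: recycled
        return True

    def owner_of(self, address):
        rec = self.owners.get(address)
        return rec[0] if rec else None


def request_reset(account, now):
    """Naive flow: always mail the reset to the recovery address on file."""
    return ("sent", account.recovery_email)


def request_reset_hardened(account, now):
    """Hardened flow: if the recovery address has not been re-verified
    within REVERIFY_AFTER, demand a step-up check instead of mailing it."""
    if now - account.recovery_verified_at > REVERIFY_AFTER:
        return ("step_up_required", None)
    return ("sent", account.recovery_email)


def simulate():
    """Replay the chain from the post and report who ends up holding the
    reset under each flow. Returns a dict so the outcome can be checked."""
    provider = MailProvider()
    t0 = datetime(2008, 1, 1)
    backup = "victim-backup@example-hotmail.test"
    provider.register(backup, "victim", t0)  # victim opens the backup account

    victim = Account(
        email="victim@example-gmail.test",
        recovery_email=backup,
        recovery_verified_at=t0,            # confirmed once, never again
        last_login=t0 + timedelta(days=500),
    )

    now = t0 + timedelta(days=560)          # backup untouched for 560 days
    attacker_got_it = provider.register(backup, "attacker", now)

    naive = request_reset(victim, now)
    hardened = request_reset_hardened(victim, now)
    return {
        "recycled": attacker_got_it,
        "naive": naive[0],
        "naive_mail_goes_to": provider.owner_of(backup) if naive[0] == "sent" else None,
        "hardened": hardened[0],
    }


if __name__ == "__main__":
    print(simulate())
```

In the naive flow the reset lands in the attacker's freshly registered mailbox, exactly as in the post; the hardened flow notices that nobody has re-proved control of the recovery address in over a year and falls back to a step-up check. Periodic re-verification is not a cure on its own (an attacker who recycles the address right before the check would pass it), but it shrinks the window and, combined with the provider not recycling addresses at all, removes this particular domino.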

More often than not, if you hack one password, you've hacked them all. Right? Raise your hand if you use the same password for three or more online services. Okay, put them down; I can't actually see them.

We've written about the importance of good password habits before. The truth is, very few people are going to be motivated to hack into our accounts. But if they are, don't make it easy for them. Create smart passwords, then make sure you create a different one for each of your services.