Repeat after me: You should not use the same password on multiple websites.
That’s an important lesson that thousands of bloggers are having to learn the hard way, after an extraordinary story broke in Sweden that involves Twitter, politics, password security and allegations that members of the national media were being spied upon.
Here are the facts that we know so far.
Right-wing MP William Petzäll left the Sweden Democrats (SD) party late last month, announcing that he would be an independent member of parliament.
The news came following a very public struggle Petzäll had had with alcohol and prescription drug abuse.
Earlier this week, the 23-year-old politician was forcibly committed into care against his will, as he was deemed to be at risk of harming himself or others.
So far, nothing to do with computer security.
But yesterday, messages began to appear on William Petzäll’s Twitter account making the explosive accusation that SD leader Jimmie Åkesson and party secretary Björn Söder had hacked into the email accounts of Swedish journalists and their political opponents.
I can tell you that Söder and Åkesson had full access to everything that AB (Aftonbladet) and Expressen reporters had in their email for numerous years.
The messages on Petzäll’s Twitter account continued to produce “evidence”, publishing the email addresses and passwords (in the form of MD5 hashes) of leading journalists.
William Petzäll’s lawyer said that his client was not making the Twitter postings, and that he did not have access to the internet where he is hospitalized. In other words, the story from the Petzäll camp is that an unauthorised person has taken over the troubled politician’s Twitter account and is making the controversial tweets.
But then things got even worse.
More than 90,000 passwords and usernames associated with the popular Swedish blog portal, Bloggtoppen.se, have been released – making it easy for anyone to break into accounts belonging to newspaper journalists and politicians.
Things wouldn’t be so critical, of course, if people weren’t using the same passwords on multiple websites.
A stark message currently greets visitors to Bloggtoppen:
Bloggtoppen is closed until further notice for system maintenance due to alleged hacking.
Unknown perpetrators have come across our user database containing usernames, email addresses and hashed passwords. This means that if you have used the same login information for other services on the web, it's likely these accounts could be hijacked. We recommend that all users immediately change the password on all accounts that use the same login information as here.
Further information will be forthcoming when we have had time to investigate and resolve the interference.
Today, the Aftonbladet newspaper has reported that a further 57 websites have also been hacked, and the login details of up to 200,000 people are at risk.
This story is likely to run and run, but what’s important is how internet users respond to the news now. If you’re a computer user – whether you’re Swedish or not – it’s time to learn to use different passwords for different websites.
If you think you won’t be able to remember different passwords, use secure password vaults such as KeePass or 1Password.
Re-using passwords is a security disaster waiting to happen – because if your password gets stolen in one place, your whole online identity may be at risk.
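As an added illustration of why the Bloggtoppen warning matters (example code written for this page, not from the article or from Bloggtoppen; every email address, password and the second site's user table are constructed): with unsalted MD5, a leaked dump can be matched hash-for-hash against any other site that stores passwords the same way, so an operator can find exactly which of its users are exposed by reuse and force a reset, and a site that does salt its hashes can still catch reuse by checking the plaintext at login time.

```python
import hashlib
import hmac

def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the leaked dump used for its password hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed sample leak (not real records): "email:md5hex" lines, the form a
# breached site's table takes when passwords are hashed without a per-user salt.
LEAKED_DUMP = "\n".join([
    f"anna@example.se:{md5_hex('password')}",
    f"bjorn@example.se:{md5_hex('123456')}",
    "garbage line without a separator",
    f"cecilia@example.se:{md5_hex('correct horse')}",
])

def parse_dump(dump: str) -> dict:
    """Map email -> hash; malformed lines are skipped rather than crashing."""
    leaked = {}
    for line in dump.splitlines():
        email, sep, digest = line.strip().partition(":")
        if sep and len(digest) == 32:
            leaked[email.lower()] = digest.lower()
    return leaked

# A second, unrelated site's user table, also unsalted MD5 (constructed).
OTHER_SITE_USERS = {
    "anna@example.se": md5_hex("password"),       # same password -> exposed
    "bjorn@example.se": md5_hex("different-pw"),  # unique password -> safe
    "dag@example.se": md5_hex("123456"),          # not in the leak at all
}

def exposed_accounts(site_users: dict, leaked: dict) -> list:
    """Accounts whose stored hash equals the leaked hash for the same email.
    Unsalted hashes make this cross-site comparison trivial, so an operator
    should force a password reset for exactly these users."""
    return sorted(e for e, h in site_users.items() if leaked.get(e) == h)

def login_reuses_leaked_password(email: str, password: str, leaked: dict) -> bool:
    """A site with salted hashes cannot compare hash-to-hash, so it checks at
    login instead: hash the submitted plaintext the way the leak did."""
    digest = leaked.get(email.lower())
    return digest is not None and hmac.compare_digest(digest, md5_hex(password))
```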
Is LastPass too OK to use? Or does it have any risk?
The risk of using these programs is the way the html form input components are named. For instance, if a site does not use normal naming procedures then the login form is auto filled and submitted and your password would be sent to the server in plain text and anyone who can view the web logs of the server can see the password then figure out your login from the next few entries. In other words, there is a real danger that the login and password can get reversed in the form and auto submitted with some of these type apps. Keepass or Keepassx does this on some sites. As opposed to keeping up with your own passwords which allows you to eliminate the middle man.
The best and easiest program to secure and remember your passwords is called Roboform. It not only encrypts and remembers your passwords, it enters them when requested based on the website you're visiting. I've been using it for years. Read about it at Cnet's Download.com where it has a rare 5 star rating by both the editors and users. Highly recommended. http://download.cnet.com/RoboForm/3000-18501_4-10…
Lastpass is encrypted and works well for me. 😀
I agree with intrepid, why wouldn’t you mention RoboForm? RoboForm is definitely the best password manager, I feel like that is something that everyone knows.
Here's an easy way to have multiple different passwords
1) Choose a password. ie: password
2) Add a capital, number, and symbol. ie: Password1!
3) Add the site name, or nickname for the site it's for. ie: Password1!Twitter. Password1!Google
Unless your twitter and google accounts are hacked, and moreover someone notices you've used the same password but with different sites appended, you're much safer than relying on a single password.
I wouldn't recommend that. If someone works out your formula, you're screwed. Use password management software instead.
Equally if someone captures a single password they can deduce passwords for other sites very easily. Password management software is definitely the best option.
I'm using Password Safe and I always worry when people recommend KeePass in its stead. Am I missing something?
1Password is excellent: you choose what you input, where and how. It handles a lot of other personal info as well, and is available for OSX (Mac) and iOS (iPhone and iPad).
Linux_Hacker has a point, but using a good password app and avoiding sloppy websites makes a big difference, as does encrypted ("secure") browsing.
Whatever you do, there is a risk, but currently the biggest risks are people reusing passwords, using weak passwords and not protecting their password data.