There is a great deal of discussion at the moment in the security community about the conflict between a group calling itself Anonymous and the security firm HBGary Federal. I just want to highlight one technical aspect of this, the role that password reuse played in the take over of HBGary Federal and rootkit.org. Password reuse is the common practice of an individual using the same password for more than one account.
A member of Anonymous have been very forthcoming to the technical press about how they broke into HBGary Federal’s servers. In particular, there is a fascinating article by Peter Bright at Ars Techhnica providing many of the technical details.
The first step was to go after a lower security system on the victim’s network. From that they captured the encrypted passwords of many users of that system. The way those passwords were encrypted allowed weaker passwords among them to be discovered. In this case, two employees had passwords that were merely six letters and two digits long. With those passwords for that system the attackers could have done some damage to that lower security system, but instead they checked to see if those passwords got them into something more useful. As the article says,
Still, badly chosen passwords aren’t such a big deal, are they? They might have allowed someone to deface the hbgaryfederal.com website — admittedly embarrassing – but since everybody knows that you shouldn’t reuse passwords across different systems, that should have been the extent of the damage, surely?
Unfortunately for HBGary Federal, it was not. Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places […]
The article continues to show how they were able to leverage those passwords (one which allows shell access to an important server and the other which allowed the attackers to get into everyone’s email accounts and masquerade as various people).
We can’t say that HBGary Federal would have been safe if only they had used strong unique passwords for every separate account. They faced highly motivated and skilled attackers who may have found another way in if exploiting password reuse weren’t an option. But this high profile case does show us once again password reuse does get exploited in the real world.
The case also shows that if you are still reusing passwords you are in good company. Even security experts sometimes slip up in this regard. Cleaning these things up can be a chore, but to make this chore easier you look at these tips about identifying duplicate passwords in your 1Password data. If you have a lot of passwords to update, don’t feel obliged to do it all in one sitting. Just make a dent at it every now and then.