The Astros and Password Hygiene

Earlier this week, the New York Times reported on the FBI investigation of the Houston Astros’ compromised database and the current suspicion that the culprit are none other than the St. Louis Cardinals. The hacking of Houston’s proprietary in-house information sharing system, called Ground Control, caused major waves last year when Deadspin published excerpts from their internal discussions about players and trade negotiations. The Astros ended up with some egg on their face, and Jeff Luhnow was quoted as saying he was avoiding electronic communication during the early days of the known leak for fear that the Astros’ systems remained unsecured.

What is so shocking about the (alleged) penetration of the Astros’ systems by members of the Cardinals’ front office is that it does not appear to be a high-tech hack: according to the NYT, the likely intrusion vector was Astros’ general manager Jeff Luhnow’s own user credentials, which reused the same password that he had formerly used to access the Cardinals’ own proprietary system (codenamed Redbird) when he worked there.

Targeting credentials of users who reuse the same password to access multiple systems is a popular method of hacking. A surprising number of smart, highly-placed individuals (like Luhnow) often don’t perceive the risk that they take by using the same password across multiple accounts. Hackers look for sites and apps that have poor password security, steal the passwords from those less-secure places, and then test the passwords against higher-security systems. Some examples of poor password security practices include storing passwords in plain text in the database, not encrypting passwords with a one-way hash where the password can’t be taken back out of the database, or using an inexpensive encryption method that can easily be broken by throwing computing power at the problem. (The Cardinals were allegedly able to pull Luhnow’s password out of the database, so Redbird’s passwords were likely either stored in plain text or encrypted using a less-safe two-way encryption technique.)

Reusing passwords across multiple accounts is an example of poor “password hygiene”. As email addresses become increasingly popular as usernames, it has become easier to guess one half of the username-password credentials pair for a user of a site or application. The most effective strategy for proper password hygiene is to use a unique password for every account you have and to use a password manager to securely store those credentials. I use 1Password because it works on Mac, PC, iOS, and Android and stores credentials on my own devices rather than on someone else’s server, but there are plenty of other popular solutions such as LastPass, KeePass, and Dashlane.

An additional strategy for improved security is two-factor authentication (2FA). The idea behind 2FA is that you authenticate yourself with “something you know” (your password), and “something you have” (your phone). The second part can be a text message that’s sent to you when you log in, or a special code that is generated every few seconds that you can use as a sort of second password. Those special codes are generated using a hardware device (if you’ve ever seen an RSA keychain token, that’s an example of hardware 2FA) or by a software app such as Google Authenticator or Authy. 2FA helps protect you against someone stealing your password, because unless they also have your mobile phone, they can’t get into your accounts. Many sites feature 2FA as an option, and the list continues to grow.

My last piece of advice is to rotate passwords on a regular basis. 1Password reminds me when a given password has been in use for too long, and I can go ahead and change it. (It even flags accounts that have had reported breaches, which is a great help.) If Jeff Luhnow had been rotating his password regularly, even though the Cardinals (or whoever the bad guys were) started out with his credentials, they would have lost access whenever he rotated, which helps stop the bleeding of confidential information.

If you think you’re not important enough to be hacked, it can be an ugly surprise to discover that hackers target everyone. The consequences of sloppy hygiene could be your bank account being drained, your Gmail messages or your wedding photos being deleted, or your Facebook account being seized. These things happen to “normal” people every day. The additional effort for a little bit of extra security goes a very long way. The bad guys are often looking for the easiest targets. Making yourself a little harder to attack is the first line of defense.