Exposed Christians a reminder for the use of multiple site passwords

Hackers broke into the Singles.org site last weekend, not only defacing user profiles but also potentially using members' oft-used username and password combinations to gain access to other personal and financial information.

A Christian singles Web site called Singles.org was infiltrated last weekend by hackers, who reportedly absconded with the secret passwords of over 9,000 of its users.

The breach has widely been blamed on the Web site’s security system, which has been described by one outraged blogger as “pathetic… such rampant incompetence that it's in a word, criminal.”

The diagnosis from Trend Micro Australia’s David Peterson was along the same lines.

“Basically, the site was written with no real security on it at all... In this particular case, the term ‘hack’ is probably being a little bit overgenerous to the technical skills of the people involved.”

Peterson explained that, due to the site’s lack of proper authentication protocols, it would be quite easy for anyone to just “hop” from their own account to somebody else’s, armed only with the knowledge of that person’s user ID.

“And that user ID is just a sequential set of numbers. So if your user ID was 10001, if you changed the URL to refer to when the page might be ‘Edit My Profile ID= 10001’ and changed the number to 10002, suddenly you’re inside someone else’s page.”

“And to compound matters, the passwords and email addresses are stored in plain text, so it was a simple exercise [for the perpetrators] to just go through all of them and pick out every single one of the emails.”

As a direct result of this, user accounts on the site were compromised and profile pages vandalized.
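The two flaws Peterson describes, a profile ID taken from the URL without checking who is logged in and passwords kept in plain text, are shown below next to their fixes. This is an added illustration, not code from Singles.org or from the article; the function names, the in-memory store and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os

class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested profile."""

def make_store():
    # Constructed sample data: sequential numeric user IDs, as in the article.
    return {10001: {"bio": "original 10001"}, 10002: {"bio": "original 10002"}}

def edit_profile_unchecked(store, session_user_id, url_id, new_bio):
    # The flaw as described: the ID taken from the URL is trusted and the
    # logged-in user (session_user_id) is never consulted.
    store[url_id]["bio"] = new_bio

def edit_profile_checked(store, session_user_id, url_id, new_bio):
    # Fix: authorise on the server. The session identity, not the URL,
    # decides whose profile may be edited.
    if url_id not in store or url_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not edit profile {url_id}")
    store[url_id]["bio"] = new_bio

PBKDF2_ROUNDS = 600_000  # assumption: tune to your hardware and policy

def hash_password(password):
    # Store a random salt and a slow, salted hash instead of the password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    store = make_store()
    edit_profile_unchecked(store, 10001, 10002, "changed by 10001")
    print("unchecked:", store[10002]["bio"])
    store = make_store()
    try:
        edit_profile_checked(store, 10001, 10002, "changed by 10001")
    except Forbidden as exc:
        print("checked:", exc)
    salt, digest = hash_password("correct horse")
    print("stored record holds no plaintext:", b"correct horse" not in salt + digest)
```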

But according to Peterson, this defacement of people’s profile pages is merely the tip of a dangerous iceberg.

“The problem is that email addresses are commonly used as logins, and people tend to reuse the same logins and passwords for multiple other sites. So, once a hacker gets hold of details via an easily accessed site such as this Singles.org one, it can lead to large credit card bills, strange or offensive emails, and private information being circulated globally.”

According to Peterson, a good, prudent piece of management is to consider having more than one email address and password in operation: “A lot of people have a work email address and a home email address and possibly a Hotmail address as well. Try to keep yourself compartmentalized -- so if you’ve got your social applications which are tied to an email address, do make that different from the email address and password -- at the very least the password -- that you might use for something financial.

“Passwords are regarded as an inconvenience, but when there’s money at stake, do regard that as security and do have different passwords so you’re not exposed to this sort of level of compromise.”

Indi Siriniwasa, ANZ sales director at security firm F-Secure, echoed Peterson’s words, saying there is no excuse for having the same username and password for multiple accounts. “It is stupidity more than anything else,” he said. “It is good practice to have a unique password -- and not names and birthdays -- for different log-ins.”

He also said that, when it comes to passwords, size does matter: “We [F-Secure staff] have 14 digits for everything, which is hard to crack -- and has nothing to do with your day to day life.”

The longer the password, the harder it is and the longer it takes for password-cracking algorithms to be effective, and the greater your chances of staying safe, he said.

Peterson said the best approach is to have three separate sets of passwords, one each for business, finance and recreation. While he acknowledges this may be difficult for some people to remember, he suggests having a different “theme” for each set of passwords as a helpful way for users to remember them, but also to remember to keep them separate.

“Don’t recycle [passwords] between those three compartments because if someone has your password for Facebook today, it might not be your company password today, but it may be tomorrow… Multiple email addresses are not a bad idea, but multiple passwords are the most important thing.”

He believes this is something IT managers should make very clear in their internal policies: that the passwords employees use for their work, which they may be using to access their corporate intranet remotely through VPN, should not be used on the Internet for anything else.

“Because then you risk compromising your company as well, which is not going to make anyone popular… As well as keeping a separation between social and financial, also do keep a separation between work and play.”

“It’s a hard lesson learned for these 9000 or so people. Password access alone is simply not enough to secure a Web site… The key thing is, if you’re putting something out there on the Internet, you always have to be considering security.”

Emma McKinnon

Computerworld