Exposed Christians a reminder for the use of multiple site passwords

Hackers broke into the Singles.org site last weekend, not only defacing user profiles but also harvesting oft-used username and password combinations that could give them access to users' other personal and financial accounts.

A Christian singles Web site called Singles.org was infiltrated by hackers last weekend, who reportedly absconded with the passwords of over 9,000 of its users.

The breach has widely been blamed on the Web site’s security system, which has been described by one outraged blogger as “pathetic… such rampant incompetence that it's in a word, criminal.”

David Peterson of Trend Micro Australia offered a similar diagnosis.

“Basically, the site was written with no real security on it at all... In this particular case, the term ‘hack’ is probably being a little bit overgenerous to the technical skills of the people involved.”

Peterson explained that, due to the site’s lack of proper authentication protocols, it would be quite easy for anyone to just “hop” from their own account to somebody else’s, armed only with the knowledge of that person’s user ID.

“And that user ID is just a sequential set of numbers. So if your user ID was 10001, if you changed the URL to refer to when the page might be ‘Edit My Profile ID= 10001’ and changed the number to 10002, suddenly you’re inside someone else’s page.

“And to compound matters, the passwords and email addresses are stored in plain text, so it was a simple exercise [for the perpetrators] to just go through all of them and pick out every single one of the emails.”
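As an added illustration (not code from Singles.org or from the article), the two weaknesses Peterson describes, with constructed profile records: a profile-edit handler that trusts the sequential ID in the URL beside one that checks ownership against the server-side session, and salted password hashing in place of plaintext storage.

```python
import hashlib
import hmac
import os

# Constructed in-memory data for this example only; IDs follow the sequential
# scheme the article describes. Not Singles.org's real code or data.
PROFILES = {
    10001: {"owner": "alice@example.test", "bio": "hi"},
    10002: {"owner": "bob@example.test", "bio": "hello"},
}


def edit_profile_unchecked(session_user, profile_id, new_bio):
    """The flaw described above: the handler acts on whatever ID is in the
    URL and never asks whether the logged-in user owns that profile."""
    PROFILES[profile_id]["bio"] = new_bio
    return True


def edit_profile_checked(session_user, profile_id, new_bio):
    """Hardened form: authorize against the server-side session identity,
    not against anything the client put in the URL."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        return False  # respond 403 in a real app; do not reveal if the ID exists
    profile["bio"] = new_bio
    return True


def hash_password(password, salt=None):
    """Store a salted scrypt hash rather than the plaintext the article
    says the site kept; a dump then yields no directly reusable passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```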

As a direct result of this, user accounts on the site were compromised and profile pages vandalized.

But according to Peterson, this defacement of people’s profile pages is merely the tip of a dangerous iceberg.

“The problem is that email addresses are commonly used as logins, and people tend to reuse the same logins and passwords for multiple other sites. So, once a hacker gets hold of details via an easily accessed site such as this Singles.org one, it can lead to large credit card bills, strange or offensive emails, and private information being circulated globally.”

According to Peterson, a good, prudent piece of management is to consider having more than one email address and password in operation: “A lot of people have a work email address and a home email address and possibly a Hotmail address as well. Try to keep yourself compartmentalized -- so if you’ve got your social applications which are tied to an email address, do make that different from the email address and password -- at the very least the password -- that you might use for something financial.

Passwords are regarded as an inconvenience, but when there’s money at stake, do regard that as security and do have different passwords so you’re not exposed to this sort of level of compromise.”

Indi Siriniwasa, ANZ sales director at security firm F-Secure, echoed Peterson’s words, saying there is no excuse for having the same username and password for multiple accounts. “It is stupidity more than anything else,” he said. “It is good practice to have a unique password -- and not names and birthdays -- for different log-ins.”

He also said that, when it comes to passwords, size does matter: “We [F-Secure staff] have 14 digits for everything, which is hard to crack -- and has nothing to do with your day to day life.”

The longer the password, the harder it is and the longer it takes for password-cracking algorithms to be effective, and the greater your chances of staying safe, he said.

Peterson said the best approach is to have three separate sets of passwords, one each for business, finance and recreation. While he acknowledges this may be difficult for some people to remember, he suggests having a different “theme” for each set of passwords as a helpful way for users to remember them, but also to remember to keep them separate.

“Don’t recycle [passwords] between those three compartments because if someone has your password for Facebook today, it might not be your company password today, but it may be tomorrow… Multiple email addresses are not a bad idea, but multiple passwords are the most important thing.”

He believes this is something IT managers should make very clear in their internal policies: the passwords employees use for their work, which they may be using to access their corporate intranet remotely through VPN, should not be used on the Internet for anything else.

“Because then you risk compromising your company as well, which is not going to make anyone popular… As well as keeping a separation between social and financial, also do keep a separation between work and play.”

“It’s a hard lesson learned for these 9000 or so people. Password access alone is simply not enough to secure a Web site… The key thing is, if you’re putting something out there on the Internet, you always have to be considering security.”


Emma McKinnon

Computerworld