I participated in a brief discussion on Twitter the other week about being careful how you choose your passwords. Passwords can and will show up in places you don’t intend. When that happens, you don’t want it to cause a problem. Here’s what happened to me once when I didn’t choose a password carefully.
Just because a password meets policy doesn’t mean it’s good
I don’t remember our exact password policy at the time, but it was something along the lines of 12 characters minimum, with at least two upper and lowercase letters, numbers, and symbols. It just happened that a typical e-mail address met the policy perfectly.
Using my previous e-mail addresses would have been easy to remember, but too easy to guess. So I wanted an e-mail address that wouldn’t be quite that obvious.
So I thought of someone I knew. His last name rhymed with “liar” and the guy never told the truth, even when he had no reason to lie. So I changed his last name and added a 01 after his new name. Boom. New password.
How my password turned into a security incident
It happened one Friday. I was minding my own business. I’d just gotten approval to deploy the month’s security updates, so I logged into one of the deployment servers, entered my credentials, and started deploying updates with the reboot suppressed. I got an immediate error on one of the servers, but I didn’t think anything of it. That happened sometimes and for random reasons. I’d circle back to that server after the rest of them completed.
And then I got the e-mail notification. Before I could even read it, my boss was standing over my shoulder.
“Dave?” he said in the questioning tone that always meant I was in a heap of trouble. You know that tone. You never hear it from anyone but your mother and your boss. Well, except when it’s your mother, it’s your full, proper name as it appears on your birth certificate. But I digress.
He didn’t wait for me to respond. “What are you doing?” There may have been a rude word or two between “what” and “are.” There probably was. I don’t remember which ones. Use your imagination.
“Deploying this month’s updates,” I said. “What’s wrong?”
What was wrong was that a logon failure on that server had thrown an error: an attempted logon from AlanLiar01@somedomainthatwasn’tours.org. One of the security analysts concluded this guy was trying to log onto a random server of ours in Japan.
My boss looked up the domain and immediately thought of me. I knew this person because I’d worked there, and my boss had seen my resume a time or two. He told security it was probably something I was doing and he’d get to the bottom of it.
How my password ended up in a login field
The patch deployment tool we used was really good, but it certainly wasn’t bug-free. Whenever I deployed updates, I had to enter credentials for it to use to log into each server. Now the obvious conclusion is that I flipped my username and my password, except I hadn’t. I entered my password, then instructed the software to install all the missing patches on a big batch of servers. Probably at least 25. On 24 of them, the software logged in and started deploying updates. But on one of them, it flipped my username and password. The botched login led to all of that drama.
Security got a good laugh after I admitted it was me. I changed my password right away, and that was the end of it. My boss and security knew there was a guy named Alan I didn’t like, where I knew him from, and had a good idea why I didn’t like him, but in this case, that was the extent of the damage. It could have been worse.
So that’s why you want to be careful how you choose passwords. Even if you’re careful, something beyond your control can expose them, and you never know what conclusions they will lead someone to, or who they’ll offend.
That’s an advantage of random passwords. Random passwords probably won’t offend anyone, because they don’t mean anything. And when they end up in places where usernames belong, they look like passwords and don’t lead to security incidents.