Default Passwords When Common Are Dangerous: Get Rid of Them Now
Default password on your account or email? Default passwords on other people’s email or accounts and you’re in charge? Force a change on all of them. Now. The danger is too high to wait. Really dangerous. Literally, the kind of danger where you need ambulances and the police.
The Mayor of Los Angeles used to read the emails of many people. That was over a year ago. I don’t know if he ever did anything inside anyone else’s account other than read emails, like if he ever sent anything or changed settings. The city had switched to a new email provider, Gmail, and Gmail’s Google set up the accounts, giving everyone who worked for the City a default password. The same password.
UPDATE: The City of Los Angeles has written me. In its letter of , it says the City’s “password controls are functioning and are preventing the concerns that you raised in your letter.” That’s good news and I’m probably not entitled to more detail about their controls. This article goes farther than the letter did, but the letter covered much and that may be adequate. I hope so. The information in this article still applies to other institutions in which passwords are widely the same and widely known.
Having the same password is okay when you’re setting up the system. Like if you’re building an apartment house and while you’re building it all the doors take the same key while the paper hangers finish the wallpaper. Making them all the same lets people have fewer keys, reduces mistakes, saves money, and keeps you on schedule. But when everyone gets their own account, or their own apartment, before going live the new holder must change the default password (or key) to something no one else has, or that’s so rare it’s not worth anyone’s while to try the ones they have.
The problem is that 92% of these email users did not change their default passwords. They could have, but they didn’t. The 92% all had the same password. An interviewer quoted the exact password to the Mayor (probably case-insensitively). This was broadcast on radio. The Mayor publicly confirmed the password. The Mayor said he reads their emails. All of this was broadcast across the nation and into two foreign nations. That’s the emails of over 46,000 people. That’s ridiculously bad.
Can’t they keep the password a secret? One didn’t and it was broadcast. It only took one. And Benjamin Franklin had advice about that. He said that three people can keep a secret if two of them are dead. And we’re talking about over 46,000 people.
Seven and a half billion people, give or take a few hundred million, live on Earth. Some don’t have Internet access. All the rest can hack into all of those emails. We can roughly estimate that four billion people can turn your life upside-down.
You’re not in La-La Land? Doesn’t matter. If you work in New Pebble and they’re using default passwords, stop. Fix it.
It’s likely the Mayor had not studied IT security much (and did not need to) and did not anticipate the consequences of his confirming the password and the model set by his actions. He was well-educated in some subjects and IT security was not much more or less his responsibility than everything else done by the city government under him, in other words, not much. But that didn’t matter. That’s exactly why he had someone who knew the subject and could tell him. Either the problem was solved independently, they didn’t tell him, or he didn’t act properly on it. If they didn’t tell him when it mattered, he should ask why they didn’t. Some people try not to tell their boss bad news. The boss is left in the dark and often stuff gets worse.
I was surprised at the content of the broadcast interview when I listened to it, and I knew it was a security problem, but I didn’t think of most of the implications until beginning to prepare an article. It is alarming.
This applies to all kinds of accounts, including email, retail, personal, business, government, health, banks, discussions, social media, news subscriptions, and cat videos. Many of them allow activities people don’t realize are available. The hackers will realize it. If they latch onto your account, too bad for you. And too bad for a bunch of other people, too.
I’m saying “password”. This applies equally to anything like it, such as a PIN, passphrase, passcode, passkey, or authentication token secret, generically a secret authentication token. Whether that token is generated by machine or human or how long it’s valid doesn’t matter. Whatever. If it’s the same as everyone else’s, get your tools.
Similar situations may occur elsewhere. A Florida water plant had various employees who used software for remotely accessing the system. All of them used the same password. Someone hacked into the system and added lye, a poison, to the drinking water for thousands of people at their homes, except that someone saw the poison coming and stopped it in time. But it shouldn’t have happened in the first place. One view was that accountability was lowered just because of the shared password.
Is It Dangerous?
Danger!? Yes. Here are some of the dangers when everyone’s account has the same password and someone, even someone else without telling you, has made it public:
1. Terrorist organizations can use your account to send and receive emails creating their plots and working out the getaway, and also erase the emails so you don’t see them. They can sit in any country and hack your stuff. ISIS under various names can have a ball. If we’re lucky, you’ll be caught. You’ll honestly deny everything, but you may spend a year in maximum security solitary before a judge sort of believes you and lets you raise bail.
2. Organized crime can do the same thing. Mafias and street gangs like MS-13 might enjoy your email, the one where you give your address. Too bad Joe was murdered and left a widow and two young children. Your picture will help the tabloid sell more newspapers the morning of your arrest.
3. A coworker secretly hates you and wants you gone. Why are you sending your boss’s colleagues insulting emails every Friday afternoon? Your boss told you to stop and he’s had it with your denials. You’ll be escorted by security. If you have any questions, call Human Resources and don’t come back.
4. Child pornography can be sent around, as attachments under workers’ names without their knowledge. There are people who are not satisfied with one or two; they keep hundreds of photos on their machines. They can’t say they just slipped. They won’t bother deleting the porn from your account, since it’s not their account. If you discover it and try to delete it, on many computer systems that won’t work, because even deleted child porn is still there. Prosecutors know how to prove that you were storing and distributing it. Yeah, all the predators deny it.
5. Teens like music, don’t have a ton of money, and think their music wants to be free. They can attach song files to emails from your account and send them everywhere. You’ve never met the kids but copyright infringement facilitation gets you a civil suit anyway. The settlement may be for your savings, your house, and your wedding ring. Maybe you could give your house to Mom and rent it back, but you probably have to arrange that with a lawyer before you’re sued.
6. Love notes might be worth looking at as evidence of sexual harassment, but, if they’re real, the parties could be entitled to privacy. However, should the National Enquirer or your office bulletin publish some, the privacy argument could become moot, except for a lawsuit against the organization and you, especially a lawsuit from someone who is not negligent with their password if someone else is.
7. Anyone could pimp or harass females by sending emails as if the females had sent them themselves (akin to “for a good time email me”). They could do it as if from males, but more johns believe it when they see a female soliciting. They believe they’re entitled. Some are violent.
8. Another version: People send out messages saying I’m so-and-so and I want you to come to my home Friday night and beat me up, and don’t believe me if I say no. Yes, they show up, ready to rumble, and somebody at home has to talk fast and be believed. You said not to believe you, didn’t you?
9. Curious hackers with nothing better to do from their couches could give you headaches. Some are called script kiddies because they’re kids having fun and they use scripts to automate all kinds of mayhem. It’s your account. That doesn’t bother them. They email each other about the latest hack they did to one of you.
10. School students tend to care about grades. It is scientifically proven that your children are angelic, but it seems some children are less so. If they can break into the school’s system, they could change a failing grade into a passing grade. But that’s okay, because they’ll learn the subject next year. Or maybe the year after. Oh, by the way, they could change your own child’s grade from passing to failing. Unless no kid is that mean.
11. College grades: Same thing.
12. Teachers’ evaluations by a principal: Same thing. The principal didn’t understand.
13. Bob uses your account to email Billy with a plan to rob a bank. Billy says yeah and they do it. You just became a co-conspirator. You didn’t get a cent, but they think you were stupid, not innocent.
14. Ransom seems unlikely, but it isn’t. Ransomware is used against medium-sized sites, like those of small companies. If one assumes that a ransomware attack against one email account at a time is too inefficient and too costly for the attacker, that misses anyone who’s willing to create an app to go into many email accounts one by one and try the revealed password, then change the password to one known only to the attacker and demand ransom. The attack might fail because workers are not likely to shell out on behalf of their employers’ accounts, but the attacker could have miscalculated about the response and not realized it until the accounts are already locked up. Failure may not inspire the attacker to take the time to restore the accounts, but only to disappear. Many ransomware attacks appear to come from foreign nations, limiting your ability to get help from law enforcement. They’d have to go through a lot of rigmarole and they won’t.
15. A big cheese, not one of your people, is negotiating a deal with your side. The deal will be so big it’ll be in all the newspapers when it’s signed. The big cheese’s staff could read your side’s internal emails to find out your bargaining position. I doubt your side could, either physically or legally, crack into the big cheese’s email accounts. So the big cheese would enjoy an advantage over you. The big cheese would know your bottom line but you wouldn’t know theirs. This is true of anyone bargaining a contract with your side. Even little itty-bitty contracts. Even agreements that aren’t contracts. Even gossip. You know what a bargainer can do with gossip about you?
16. You’re planning a lawsuit or a criminal case. You could be an attorney on either side or a client. You’ve got emails about the evidence, the damages, the strategy, the vulnerabilities you don’t want the other side to hear, the surprise schedule, the subpoenas you’re thinking about sending, and the bottom line in settlement talks when not even a court is supposed to know about what goes on in those talks, with attachments. The witnesses on a list could be threatened that if they go to the courthouse their families will be murdered, or a key witness could be bribed or blackmailed. A document could be made to disappear or made unreliable. Someone reads your emails and tells the other side’s lawyer. You don’t mind, do you?
17. Privileged emails probably lose their privilege if the parties didn’t act prudently to protect their secrets. For example, if an email between a lawyer and someone communicating confidentially with that lawyer is readable by anyone, and either party knows that anyone can read it, the confidentiality is probably lost. Not just because the information leaked, but because efforts to prevent the information from being used in court will be denied by a judge. Privilege generally covers communications between spouses (called by lawyers husband–wife privilege), between attorney and client, between minister and follower (referred to as priest–penitent privilege and covering any faith), between doctor and patient, and maybe between some other people like psychologists or social workers and their clients (this may vary among states).
18. If you email a legal notice to a party who’d rather not get it, or something as seemingly neutral as a schedule, the party could go into your account, delete your copy of the email, and then claim that you never sent it. It might be the organization’s policy not to email legal notices, and that might be a good policy, but an office might be doing it anyway because of its own needs. A court might decide that what the agency sends is legal notice, and then the policy wouldn’t matter. If the recipient claims nonreceipt and you say you sent it and stand firm, you might not think to ask for proof from a backup, until so much time has elapsed that a particular backup is no longer in existence. Given common practice, that might be in just a month. Likewise, mirrors might be infected by the unauthorized deletion, and that could occur in a day or just a few hours. The other party is lying, but you can’t prove it. And if you want to send it again and make a paper record you’ll put in a vault, your new notice might be too late to be valid. The liar wins.
19. You emailed your therapist about last week’s meltdown. Oh, that’s juicy. Everyone at the water cooler suddenly gets quiet when you walk by.
20. You emailed your doctor about your itch. Your boss texts you to go home. How’d they know? Never mind. Dinner invites are mysteriously canceled. Of course, you still have your job and your health coverage, right up to the minute your replacement is hired.
21. If you have a health office and records are supposed to be confidential, they aren’t now. If someone is not supposed to see them but they do, they can’t unsee them. That would include workers’ and residents’ health histories and health insurance records. If people’s health information can effectively become public, that might violate the Federal statute known as HIPAA.
22. Elections are in the news. Thousands of poll sites have to send their results in electronically. Many of the staff are part-time clerks who work hard on elections for only a few days a year. They’re not computer geeks. They don’t want to be blamed for modifying computer settings they hardly understand and that an expert already set up. They have to use passwords. It’s easier to use the default password. Oh-oh.
23. National intelligence agencies don’t just crack government websites, nuclear power plant controls, and other targets like those (or try to). They also go after people who might know something. Those are easier to crack, because they often have easier passwords. The Chinese People’s Liberation Army and Vladimir Putin can read your email prose, because you won’t have the CIA’s security. Sometimes, they’re out to collect info. Sometimes, they’re out to commit sabotage. Maybe sending an email under your name would be a good step in shutting down the electric utility for the city. Just for a trial run, to see if they can. Or maybe they already did the trial run and this is the real buzz.
24. You emailed your brother your Amazon password so he could buy a Scrabble game for his ten-year-old twins. He had nothing to do with the $13,795.22 charge on your credit card a month later from Amazon for truffles and lasagna you never saw. Really, that wasn’t him.
25. How’s your reputation? Golden? Glad to hear it. That’ll last until someone sends out emails from other people’s accounts trashing you. Most people who get them probably won’t tell you. They probably won’t believe them either, until they start believing a pile of them. You know, where there’s smoke, there’s fire. Trashing is more effective if it’s subtle, and when it becomes a truckload of subtle trash. Soon, everyone has heard about how awful you are. You pick your nose, you took Mary’s bus fares, and — I’m sorry, I can’t bear to discuss it.
26. A blowup between you and your spouse is your private business. Usually.
27. Personal info can be gleaned by looking at a bunch of emails. Did you email your Social Security number to HR? Another time, did you email a bank and the reader can guess that it’s probably your bank? Government salaries are often public information. Would you mind terribly if some stranger took out a mortgage in your name and didn’t pay it back?
28. Employee evaluations are fair game. But the HR system is secure and it doesn’t go through email. But if you’re in danger of getting a bad score, could you imagine faking an email from your boss to a colleague about your fabulous work on the Jones contract? Ah, I get it, you’re the boss whose account got hacked to send that email? You were using the same password everyone uses because why learn a new one? You’re changing your password, yes?
29. Journalists do vital work. Thank you. That may require keeping information private. You’re the only person who knows your password, right?
30. Janet’s mad. She’s the boss and people aren’t sending in their reports on time. She wants them in her email first thing tomorrow morning. Susan and Barry rush to get theirs in on time, with all the statistics and attachments, with just five minutes to spare. Whew. Yay, teamwork. But Barry does not like Susan. Barry would like Susan’s job. So Barry goes into Janet’s email account and deletes Susan’s report. Then Barry goes into Susan’s email account and deletes Susan’s copy of her own report. Janet arrives. Why isn’t Susan’s report there yet? Janet storms into Susan’s cubicle. Susan sent it! She swears she did! Janet says okay, show me your email account. Fine; Susan logs in and searches. Frantically searches. It was right here! Janet knows exactly what happened. Janet knows Susan didn’t do a report, never even wrote it, and fires Susan. After the firing, her email account is deleted, so the history of what was done to it can’t be traced. Even the mirrors and backups are effectively gone, soon. Barry waits a decent interval, then inquires about filling Susan’s former position, because it isn’t being done and there’s a backlog of work. Janet knows that Barry is a good worker, and agrees. Janet gives Barry a pay raise. Barry emails Susan at home to tell her that he has had nothing but praise for her.
31. If you do politics, you might want other governmental units reading your emails. Or maybe not. And some politicians attract rabid followers who have their own ideas. We have a technical term for those fans: the “crazies”. Now that you’re armed with their diagnosis, you have to prescribe their treatment. And, since they’ll resist treatment, you’ll have to take away their sharps. Which means you have to change your password.
32. Wouldn’t it be hilarious to impersonate you? It wouldn’t? Don’t you have a sense of humor?
33. You mentioned your kids’ names and ages in an email. Or someone else mentioned your kids’ names or ages. I won’t joke about kidnapping or blackmail. Let’s just say that some people like to collect other people’s private information.
34. Phishing. That usually has a genuine-looking email from someone the recipient knows. Maybe you. It says to send money or a password or something. When they fall for it, they’re gonna be mad. That was your name on the email as the sender, and the full headers confirmed it, so the security people got the goods on you. Say the wrong thing and you’ll sound guilty. Say nothing and you’ll look guilty. They don’t have to prove a crime to fire you.
35. Businesses like to keep secrets from their competitors. Like what products they’re thinking of adding, about unhappy customers, and on financial difficulties. Maybe you don’t want your competitors reading your emails.
36. Botnets are good for a lot of international scams to grab money and launder it. An email may say “check out these cool games” and the person who doesn’t know better clicks and immediately their computer gets infected with malware that joins it to a botnet of hundreds of other computers. If you’re going to steal money from one fool, how much more pleasant it is to steal from hundreds of fools at the same time. When the police look at the email with the malware, your name’s on it. The handcuffs are just your size.
37. Trade secrets have to be protected. If a company has a trade secret and discloses it under a promise of confidentiality to someone through email, it almost certainly still enjoys legal protection. However, everyone involved is supposed to take reasonable steps to protect the secrecy. For email, that would usually include password protection. If that password protection doesn’t exist, the trade secret could become public and harm the holder’s interests. In that case, someone could be sued for loss of protection or the original holder could be in legal trouble from the loss of secrecy, including bankruptcy, which could give ground for a lawsuit against someone with pretensions of security for financial damages due to negligence or recklessness. You wouldn’t want to defend by saying that the holder of the secret should have known that the password was public, because that would open someone up to lots of liability in many kinds of cases. It’ll be a mess.
38. Wouldn’t it be neat if someone got into your email account and gave someone your permission to do something? It’d be easy and you’d never have to know. And the recipient would be entitled to take your word. Your email is in their files. It wasn’t you who sent the email? You have proof?
39. I don’t know if an IOU, especially a promissory note, is legally valid if sent by email. This might vary by state. I don’t think you’d want to test that. But maybe someone will, and drain your bank account and place a lien on your house. Straightening that out is your problem. From what I’ve read, it’ll take you hours and hours.
40. Spammers have a problem. The email account they use may limit how many spams can go out every hour. Adding your account lets them take joy in sending spams. Like the ones about $10,000,000+ some low-level foreign bank official wants to send to your pals. Your name will be featured as the sender of the spam. Hey, you’re not using your account at midnight anyway.
41. Contact lists are convenient. Also, spammers like to copy them. The contact list belongs to an account, so spammers like to copy the contacts with the holder’s name. If you’re the holder, the spammer writes a message as if you wrote it to all your contacts. The contacts recognize you. They’ll think you wrote that message about cheap drugs. The message says to contact someone else for the drugs, so your family or garage mechanic or boss probably won’t ask you if you really sent that email.
42. Financial information held at financial institutions is often under good security. But if your email gives clues on how to access it, then your pension, your investments, your savings and checking, your tax information, and I don’t know what else may be viewed by people unknown. Maybe they can make decisions for you, too. Invest in junk. Spend your money. Without telling you. You probably won’t get it back.
43. You’ve been keeping a monster-load of emails because there are some that are really important. Someone got into your account. With a few clicks, they deleted all of them. Can’t get them back.
44. Someone could invent a crime and create an email trail between two unwitting workers and then tell a law enforcement agency about the crime and how to find evidence of it. Imagine: A mechanic has a crowbar. Someone could say, “Did you know he used it to break into an old apartment on Broadway? He bragged about it in emails and colleagues congratulated him on his haul.” Suppose all of them can straighten this out. That could take months and meanwhile they could be terminated on suspicion. That might be all some hater wanted. A forensic investigation might uncover the real story, but probably no one will do that investigation. Too expensive and, anyway, everyone’s been terminated.
45. Your kids had a problem, or you found your kid’s diary, or your crazy uncle just did something nutty again, or your dog bit the postal carrier. It’s public.
46. You have an important meeting coming up. You’re collecting emails with attachments you want to print and prepare for your big moment. They vanished. It’ll take hours to recreate them. Explain that to your boss.
47. Tips about fraud, waste, abuse, harassment, and suspicious things generally come to you, because your job is to handle these things, with professional discretion. Tipsters discover you’re blabbing. It must be you, because they didn’t tell anyone else and now they’re getting retaliated against, so you must have tattled. You didn’t? Prove it.
48. Confidentiality notices at the bottoms of emails may offer little protection. Such notices should be at the beginnings of emails, to make the notices more effective, even though almost no one writing an email would agree to that, because it would make it less likely that a recipient would read past the beginning of the notice. Even a one-liner like “see notice at bottom” will shrink the readership of the main message. So, no, the email probably won’t be treated as confidential. And if the password is well-known, the notice won’t work.
49. Someone doubtless may have to solve problems that may involve other people’s emails, such as making sure that someone sends a certain email. Some people have more scruples than others do. Therefore, some people have fewer scruples than others do. A person with fewer scruples may go into someone else’s account to send the email the latter person was supposed to send. And the person with fewer scruples may go into someone else’s account to send an email that it is believed someone was supposed to send but perhaps sending was really not required of that person. The event will probably be difficult to prove. The damage will probably be difficult to repair.
50. Your organization may forbid private emails in their system. That doesn’t matter. Maybe the person misusing the system can get fired, but the risks are largely the same and you generally still can’t look.
51. Someone changed your email settings. No one told you. You had it set to keep copies of emails you send. Maybe no more, and you don’t realize it until you look for one. Or maybe your closing sig got changed or removed. You can change them back, but you’d probably have to know there’s something wrong before you checked the settings.
52. You’re locked out of your email. It seems someone else said they lost their password and got it changed, but that was on your account, not theirs. You have no idea who could have done that. The number of suspects is in the millions, spread around the world. I don’t think the police will conduct third-degrees for you.
53. You never access anyone else’s emails but you know the common password and so you could access them. Even though you don’t touch them and have no clue what’s in them, you could still be liable because you should have known something that was in their emails. You could be sued, and lose.
54. Confidence in the computer system is weakened. People need computers and yours is the only system, so they’re stuck with having some confidence in it, but there can’t be this many problems without eroding belief in the security and cleanliness of the system and trust in its data.
55. If your computers are not trusted, because the data is probably wrong, the organization is not trusted. Because many organizations have this problem, this organization will only lose this trust gradually, but it can lose it, and it can be difficult to get it back. Narrower consequences also ensue: People from other departments can’t be trusted, at least not as much. You won’t be trusted much by people who don’t personally know you.
That’s just on a good day.
The liabilities have plenty of law behind them.
But, besides that, some products that come with passwords are covered or influenced by a California statute on passwords. The California market has a lot of people and companies and so it is a big market for many products. If the product is made for the California market but is also made for sale or use elsewhere, it may be cheaper to make the product the same for everywhere. On the other hand, if the product is not required to comply with that statute even in California, it may or may not offer the feature at all. (The supplier may have legal liabilities either way.)
Under the statute, if it applies, having one default password for all copies of the product is not good enough. The device you get must have a unique password or must force you to create your own password before you can use it for the first time.
That’s nice, even though it has its own drawbacks. Someone might forget the unique password because they hadn’t preserved it yet. Someone might create a weak password other people can guess.
But even that legal requirement does not apply to everything that has a password. You may still have a big problem to fix on your own.
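The two rules above (a unique initial password, or a forced change before first use) and the cleanup of accounts already sharing one default can be sketched as follows. This is an added example, not code from the article or from any email provider; the function names, the placeholder default, the 12-character minimum and the choice of PBKDF2 are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder for a rollout-wide default (not a value from the article).
SHARED_DEFAULT = "Welcome-EXAMPLE-1"
PBKDF2_ROUNDS = 100_000  # demo work factor (assumption); tune for production
MIN_LENGTH = 12          # assumed local policy against weak replacements


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    must_change: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _set_password(acct: Account, password: str, must_change: bool) -> None:
    acct.salt = secrets.token_bytes(16)  # fresh salt on every change
    acct.pw_hash = _hash(password, acct.salt)
    acct.must_change = must_change


def provision(name: str) -> tuple[Account, str]:
    """New account: unique random initial secret AND a forced first-use change."""
    acct = Account(name, b"", b"", True)
    initial = secrets.token_urlsafe(12)
    _set_password(acct, initial, must_change=True)
    return acct, initial


def verify(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))


def login(acct: Account, password: str) -> str:
    """Return 'denied', 'change_required' (nothing else allowed yet) or 'ok'."""
    if not verify(acct, password):
        return "denied"
    return "change_required" if acct.must_change else "ok"


def change_password(acct: Account, old: str, new: str) -> bool:
    if not verify(acct, old):
        return False
    # Refuse no-op changes, the known shared default, and short replacements.
    if new == old or new == SHARED_DEFAULT or len(new) < MIN_LENGTH:
        return False
    _set_password(acct, new, must_change=False)
    return True


def audit_and_remediate(accounts: list[Account]) -> dict[str, str]:
    """Find accounts still on the shared default and replace the credential.

    A change-on-next-login flag alone is not enough once the default is
    public: the default would still open the account. Each affected account
    gets a unique temporary secret (to be delivered out of band) instead.
    """
    reissued: dict[str, str] = {}
    for acct in accounts:
        if verify(acct, SHARED_DEFAULT):
            temp = secrets.token_urlsafe(12)
            _set_password(acct, temp, must_change=True)
            reissued[acct.name] = temp
    return reissued


def legacy_rollout(names: list[str], changed: dict[str, str]) -> list[Account]:
    """Constructed sample data: accounts created with one shared default."""
    accounts = []
    for name in names:
        acct = Account(name, b"", b"", False)
        _set_password(acct, changed.get(name, SHARED_DEFAULT), must_change=False)
        accounts.append(acct)
    return accounts


if __name__ == "__main__":
    staff = legacy_rollout(["ana", "ben", "cy"], {"cy": "a-long-private-passphrase"})
    fixed = audit_and_remediate(staff)
    print("still on the default, now reissued:", sorted(fixed))
    print("default after cleanup:", login(staff[0], SHARED_DEFAULT))
    print("temporary secret:", login(staff[0], fixed["ana"]))
```

Accounts whose holders already chose their own password are left untouched by the audit; only those that still verify against the shared default are reissued.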
Getting it Done
Fixing this is not cheap, and it’s disruptive, but it must be quick. Here’s a sketch of how to resolve this. I’d like to say it’s a few easy steps but — nope.
Step 1: Assign someone you trust to do this work hands-on. That person will learn some highly sensitive information with life-and-death consequences (people can die) and they can’t unlearn it. If your entire organization is made up of mass-murdering terrorists with ugly hats, choose one anyway, because freezing in front of onrushing headlights is how you get into trouble. Hide the machine guns, hint that your particular mass murderers are maybe nice deep down, and get to work.
Tell people, at least those who are already accessing other accounts, to stop right away unless a lawyer has authorized it. Probably, no lawyer will authorize it except for licensed investigators of illegal activity. Even the accounts of people under a reader’s direct supervision, like assistants, may not be accessed. Even if you had everyone sign a boilerplate authorization (like “I agree that my emails may be read without notice”), assume that it isn’t valid for this.
Even if someone is authorized to access an account, they may not be authorized to read a particular email, because it may be legally privileged, such as someone’s email to a doctor or lawyer. Since they may address their doctor as “Dear Jane”, the peeper may not realize it and could still be liable.
However, telling some people who didn’t know they could do this may lead them to do exactly what you tell them not to do. If you choose not to draw their attention to this, at least put it in some policy memorandum everyone is supposed to read but probably won’t. Write that policy in as dull and boring a tone as you can; legalese is good.
Who manages the core of your email system matters. What follows assumes that someone else, such as Google, does. That’s true for most people and most organizations, because managing an email server is complicated.
However, if you manage your own email server in-house, adapt the following steps. Your steps might be simpler; but you’ll still need to be careful (and also fast).
Step 4: For other kinds of online accounts, this procedure will work if you adapt it. This mainly is about authentication and authentication is similar across many kinds of websites and intranet sites. Examine the following and adjust the procedure as needed.
Step 5: Perhaps your provider already has a procedure for all of this that requires no more than a few free clicks by you. Look for that in your settings and online help. If your provider has customer service or an account manager for you, try asking that person. But I haven’t heard of such a procedure. Maybe part of it is available, but you’ll need custom work for anything not available.
If your email service provider does not offer all of the services you’ll need, you’ll likely need a contract with them, to do custom services. You’ll likely need to tap into the service provider’s programmers and executives of various departments, specialties, and skill levels (when to escalate should be up to you) and get their knowledge and advice on a moment’s notice (many businesses offer this); and you’ll need them to create the products (mainly services) you’ll need to fix this problem, and create them quickly, and with you reviewing their work at every step for quality and compliance with your objectives.
They’ll likely charge you handsomely for custom services, and even more for quick custom services. Depending on your organization, you may need to use an accelerated legal no-bid contract procedure. If your organization would say no, there’s probably some extraordinary exception, so get the exception lined up. Your provider has no competition and they know it, so there’s only one bid. You’ll have to conclude the contract negotiation with amazing speed and a check ready to write.
You could bargain by telling them you’ll move your business, but that would mean assigning all the accounts to a new domain, and your current provider may guess that you wouldn’t care to do that. If moving is a serious prospect, check that your new provider has the services your old provider doesn’t have, because if people didn’t change their passwords last time they probably won’t this time, either, and you’ll have the problem all over again.
Another alternative is to move your email service in-house, because then you can do your custom services with much more control over quality, timing, and cost. However, setting up and running an inside email server is far more complicated than most people are prepared to handle. There’s a reason almost no one does that. If you have enough people, assign someone to researching that option, but don’t let the research step delay getting all of this done fast.
In planning for an in-house or outside provider, or in considering both until you make a choice, you’ll need to be credible to your present provider. List every criterion in order of importance and, where they’re priced separately, you should list the prices separately. For example, list production servers separately from programming servers, since the technical demands on them likely differ. For staffing, price the entire compensation package and overhead for each position. List also criteria that your present provider fulfills but which you don’t want; this may arise if your present provider bundles services you don’t want when you’d rather save money by effectively unbundling them. If you buy through a purchasing department and that department would likely edit your request downward, perhaps by rejecting brand-specificity or by lowering your criteria, your plans should assume that will happen and your prices should take that into account. Do not consider temporary sales; price according to regular prices. If a vendor refuses to disclose a regular price but only the price for buying quickly, find another sales representative or find another vendor. Now, when you have your written analyses, your present provider can believe them and can see that you might leave your present provider unless they do what you need (which you will pay them for).
Moving has to include maintaining access to the old content, including old emails and settings, either by moving everything or by maintaining double sets of accounts. The first may be unavailable; the latter is insecure (the original problem remains); both are complicated.
If you do move email to a less satisfactory option but at least you get everything cleaned up, you can consider moving the clean files back to a good provider, maybe your previous provider, along with all of the content and settings. Hopefully, this will be a one-time-only need.
Step 7: Try to hand over another large check at every milestone. Paying them will be more attractive to your provider. They may be wary about extending credit if you have less than the best credit rating. If they get wary, you may find them slowing down your project. You need speed, so maybe bring a wheelbarrow of checks you’ll fill in as needed.
Make it impossible for anyone new to set a password that will create problems. This will take a few steps. Here’s the first:
Ban certain passwords altogether. For example, the default password should be retired and never reintroduced for any account. Some likely passwords will probably be tried in a brute-force attack on accounts, and you need to foil that attack. The password “password” has to be banned. The system must compare every proposed password to the list of banned passwords.
The ban should be case-insensitive.
Prevent creating passwords that would be easy to guess from a user’s biography. The biographical information should include the user’s real name, username, addresses, date of birth, Social Security Number (with or without hyphens), family members’ names, employee number, and phone numbers. The personal names may be written in several ways by the user; with or without a middle name, with or without a first name, first or last name only, with a mixture of initials and full name parts, initials with or without periods, with or without spaces, with or without prefixes (like “Dr.”), with or without suffixes (like “III”), and with varying capitalization; ban all of these varieties.
Some of this information, like Social Security Numbers, is private and may have to be obtained from another organizational office. You shouldn’t store it in your system and risk its security. Instead, arrange for a real-time connection so you can compare the proposed password for similarity to the other organization’s information.
When a proposed password is rejected, show a message that explains that it is too similar to your (the user’s) personal information that an unauthorized person might already know and use against you. If the user clicks a link for more of an explanation, explain that, while other systems might allow such passwords, they’re usually bad for security, so you (the user) should consider changing them everywhere.
Step 10: Ban certain password patterns completely, and case-insensitively. For example, if people are likely to make passwords similar to a default password, figure out what pattern would catch most of the similar ones without being excessive and ban that pattern. Compare proposals to those patterns.
Try to require all new passwords to be unique or, at least, rare. In one school, the IT chief said that unless passwords were assigned to the students almost every password would be “123” or “klingon”, creating similar problems. It’s not just that the students would play pranks on each other, sometimes serious ones with damaging effects. It’s also that confidence in the school’s computer system would be lowered.
Uniqueness is often impossible for PINs, which are a type of password. If a PIN is limited to four decimal digits, only 10,000 PINs are possible and there may be more accounts than that. You may have to settle for rarity.
For either uniqueness or rarity, if the supply of possible passwords could begin to be exhausted soon, plan for that. Even a quarter of them being unavailable would be noticed when people try to set a new password but get told that this one is not available, that one isn’t either, and so on. People will complain to the IT department and the IT people should design a system that is unobtrusive, to reduce complaints. Figure out how many new passwords are needed in a busy month and set things so there are always plenty of passwords to choose from. One solution is to encourage users to make passwords longer, because there aren’t very many 3-letter passwords possible.
Sometimes, even rarity is not possible. However, in that case you have to make brute-force attacks easier to stop. For example, PINs that are not even rare may be acceptable if they can only be used at computers that are public, so someone spending hours typing all the possibilities can be met by your security guard, who can walk the butter-fingers typist to the interrogation chambers. Or, you can disable a computer from all password-protected access by anyone for a period of time after a certain number of failed attempts on one account, or perhaps on all accounts.
Decide how many accounts may have the same password before it is too common. If you change the rules about passwords you’ll accept, so that there are more or fewer possibilities for a user to propose, recalculate how many accounts may have the same password before it is too common.
Be more stringent for people who likely work together, such as a boss and their assistant, people in one department, people in the same family, or people who email each other often. These can be determined from the human resources system or from a log of email traffic.
Case-insensitivity makes the standard more stringent. Given how people usually do many kinds of things, stringency would be good.
Enforcing uniqueness or rarity requires every proposed password to be automatically compared to all existing passwords. The comparison should be caseless.
If the proposed password includes spacing, compare with and without spacing for each space.
If you generate passwords that users can select, the generator must automatically do the same comparisons before proposing a password to the user.
If you require that old passwords not be reused, and that’s a good idea, automatically compare the proposed password to the old passwords, too. If your standard is rarity and not uniqueness, an instance even among old passwords counts within rarity, so that it may be possible for the password to appear once among old passwords and still be rare enough for a new use.
Step 13: We need to define a word. Instead of using a long phrase, replacing it with something shorter will be more convenient. The word is “threshold” or “commonality threshold”. The threshold is the number of accounts sharing one password that is already too many. If a potential password is banned for everyone, the threshold is one, because one is too many. If a potential password must be unique, the threshold is two, because two are too many. If rarity is allowed for up to six users, the commonality threshold is 7, because that’s too many.
When you reject a proposed password, say why, or users will believe their password already conforms to your requirements and they’ll complain, especially if they use it on other systems without a problem (never mind that they shouldn’t be reusing the same password, they often do). Don’t give a one-size-fits-all rejection message or a checklist. People won’t read the checklist. Give the reason for rejecting that particular password. Don’t mention case. Don’t say who has it already, just that someone has it or had it and therefore that the user must propose a different password. Users need to know what to do.
Your email service provider may have to install these messages into their system for you, which will cost you money.
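The checks described above (banned list, banned patterns, biography, commonality threshold, and a rejection reason specific to the password) can be combined at the moment a password is proposed, while the plaintext is still available. This is an added example, not code from this article or from any provider. The key, the banned entries ("welcome2024" stands in for a retired default), the pattern, the profile fields and the keyed-fingerprint store are all assumptions made for the illustration.

```python
import hashlib
import hmac
import itertools
import re

# Every value below is constructed for this example.
FINGERPRINT_KEY = b"constructed-demo-key"      # assumption: the real key is kept outside the account database
BANNED = {"password", "welcome2024"}           # "welcome2024" stands in for the retired default
BANNED_PATTERNS = [re.compile(r"welcome\d*")]  # hypothetical pattern for near-default passwords
COMMONALITY_THRESHOLD = 2                      # the count that is already too many; 2 means unique

SAMPLE_PROFILE = {
    "names": ["John", "Q.", "Smith"],
    "identifiers": ["jqsmith", "123-45-6789", "1970-01-31", "555-0100"],
}

MESSAGES = {
    "ok": "Password accepted.",
    "banned": "That password is not allowed for any account. Choose a different one.",
    "pattern": "That password follows a pattern that is too easy to guess. Choose a different one.",
    "biography": "That password is too similar to your personal information, which an "
                 "unauthorized person might already know and use against you.",
    "common": "Someone has or had that password. Choose a different one.",
}


def canonical(password):
    """Caseless form with all whitespace removed, so passwords that differ only in
    case or spacing compare equal (stricter than comparing space by space)."""
    return "".join(password.casefold().split())


def squeeze(text):
    """Keep only letters and digits, so 'J. Q. Smith' and '123-45-6789' lose punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def fingerprint(canon):
    """Keyed hash used only for counting duplicates. It is not the login hash,
    and it is only as safe as FINGERPRINT_KEY."""
    return hmac.new(FINGERPRINT_KEY, canon.encode("utf-8"), hashlib.sha256).hexdigest()


def bio_tokens(profile):
    """Name parts in any order, each written in full or as an initial, plus identifiers."""
    names = [n for n in (squeeze(part) for part in profile["names"]) if n]
    tokens = set(names)
    for size in range(2, len(names) + 1):
        for order in itertools.permutations(names, size):
            for forms in itertools.product(*[(part, part[0]) for part in order]):
                tokens.add("".join(forms))
    tokens.update(squeeze(value) for value in profile["identifiers"])
    tokens.discard("")
    return tokens


def check_password(proposed, profile, counts):
    """Return (code, message) giving the one reason this particular password failed."""
    canon = canonical(proposed)
    if canon in {canonical(b) for b in BANNED}:
        return "banned", MESSAGES["banned"]
    if any(p.fullmatch(canon) for p in BANNED_PATTERNS):
        return "pattern", MESSAGES["pattern"]
    squeezed = squeeze(canon)
    for token in bio_tokens(profile):
        # Short tokens (bare initials) must match exactly; longer ones may appear anywhere,
        # which also catches prefixes and suffixes such as "Dr." or "III".
        if squeezed == token or (len(token) >= 4 and token in squeezed):
            return "biography", MESSAGES["biography"]
    if counts.get(fingerprint(canon), 0) + 1 >= COMMONALITY_THRESHOLD:
        return "common", MESSAGES["common"]
    return "ok", MESSAGES["ok"]


def register(accepted, counts):
    """Record an accepted password. Entries are never removed, so old passwords keep counting."""
    fp = fingerprint(canonical(accepted))
    counts[fp] = counts.get(fp, 0) + 1


if __name__ == "__main__":
    store = {}
    register("Correct Horse 42", store)
    for attempt in ["PASSWORD", "welcome77", "Dr. J. Q. Smith III",
                    "correcthorse42", "violet-Kettle-91-drum"]:
        print(attempt, "->", check_password(attempt, SAMPLE_PROFILE, store)[0])
```

The store holds only keyed fingerprints and counts, so the rejection message can say that someone has or had the password without the system knowing who.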
Publish tips on computer security, but don’t delay the other work to write the tips.
Add this: Common or predictable passwords should not be used for any purpose. You’d think that would be obvious. But something like a year ago I found a collection of billions of passwords (it’s since been taken down). I found the collection because I Googled someone’s name and that name turned up as a password. It’s like John Q. Smith giving himself the password “John Q. Smith”. Maybe John doesn’t care but anyone could have gotten into his account. That’s usually a bad idea. Prevent it.
If you don’t have time yet, you will after all the bad passwords have been changed, which they will be, because of your overwhelming power of persuasion and your snappy ability to click a button on your own computer. Write the tips eventually.
Now that you have a clean system going forward, all that’s left is to fix the old bad stuff still lingering around.
Get from your email service provider a list of all accounts that have passwords that reach any commonality thresholds.
Some passwords differ only in case. I would suggest treating them as similar enough to be treated as if the same, but I think that encryption by hashing makes that technically too difficult. (The hash is how the password is encrypted at the server for storage, so not even an Einstein can crack it.) This is a weakness in this proposal, but I don’t know how to solve it, because it usually is too difficult to reverse-engineer hashes to reveal original plaintext passwords, so you won’t be able to find which ones have similar plaintext, and your provider probably can’t either.
I’m less clear on how hashing is managed for passwords across the Internet, but I understand that browsers have encryption systems built in for passwords being sent out, so they’re sent out as hashes; servers using authentication have matching decryption systems to test a hash that arrives; and both encryption and decryption systems are updated from time to time. To prevent interim incompatibility, it’s likely that a server stores old and new hashes simultaneously for one password, although not very old hashes. That would allow an account holder seeking authentication to use either an old or new browser, although not a very old browser. Therefore, hash counts should be based on the server’s latest hashing system that stores hashes for all of its account holders. If no single hashing system has been fully implemented for everyone, counting may have to depend on studying hashes in multiple hash systems and thus be tentative. If they’re tentative, you should be stricter when judging thresholds as to whether exceeded. If you’re not sure, stay on the safe side and invalidate more people’s passwords.
You don’t need the plaintext passwords. You don’t need the specific hashes. You don’t need to know which threshold someone’s password violated. You don’t need to know the size of the threshold for that password.
If you have a hundred people with accounts and your commonality threshold is five people, and five people have “hello” as a password and eight people have “goodbye” as a password (never mind that those are insecure passwords), you need to know about the thirteen people in total but you don’t need to know about the five and the eight separately. This risks that you can still guess the passwords of the people in that thirteen if you heard what passwords are common, and that entails more trust than IT departments and staff usually get (normally they’d see only hashes and not plaintext passwords). However, that exposure may be unavoidable, and they’re going to be changed soon anyway.
In your list of passwords that violate any thresholds, you need the email addresses (which you already have), usernames (you have those, too, from the email addresses), real names, physical locations, and alternate contact information. You’ll also need access to information on who supervises each of the people on that list, and their physical locations and alternate contact information.
The alternate contact information cannot be an email address that is currently compromised by this problem, even though it’s someone else’s email address. It may be an uncompromised email address in your organization. It may be a personal email address outside of your organization. Your organization may forbid using a personal email address for organizational purposes, but it may be worth getting a temporary exception from that policy. You might create temporary email addresses for the purpose, so that email@example.com would be set up with firstname.lastname@example.org and, of course, it would get a good password, and its contents would be merged into the proper permanent email account by the time all this is done. Find out how to merge the contents of two email accounts without an email from one account overwriting an email from the other account, if that’s a risk.
Pretty much anyone who’s not on that list and isn’t supervising someone who is won’t need to see your face. Lucky them.
If you manage your own email server, you likely have many accounts. Scanning the hashes on many accounts is too burdensome for human eyeballs to get right. Instead, you should have an app custom-written that will scan all the hashes for you, quickly and accurately. Make sure the programmer who writes that app is not a sloppy programmer even when they program in a rush. That will likely cost more, but you don’t want to lose time because the app was bad.
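A sketch of such a scanning app, as an added example that is not from this article or any provider: it assumes the server stores PBKDF2-SHA256 hashes with a per-account salt, in which case equal passwords do not produce equal hashes and the scan has to test known candidates (the retired default, the banned list) against each account. The account names, candidate list and sample data are constructed, and the iteration count is kept low only so the sample runs quickly.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # constructed sample only; a real store would use a far higher count


def hash_password(password, salt, iterations=ITERATIONS):
    """The stored form assumed here: PBKDF2-SHA256 over the password with a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def case_variants(candidate):
    """The common capitalizations of a known candidate, so 'Hello' counts with 'hello'."""
    return {candidate, candidate.lower(), candidate.upper(), candidate.capitalize()}


def audit(accounts, candidates, threshold):
    """accounts maps username -> (salt, stored_hash).

    Returns one sorted list of usernames whose password matches any candidate that
    reaches the commonality threshold. The result carries no passwords, no hashes
    and no indication of which candidate or threshold an account matched.
    """
    matches = {candidate: set() for candidate in candidates}
    for user, (salt, stored) in accounts.items():
        for candidate in candidates:
            if any(hmac.compare_digest(hash_password(variant, salt), stored)
                   for variant in case_variants(candidate)):
                matches[candidate].add(user)
                break
    flagged = set()
    for users in matches.values():
        if len(users) >= threshold:  # the threshold is the count that is already too many
            flagged |= users
    return sorted(flagged)


def build_sample_accounts():
    """Constructed data: 100 accounts, 5 on 'hello', 8 on 'goodbye', 3 on 'letmein', 84 unique."""
    passwords = ["hello"] * 4 + ["Hello"] + ["goodbye"] * 7 + ["GOODBYE"] + ["letmein"] * 3
    passwords += [f"unique-{os.urandom(6).hex()}" for _ in range(100 - len(passwords))]
    accounts = {}
    for number, password in enumerate(passwords, start=1):
        salt = os.urandom(16)
        accounts[f"user{number:03d}"] = (salt, hash_password(password, salt))
    return accounts


if __name__ == "__main__":
    to_visit = audit(build_sample_accounts(), ["hello", "goodbye", "letmein"], threshold=5)
    print(len(to_visit), "accounts to visit:", to_visit)
```

With a threshold of five, the five "hello" accounts and the eight "goodbye" accounts come back as one list of thirteen, and the three "letmein" accounts stay off it.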
Step 17: The legal content below is based on law in the United States as I understand it. I am not a lawyer. Do not follow it unless you independently agree with it. Make sure you are on solid legal ground and that the people who don’t want to change their passwords now are also on solid legal ground. If this is outside the U.S., be legally careful.
Design the list so you can sort it in various ways. This is one reason it should be online. One important sortation is by rank. You’ll want the highest person to be at the top, all the second-level people to be next, all the third-level people next, and so on.
You’ll also want to be able to sort by department, address, or other criteria, and within that to subsort by hierarchy.
Include a field for you to write an arbitrary number for a sequence of visits. If, for some mysterious reason, after you visit Chris, you should immediately visit Pat, this field will remind you of that. But make it a free-form text field sortable by content, so you can follow a number with text, like, for the second person, “2 but before lunch”. You could design input validation so that the entry must begin with a digit.
Step 19: Include in the list a free-form comment field, so that you can remember something important for your next visit.
Step 20: Some people will have complied by opting for the alternative, the meeting with the lawyer. The list should show you that status.
Step 21: The list should automatically stop showing someone the instant they have changed their password. Save yourself some visits.
Step 22: Create a standard page to force an immediate password change before the user can access their emails. The page, when it is eventually displayed, will force the user to create a new password to replace the old one. It will not permit the user to access their email, send an email, or do anything else with their account, but change their password. The page will have one alternative choice: A checkbox for “I request a temporary delay in changing the password, I have a good reason for the delay, I know a good lawyer, and I am available for an in-person meeting soon that is limited to myself, the lawyer, and the computer security representative.” This is not a joke. Without the lawyer, don’t allow a delay.
Step 23: You’ll need an office. You’ll have sensitive information, so it needs to be secure. You may need a safe. You’ll be working crazy hours, so it needs to be accessible to you 24 hours 7 days a week, including holidays.
Step 24: Keep your commuting time surprisingly short. Check out hotel rooms, even if they’re not palaces. Do not leave anything sensitive there when you’re at work. Someone can bribe (excuse me, tip) a hotel worker to let them look for something they say they “lost” in that room during a meeting you know nothing about. Don’t say anything sensitive in the hotel room. Someone can tip someone to let them leave a bug. Bill Gates’ security person found several bugs in his hotel room at a conference, and you don’t have a security person. When you use your computer from that room, your network is subject to man-in-the-middle attacks, which are so common they have their own abbreviation: MITM. Use your computer securely. Take your computer to work with you, even if it’s not the computer you use for this project. But it’s all worth the hassles. By shortening your commute, you’ll finish faster.
Step 25: Sequence your visits to start with the highest person in the organization who’s on that list.
Step 26: Group meetings perhaps should be discouraged, for security reasons, but they’re likely, and at least they’ll save you time. Design your software so that you can take attendance and have the software be able to disable all noncompliant accounts at once. If two hundred people are sitting there and seventy-one change their passwords or opt for the alternative, you need to disable the other one hundred twenty-nine accounts and you should do that in one click. One click saves you time and is far more dramatic in persuading one hundred seventeen people to comply, leaving you with just twelve people being unable to access their accounts and screaming bloody murder at you. Twelve wanting your head is not so bad.
You should do password changes in person, with offline identity verification. Letting everyone do it themselves is risky, because you can only hope that al-Qaeda isn’t listening and changing them themselves. But forbidding changes except in-person may involve too many visits to be quickly finished, and that’s a security problem, too. You’ll have to compromise, somehow.
Some people will be so far away that you can’t hand them their new passwords in person. Maybe one is on a research caravan in Siberia and needs to access their email from afar. Offer to send someone on reindeer with their new password, at no expense to you, or they’ll have to wait until they return to get their new password and access their account. Tell their supervisor, too.
If you’re not going to do face-to-face setups, then perhaps send a mass email to tell everyone to change their password and also to ask their neighbor to check their email. That may cause someone to discover that they’re locked out and complain, and the complaints are to be encouraged, but, of course, al-Qaeda would get that mass email, too, and might write an app to change thousands of passwords at once. You could write a program to discover that volume of traffic, but by the time you realize what’s happening it could be too late.
Step 28: Get ready for visits by bringing a tablet or other convenient hand-held computer, with networking including wired and wireless, preferably two computers in case one has a problem, a cell phone and a spare so you can tell your IT office to carry out your steps in case the networking fails and carrier pigeons aren’t available, one or two cameras and more than enough digital storage cards for each camera until you can download images to your computer system and erase the cards, the various paper forms you’ll need people to sign (bring twice as many forms so you can hand out copies to signatories for them to keep), and your strength of will.
For each visit, unless you know the person personally (you might recognize the CEO by face but not their personal assistants), require that they show you their photo ID from the organization or the government (not third-party ID). You photograph the ID. You don’t have to photograph both sides as long as the photo and the name are on one side. You fill in and sign a form saying you knew the person personally unless you photographed their ID; you’ll need that for the records.
Don’t let Tom change the passwords for Dick and Harry, or you could be responsible for their breach of secrecy. No one can be an agent for the person you need unless the person gives you their signed authorization for that. The authorization must make clear that the agent will see the person’s password and must convey the in-charge person’s plenipotentiary power.
If a failure of your computer, the network, or your phone connection means you can’t do the process, don’t give a free pass or people will start disabling networks when you come. Tell them you’ll disable the email account as soon as you can, give them a paper saying so, leave, do exactly what you said you’d do, and come back later when networking works.
If a delay is requested, their lawyer must be present and the meeting must be privileged (that’s a legal term meaning that what you say between the three of you is confidential attorney-client communication).
If you’re doing a group meeting, be careful that one lawyer is not appearing to represent someone they can’t. For example, a government agency may forbid their lawyer from representing someone from another agency. One way to be careful is to have the lawyer sign a form saying that they represent all the people you named on the form; give the lawyer a copy.
A nonlawyer cannot represent themself in this circumstance, because they’re conducting organizational business and a nonlawyer probably can’t do that as if they’re a lawyer.
If the person is themself a lawyer, they can represent themself on behalf of the organization (if the organization doesn’t forbid that), but only if they sign and give you their authorization to that effect, the form stating that they are a lawyer and identifying at least one court in which they are currently authorized to practice (not pro se). Have a form handy for the purpose and give them a copy.
Explain that some passwords are too common and they create a security risk which will now be shuttered. Use your computer to invoke the above password-change-force page to be ready to display on that person’s account only. Tell the person to log into their email. You don’t need to watch them logging in. The password-change-force page should display, blocking their view of any emails and other email functionality (e.g., the ability to send emails will be temporarily disabled). Answer their questions as best as you can. Encourage them to complete the form.
If the person fails to complete the form, which means they didn’t set up a new password and they didn’t choose the avoidance option, provide a Close button but have that button take them to a screen that warns them that the account is now disabled but they can go back and complete the form and thereby re-enable the account. Disabling means emails can still arrive but they won’t be able to log in and see them or even know about them, but tell them they’ll still be responsible for knowing about all incoming emails, including those from their boss and other important parties, and they’re still responsible for sending all required outgoing emails even though they can’t from their own account. By making that into a screen they see when they try to log in, everyone will see the same message.
They may ask how you think they can see their boss’s emails if you disable their account. You remind them that all they have to do is change their password in your presence or check the avoidance checkbox and they can immediately access their account all they want. Tell them that once the access is denied you can come back for another meeting whenever is mutually convenient and you’ll be happy to make that as soon as possible. When you come back, repeat as above.
If they check the avoidance checkbox, do not disable the account. Your computer should show that they chose avoidance.
Schedule the meeting with that person, their lawyer (who may be an organizational lawyer), and you and, probably, no one else. Come with a memo outlining the nature of the risks due to a password being too common (dozens of ideas are given above, in this article). Hand the memo to the lawyer. The lawyer is welcome to show the memo to the person, but perhaps require that the memo stay with the lawyer or be returned to you, because it is a recipe for harm. If the person still wants the delay, ask the lawyer if the lawyer approves, because you will not grant the delay unless the lawyer approves it, by signing for it (have a form for the purpose). Ask the person for a reasonable deadline for when the password will be changed, and record that in your computer, so the proposed deadline is stored with the account information. A week may be tolerable (given the history); a month is almost certainly not. Show up again the moment the delay is over (unless the password was changed in the interim), and require that the password be changed or you’ll disable the account, because this can’t go on forever.
No delay is permanent. You retain the discretion to end the delay whenever you see fit. Say so in the written or displayed notice acknowledging the delay.
A strong case for a delay would be for a police detective (or maybe an accounting auditor) working undercover inside organized crime or a terror cell and who has an email account with the password problem, because the undercover operative probably can’t act like a city employee during a Mafia dinner without being turned into processed meat. However, if the detective meets for burgers with plumbers who actually include a police supervisor in disguise, the burger time may be ideal for changing the password.
In those cases only, let the department (e.g., the police) take responsibility for what to do, but sooner or later even the operative’s password has to be changed. You’ll already have the names of such individuals, but now you have a clue about what they do. That means the police (or whomever) will be trusting you to keep secret the names of undercover operatives whose lives are at risk even if you’re perfect with their security. You may offer to let the department triple the number of people it claims have that risk of exposure, such as by adding their janitors, but that’s only mild security. You’d have to use strong security for wherever you store the list or its components. If the police are in this situation and get annoyed at you, you could ask the police why they didn’t change passwords back when so advised or directed, but they would probably prefer not to be embarrassed about their security lapse. (If they feel embarrassed, they might yell at you. You should respond by giving firm new meaning to the phrase “stand your ground.”)
I hope it was fixed or soon will be.
Shouldn’t This Be a Secret?
Going public has a reason. I acted to protect the security of the mismanaged system I identified above as well as that of other people and organizations I never even heard about. The security flaw reporting procedure I used is one that’s been conventionally used for years.
First, I wrote privately to responsible people who could do something about it. Then, I waited months. No answer came. Maybe Covid-19 responses (like working at home) got in the way, but we need to balance the conflicting interests between waiting for action before announcing the problem and telling others who may be similarly affected. I think I waited long enough, especially since no answer of any kind came for any of my five letters.
I went over and above what the convention calls for. When I wrote to the City government, I wrote letters, so they’d get more attention than emails might, and I wrote to five people, so if one misplaced the letter five hardly would have. I wrote to a person in charge of computer security, a person in charge of computer services generally, the Mayor, a principal attorney for the city, and, later, the police chief, all in –. No one answered. Not even their staff answered. Not even with boilerplate, and maybe there’s a reason they didn’t answer. By the time I’m starting to draft this article, in , enough time has passed for them either to have solved the problem or to have decided that it wasn’t a problem worth solving and they wouldn’t mind too much if it’s made public. Or maybe they want to solve the problem but need more resources in order to do it, and, by drawing public attention to it, I’ll be doing a public service.
To be persuasive, it’s often necessary to give a real-life example of what not to do. Los Angeles gives that example. The time to make it public has come.