Earlier this week, news outlets reported on an FBI investigation alleging the St. Louis Cardinals, one of the National League’s most storied and successful clubs, hacked into the Houston Astros’ scouting system to steal information. Reports (or perhaps rumors) have also surfaced charging that current Astros General Manager Jeff Luhnow — previously an executive with the Cardinals — used “poor password practices” and continued to use the password he had with the Cardinals. Luhnow denies using poor password practices. Authorities, team hired and Major League Baseball investigators will eventually get to the bottom of this mess.
However, there is a lesson in this episode for everyone. I have blogged before about good password practices. Do not trust the system you are creating a password for or giving your information to. Any system can be hacked. If passwords are not encrypted in the website’s system using a one way algorithm (where the gobbledygook “hash” created by the algorithm cannot be converted back into your password), chances of someone figuring out your password skyrockets. Tip: if a website can tell you what your password is when you forget it — instead of resetting it — it is clearly not using a one-way algorithm. If you use the same password on multiple systems (email, banking, credit cards, etc.) like many people do since it’s easier to remember one versus many, you face the real possibility of the hacking of one system compromises all of your passwords. Try to use a password manager to create random, hard to guess passwords and to store/recall them for you.
What can you do? Two primary things. First, do not use the same password or set of passwords for every site. If your password can be found in a dictionary or is a sequence of numbers, it is a matter of time before a brute force rainbow (or dictionary) attack compromises your password. And that’s even if it is encrypted since a hacker will simply run all combination through the algorithm to match up the created hash.
Second, use multi-factor authentication. This uses something you know (like a password) along with something you have (like a smartphone). In this set-up, after you establish the multi-factor authentication scheme, each time you log in, you enter your password and then a 5 or 6 digit code is sent to your smartphone. This code is only valid for a few minutes. It can be sent by text message or using an app (Authy and Google Auth are two popular ones). You then need to enter the code on the website before it expires. Presumably, a hacker would not have your phone. Yes, it can be a pain sometimes and there are workarounds should you not have your phone with you. I use it for my important accounts (i.e. Paypal, banking, etc.).
Is multi-factor authentication fool-proof? Nothing is. Hackers could steal the data directly from the database via a trojan horse or some other phishing exercise. Security doesn’t guarantee anything. Security is about minimizing the chances of being compromised.
Had the Astros incorporated multi-factor authentication, they probably would not have been hacked even if GM Jeff Luhnow was using the same password as he did with the Cardinals.
Do you use multi-factor authentication?