Information Security Typically, the passwords I find pose more risk to the company (i.e. Active Directory passwords, VPN passwords, etc.) than they do to the individual at fault, but this one was different. My eye was immediately drawn to one written password entry, it read:
I sound like a broken record sometimes. I get sick of hearing myself speak too. I will say it again because it is of utmost importance:
People, please STOP writing passwords down!
Here is a real-life example of a written down password that could have very easily led to over $500,000 in theft.
The Incident
I get the call all of the time. Someone calls to report (anonymously) that they have found a password written down on a laptop. As always, I initiate an investigation to determine the extent of the risk to the company I am contracted to work for. Upon arrival at the site of the laptop, I notice various passwords written down on stickers just to the right of the mouse/thumbpad.
E-TRADE: etrade.com
EXERCISE PASSWORD: 88946571335
USER ID: jdoe
PASSWORD: jdoeDoneB4d
NOTE: These user IDs and passwords have been modified for the sake of this article. The actual user IDs and passwords on the stickers were different.
Naturally, I want to find out who this person is. After searching everywhere within the company and interviewing numerous people I had run out of options. I think to myself, self “The user name and password can’t still be valid, can they?” I decide to try. I go to http://www.etrade.com/. Oh %^$*@! They are valid! Upon login, I get confronted with the “Complete View” account page.
$492,640.25 worth of risk! Now I can find the user however, which is my main motivation. Obviously the first thing to do is have the user change their password, which they did. I spent a good amount of time with the user explaining what could have happened if this information fell into the wrong hands and gave them some alternative methods for password management. I am not sure if it sunk in or not, but it felt good to help for now!
How did the laptop end up where it was?
This is the question I would be asking myself. Through investigation it was discovered that the laptop was turned in to the help desk for normal hardware rotation. The user basically sends their old laptop to the help desk for a new one, which is common every couple of years. The help desk placed the old laptop in storage then brought it out as a loaner for a contractor.
Why didn’t the help desk remove the stickers and inform Information Security personnel when the laptop was returned for recycling?
Another good question. Because sometimes people forget that information security is EVERYONES job. People need to understand what role they play because we all play one. I have found through experience that an effective training and awareness program goes a long way. Training and awareness conducted correctly could have stopped the user from writing their passwords down in the first place and may have reminded help desk to remove and report.
Conclusion
I have given this much thought over that last few days. It really bugs me when people fall victim to scams, thieves, and the like. There is no sense in making it easy for them! People write down passwords because they typically do not know of a better way to manage all of their passwords. Can we blame them? See my previous article "Passwords Part 3/3 - Password Management" for some suggestions.
In hind sight I should have not logged into the account to find the username. This poses a risk to myself. Next time I will call eTrade and inform them of the username and password found on the laptop. I hope there won't be a next time, but I would to too naive to believe so.