MyBART Hack By Anonymous Could have Been Worse
The website for several years issued randomly generated passwords, which were unlikely to be resued
Wed, August 24, 2011
IDG News Service — The disclosure of 2,000 usernames and passwords by the hacking collective Anonymous against a San Francisco transportation website could have been more damaging, according to a doctoral candidate at the University of Cambridge.
Joseph Bonneau, who is working on a thesis on password security, analyzed the disclosed passwords and found that more than 1,300 were randomly generated when users signed up for accounts at myBART, a marketing site for Bay Area Rapid Transit (BART).
Between 2001 until 2006, myBART did not allow users to change passwords, which consisted of two digits plus up to eight lower-case characters, Bonneau said in an interview. That was good, since users were unlikely to reuse the randomly generated passwords on other accounts, such as e-mail or social networking services.
It's not uncommon for people to use the same password across a range of websites. Security experts generally advise against it, since if the password is compromised, a variety of data could be obtained by hackers by trying out the password on other sites.
In the case of myBART, which was a marketing site, the accounts that were compromised aren't valuable.
"There's no interest for criminals or even people who want to do vandalism in the myBART account, but if you can try those passwords and e-mail addresses elsewhere, you can get interesting accounts," Bonneau said.
It's rare for websites to mandate randomly generated passwords. Bonneau and a colleague, Sren Preibusch, conducted a survey in 2010 of password practices across some 150 popular websites. Only one issued a randomly generated passwords.
MyBART e-mailed the passwords to users, which may be fine for accounts that aren't that important or infrequently accessed since users can look the password up if they forget, Bonneau said. But the website stored the passwords unhashed in its database -- considered to be an unsound security practice -- which eventually led to exposure by Anonymous.
Anonymous attacked myBART after the transportation agency on Aug. 11 shut off mobile-phone service to hundreds of thousands of commuters to thwart a planned protest over two fatal shootings by its police force.
Just a few days later, Anonymous struck BART again, publicly posting names, home addresses, e-mail addresses and passwords of 102 BART police officers.
Send news tips and comments to firstname.lastname@example.org