Talking sense about passwords

Why is it that most news and articles about passwords lack common sense?

Case in point: ever since the news broke a couple of weeks ago of a court decision against a certain Mr Nosal in a case that was obviously (in my humble opinion) nothing less than data theft or corporate espionage, we’ve seen a flood of news stories that ‘password sharing’ is illegal. Many of the articles have used alarming headlines of the sharing of Netflix passwords as the lesson that we should learn.

Sharing Your Netflix Password Could Land You in Jail

The problem is what we commonly understand ‘sharing’ to be. Do we mean the password for your grandmother’s email account that you also know (in case she forgets it), or, yes, the Netflix that you and your girl/boy-friend both use? OR, do we mean a password that an employee with a certain clearance gives to another person who does not have that clearance (i.e. is not authorized to access the protected data or systems) with the intent to misappropriate data?

There’s a huge difference between the two, and it’s a difference of kind, not of degree! The danger of accepting the word ‘sharing’ to cover all instances of multiple people knowing a password is bad for security. Average users will be scared off from confiding in their family members, as law enforcement will be allowed – or be perceived to be allowed – to (mis)apply laws meant for actual theft to innocent circumstances.

If we accept this broader interpretation of password sharing we’ll soon begin to see the unintended consequences – mostly negative – to our overall security and privacy.

Which brings us to what set me off this morning!

Pop star tells fans to send their Twitter passwords, but it might be illegal


Jack Johnson (the little one in the picture) of the pop-rap duo “Jack and Jack” has come up with a new promotion in which he asked his followers on Twitter to send him the password to their individual Twitter accounts, and then under the dark of night (not really) sends out a tweet from their personal accounts with the hashtag #HackedByJohnson (resulting in much sighing and swooning).

Wow! – the utter social media genius (Wile E. Coyote)!

Wow! – the sheer security stupidity – on both sides.

I bet that everyone else in the entertainment industry is green with envy for not thinking of this first. (We’ll never know just how many social media managers were fired for not coming up with it for their respective superstar boss.)

Given the hypnotic hold that social media has on most of us, this is a natural next step in the ‘relationship’ that stars have with their followers. And Mr Johnson – known as @JackJ – has a lot of followers on Twitter: 3,880,184 according to a check this morning. Since yesterday, his legion of followers has grown by 7,000! (I wonder how many it was before this kerfuffle started.)

Talk about the level of commitment of his followers. This isn’t just giving an email address that he can bombard with news and products. This demonstrates the devotion that they have for him. But is this an entirely new phenomenon? Not exactly.

It’s similar to young women throwing their panties on the stage at Tom Jones concerts. Or, getting a body part signed by a favorite star, or getting a tattoo with your heartthrob’s name and logo of the band. Or, giving your hotel room key to your favorite star and hoping he or she will drop by after the concert.

Each of these was edgy in their time, but were limited because you actually had to be in the crowd of adoring fans at a concert or event to even have a chance at any of these interactions.

But twitter lets you believe that you are communicating with your favorite idol one-on-one from the privacy of your own room.

The problem, as usual, is security.

Let’s assume that Mr Johnson has only the best of intentions with his newfound access. You still have to wonder about the level of security that his team is applying to the newly gained authentication info. The guy’s attorney says that he deletes the emails the same day and that he uses 2FA to protect his own twitter account access. While that may be true, Mr Johnson is going to be on the hook if ANYTHING going wrong (hack or something leading to a breach) with any of those accounts. (I’m curious to know how many passwords he has collected this way.)

At least for now, it seems to be worth it to his brand.

The article states that legal minds are piping in that the Computer Fraud and Abuse Act – a “notorious anti-hacking statute that dates back to the 1980s” may apply to Mr Johnson’s shenanigans. Which brings us back to the sharing of passwords being illegal. The CFAA is the law – enacted before any sort of wide-spread use of passwords was even a remote possibility – that is (in my humble opinion) being misapplied to password sharing.

In fact, I don’t consider this to be password sharing. This is temporary access via a loaned password to facilitate promiscuity, adulation and self-promotion for both parties. (Note: Sticky Password does not advise sharing of passwords.)

While Mr Johnson may be reckless, there has been no suggestion that he is a hacker or that he has any bad intentions. While his fans may be misguided in terms of understanding their security and the value of their own privacy, there is no reason to think that any of them is a hacker. Nevertheless, the idea that a “notorious anti-hacking” law is being appropriately applied is off-base and scary.

If Mr Johnson and his fans are breaking rules set by Twitter (such as password sharing), then Twitter has every right to take whatever action they deem appropriate against those violating the terms of service. Why is this even something that would appear on the radar of the criminal justice system?

I suspect that Twitter doesn’t mind the violation as long as it leads to press – and they’re getting a lot of it thanks to Mr Johnson.

As for all of your passwords, a password manager is the best way to manage all of your unique ‘long and strong’ passwords. We recommend Sticky Password.