
Alleged Russian spies wrote passwords on paper

Alleged Russian spies make a huge mistake in basic computer security and write down the password to a secret communication program.

It's not the kind of mistake one would expect spies to make, but apparently even secret agents don't like remembering long computer passwords. And sometimes, they write them down.

In late June, 11 people were arrested and accused of being part of a Russian spy ring operating in the United States. The arrests were the culmination of a years-long FBI investigation.


The spy who wrote down the password

According to the criminal complaints filed against the individuals, the FBI performed a covert search of a Hoboken, NJ apartment rented by two of the accused in July 2005. During the search, agents made copies of several "password-protected" computer disks. The disks reportedly contained a steganography program--an application that lets you conceal data within a computer file, such as hiding a text file within an image. The alleged spies would communicate with individuals inside the Russian Federation by posting images containing hidden information to publicly accessible websites. The disks containing the steganography program were protected by a 27-character password.
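The complaint says nothing about how the program hid data beyond "within an image", so the following is an added illustration, not code from the article or from the program the complaint describes. It shows the simplest form of the technique, writing message bytes into the least-significant bit of each pixel of a constructed 8-bit grayscale image, the matching extraction step, and the pairs-of-values chi-square statistic that steganalysis tools use to notice that the pixel LSBs have been overwritten. The image size, the sample message, and the 0.5 verdict threshold are all assumptions for the demo; no image library is used, the "image" is a flat bytes object in row-major order.

```python
# Added example, not code from the article: minimal LSB steganography over a
# constructed grayscale image, plus the pairs-of-values check used to detect it.

WIDTH, HEIGHT = 32, 32          # constructed cover: 1024 pixels, so 1024 LSBs
LENGTH_PREFIX = 4               # payload starts with a 4-byte big-endian length


def make_cover() -> bytes:
    """Constructed smooth gradient cover; every pixel value is even (LSB = 0)."""
    return bytes(2 * (x + 2 * y) for y in range(HEIGHT) for x in range(WIDTH))


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of cover with the length-prefixed message in the pixel LSBs."""
    payload = len(message).to_bytes(LENGTH_PREFIX, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: %d bits needed, %d pixels" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length prefix from the LSBs, then that many message bytes."""
    def read(offset_bits: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset_bits + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, LENGTH_PREFIX), "big")
    if (LENGTH_PREFIX + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds image size; not a valid payload")
    return read(LENGTH_PREFIX * 8, length)


def pov_chi_square_ratio(pixels: bytes) -> float:
    """Pairs-of-values statistic, normalised by pixel count.

    LSB embedding can only move a pixel between values 2k and 2k+1, so after a
    full embedding with roughly random bits the two counts in each pair converge.
    The chi-square-style sum of (n_2k - n_2k+1)^2 / (n_2k + n_2k+1) drops as a
    result; dividing by the pixel count gives a scale-free score where 1.0 means
    every pair is completely lopsided (as in the constructed cover) and a value
    near 0 means the pairs are balanced the way LSB embedding leaves them.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
    return stat / len(pixels)


def looks_embedded(pixels: bytes, threshold: float = 0.5) -> bool:
    """Demo verdict (assumed threshold); real tools scan growing pixel prefixes."""
    return pov_chi_square_ratio(pixels) < threshold


def demo() -> dict:
    """Run embed -> extract -> detect on constructed data and return the results."""
    cover = make_cover()
    message = b"constructed sample text hidden in the demo cover image; " * 3
    message = message[: len(cover) // 8 - LENGTH_PREFIX]  # fill the cover completely
    stego = embed(cover, message)
    return {
        "message": message,
        "recovered": extract(stego),
        "cover_ratio": pov_chi_square_ratio(cover),
        "stego_ratio": pov_chi_square_ratio(stego),
        "cover_flagged": looks_embedded(cover),
        "stego_flagged": looks_embedded(stego),
    }


if __name__ == "__main__":
    r = demo()
    print("round trip ok:", r["recovered"] == r["message"])
    print("PoV ratio cover=%.3f stego=%.3f" % (r["cover_ratio"], r["stego_ratio"]))
```

The detection side is the part worth keeping in mind: the payload survives only because a bitmap tolerates arbitrary LSBs, and that same property is what the histogram test measures. A real photograph has a noisier LSB plane than this constructed gradient, so production steganalysis compares the statistic over growing prefixes of the image rather than relying on a single fixed threshold.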

You would think that trained spies would know better than to write down the password for such important information, but you would be wrong. According to the complaint:

"During the 2005 New Jersey Search, law-enforcement agents observed and photographed a piece of paper; the paper said "alt," "control," and "e," and set forth a string of 27 characters. Using these 27 characters as a password, technicians have been able successfully to access a software program ("Steganography Program") stored on those copies of the Password-Protected Disks that were recovered during the 2005 New Jersey Search and at subsequent searches of the New Jersey Conspirators' residence."

Protecting your passwords

I'm generally not a fan of writing passwords down, but if you're going to do it at least store the paper in a secure location. Or better yet, store the password in a file protected by strong encryption or use a password vault program, like Password Safe, LastPass, or even OS X's Keychain.

Assuming that this entire affair isn't an elaborate feint by Russian intelligence agencies, it's clear that a few of the accused should have read the following TechRepublic articles on common-sense password security:

More on this story from around the Web:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

53 comments
canopic@clear

I write them down, but I write them down using a code that means nothing to anyone but me. For really important pws I break into three pieces and store each coded piece in a different location.

red bandit1

What I recommend to newbies that ask is pick something easy to remember and then add a space between each letter. A short easy password becomes a long complicated password to decipher.

red bandit1

I use a private encryption method I tell nobody about, not even family.

harleycat75

I am an administrator or backup administrator of many, many different programs. Most the user IDs and passwords that I need to manage on a daily basis are easily remembered without so much as a second thought. For those that aren't used as frequently, I have hints that would only make sense to me (not the actual passwords) saved in a password protected file. Did I mention that in order to access this password protected file, you would also need to know my network credentials which contain a strong password which is never written down (not even a hint) and is also changed a minimum of every 90 days?

ostrich67

I have to maintain at least 15 different passwords and PINs, and I'm forced to change many of them every few weeks. At least half of these are on my employer's intranet, whose many sites each require their own password. I CAN'T remember them all. So I have them written down on a piece of paper which I keep in my wallet. Which is often accidentally thrown away when I need to clean out that filing cabinet under half my ass that my wallet becomes. Which means that I have to recover or get a new password for many of the sites I visit infrequently. Which means yet ANOTHER password to remember/forget.

CEL0519

I enter my passwords in a Word document, for example: If my password is kitten, then I typed k _ _ _ _ _ 10 or sometimes I run two words together.

locum

I'm astonished that so many have voted on memory as the primary. Those that state they commit to memory must only have to worry about no more than a dozen or so. Right now I'm looking at an encrypted file where I have 158 passwords for emails, routers, services, tech support, remote access, security, financials and other items. Due to security constraints and requirements none of them are the same. This doesn't even include the Active Directory (in the hundreds) or their emails. It's just not practical any more. It was different in 1990 when I only needed 3 or 4 logins but now, everything requires a login or registration. With cloud apps becoming more prevalent I see more passwords on the horizon, not less. So unless you have an eidetic memory you better figure a way to manage these. Oh... and one more thing. What happens to the enterprise if I have a stroke from too many pulled pork sandwiches, or my DB admin takes a header on his motorcycle one weekend, or the Server Admin just up and quits, taking with him his head with all those passwords in it? Single point of failure on one person? Remember, sometimes the greatest threat is from within. I don't want another San Francisco Admin incident on my hands.

Sensor Guy

I store mine in an encrypted Excel file and then I store the file in a flash padlock with a ten digit password committed to memory. I clean out windows with Webroot's Window Washer every time before and after I load the Excel file, just to make sure there aren't any work files laying around the system. I use a standalone desktop system that is never connected to the Internet for this process. When I print it out, I use old fading onion paper with a fake title and columns. That paper is stored in a locked gun safe curled inside the barrel of a 12 gauge shotgun.

shrpsam93

Most of my passwords are both stored in a vault and in my memory, while I hardly use my vault considering I am using Firefox 4 beta 1 and waiting for the addons to catch up with it. I used to have it all in my head when I was younger.

kama410

Yeah, well... Personally, I create nonsense words, i.e. freglobmactoe, that are pronounceable but which certainly do not exist in any language. Then I 1337-5p33k the characters in a fairly consistent pattern: 1337 every third char, 1337 the char at the beginning/end of each syllable, etc. Then I add capitalization based on a rule. You can't use the same rules for every password because that would make them predictable. Then I write them down on a piece of paper and stick it under my keyboard 'cause if you have physical access to my machines I'm already Jose'd!! edit: punctuation

paulscrolls

I store my passwords in an encrypted text document that is saved on a flash drive. I then store the flash drive in safe/hidden location. I also use computer generated passwords that use lower and upper case letters, numbers, and characters.

Zahra B.

I use a modified (think p2p misspellings) version of a name (of a person, a city, a celebrity, a book, a song, name it) and then write a clue that wouldn't make sense to anybody else but me. For example: I remember a subway station where I met a celebrity. If I want to remember the celebrity's name or my favorite song from him (misspelled, as mentioned above) as a password, I'll write down the subway station's name as a clue for me. Even somebody who knows me very well (and knows the story of how I met this celebrity) wouldn't know the subway station name or its significance.

fulton.dr

Sealed in an envelope secured in an appropriate safe that is mustered.

LocoLobo

thru TV & movies. I haven't read the articles on this. Were these people really Russians, sent to spy on the US? Or were they US citizens who were suborned by a Russian intelligence officer? I suspect most spying is done by the latter. Spies? Yes. Trained Spies? Not so much.

jdclyde

used to work for a place that made concrete pipes, so my phrase was "We Lay Big Pipe Here At ####### Corp 55" because I had five routers at five locations. Of course if someone asked all they knew was Wlbpha#c55

GSG

I think this is a great example of password management getting out of hand. OK, so they are (allegedly) spies, so they want a complex password. However, you get to the point of diminishing returns where your password gets so complex that you just can't remember it, and you HAVE to write it down. Same thing happens when you force too many password changes. Of course, they could have used IAmARussianSpyNyahNyah! I think they'd have remembered that one.

Bill Detwiler

It's not the kind of mistake one would expect spies to make, but apparently even secret agents don't like remembering long computer passwords. And sometimes, they write them down. According to the criminal complaints filed against 11 accused Russian spies, law enforcement officials found a 27-character password to a secret communication program written on a piece of paper in a Hoboken, NJ apartment. If you're going to write your passwords down at least store the paper in a secure location. Or better yet, store the password in a file protected by strong encryption or use a password manager or vault program. How do you protect your most important passwords? Read more about the case and take the poll: http://blogs.techrepublic.com.com/itdojo/?p=1888

dariquew

If you choose a password that has a good base (something that no amount of logic and guessing can reproduce) then you can have several varieties of the password. I am an Army Veteran and besides my 50 or so pleasure passwords, I had to change my AKO regularly. The characters and numbers were randomly varied. But I see your point. It's hard to remember a million totally different passwords.

ian

I pick a word, usually a place name, and jumble in a certain sequence. For instance if I used Dallas as the prime word and took every fourth letter 7 times (07 being the month) the result would be 407laslasl. Staying on the subject of passwords - but for credit cards, a 16 digit credit card number has 1,048,576 permutations for a 4 digit pin. There is never a need to write pin numbers down. On the subject of spies, we shouldn't be so arrogant as to think only other countries make mistakes, they are just the ones we hear about. Am I right?

AnsuGisalas

Either the evil maid... Or the iron-fisted IT-security op with a post-it detector. Unless you work from home... but then there are burglars. You should consider keeping lock and key apart, it's a well-known measure that would add mountains to your security landscape. People come here asking for passwords all the time, so obviously hardware moves around without its owners a lot. But seriously... you go through all those hoops, and then you write down the compiled password? Why not, at the very least, the uncompiled one?

JamesRL

But at least one I saw was neither Russian nor American born - from Brazil. One of the neighbours in Boston said the person told them they were from Canada but the neighbour commented they knew that wasn't right, but they couldn't place the accent. The latest news is that Russia is offering a spy swap to have all of those spies returned to Russia, but at least one of them, the one born in South America, might not want to go according to her family and lawyer. James

Al_nyc

I find that a long password can be committed to memory after using it for a while. What I find to be a real problem is when dumb administrators force you to change your password every X number of days. That's just plain stupid and leads to this type of stupid mistake where users write down passwords. Forcing users to change passwords regularly leads to one of two things. The user will either use an easily guessed password or write it down within 5 feet of their keyboard.

Plant Doctor

When I am asked how to remember a password I suggest a person write code and stick it under their keyboard. For example if you write Jones#55! for your mother being 55, the REAL password would come back to you as her middle name of Barbara#55! I personally am a paramedic and I have used epi@1 to stand for epinephrine@1MG. That would be confusing to most people. How about RDH-12456 for a girl friends birthday; the real password is RobinAnne-62451 which is her real birthday. It beats letting users write the actual password down. Just make it confusing to most people.

Juanita Marquez

the password-protected disks were labeled "Super Secret Spy Stuff" too?

CharlieSpencer

Everyone knows Russian spies use "MakeTrouble4Moose&Squirrel"

seanferd

I'm going to use it for everything now. ;)

rjocius

IronKey: As far as password protection I don't know if there is anything better, more secure and convenient

husserl

Currently kept in a PINs 4.50.0.86 (http://www.mirekw.com/winfreeware/pins.html) file (448 bit Blowfish encoding), in a TrueCrypt container (there is of course a 'sploit here), behind layered security. The passwords to access the PINs and TC are difficult occasionally even for me, and sometimes I have to make four or so attempts. This varies with the keyboard and angle, but I'm a touch typist so this is not too much of a trial.

clarkcomputer

I have a text file of hints to jog my memory that would mean nothing to someone reading it. For example: river + yr. That is the name of a river near where I lived in another country in another language and the 2-digit year I lived there. BTW - knowing another language or more than one is very helpful in creating secure passwords.

psharer4062

I use special characters like 3 @ 7 $ for different letters of the alphabet. It also meets complexity requirements.

karumi-chan

When I was young I was fascinated with Japanese handwriting, so I made up my own alphabet with random symbols. I used it to write names of my crushes and I taught my best friend how to write it; we used it so much when we talked about secret stuff, that's why I remember it until now. I write my passwords using the alphabet I made up on the calendar on my desk! ;)

ChipMicro

Not delving into the problem of some systems allowing unlimited (virtually) attempts to log in by default, on our enterprise server side we have accounts set to allow three failed logon attempts, then require human intervention from the security team. So, you can post a reminder on a Post-It (as long as it's not the password itself), or even a root, to which you add your initials or some other thing at a random location, and never fear a dictionary attack, while remembering your password, even if you have to change it every so often (add the initials anywhere, just make it the same place regardless of the root). Should someone try to guess your PW based on your root and given the PW parameters we use, a couple of us were crunching numbers and you'd have a 1:2,901,650,853,888 chance of dictionary-hacking it within 3 tries. Best of luck...

JPatrickF

I always come up with pass-phrases and use the first letter of each word and use capitals numbers and symbols where appropriate. You get complex non-word passwords that you can always remember simply by repeating the phrase in your head. Example: "I need to get into this file and edit something" becomes "In2gitf&es".

itachisxeyes

Most of the time I actually just commit them to memory; after using it a few times it just becomes muscle memory, XD but sometimes when I do write them down I hide them in my himitsu-bako. Though this is rare, usually they are only ever in my head.

AnsuGisalas

God sakes... the Soviets had it down pat. They'd have a book, and they'd have a sequence of numbers, and the numbers would correspond (going through hoops) to pages, lines, characters, and they'd go to their book and get the info. It's not like the Soviet Union did a lot of things right, would it be so terrible to preserve those, instead of the cliquish power distribution?

Dave51

Does this all mean I have to change my passwords from ******** oops ;)

otaku_lord

TrueCrypt if stored on my computer or an IronKey encrypted USB drive if used on public systems.

Sensor Guy

I have about 218 IDs and passwords I have to keep track of, some are for business systems and functions and some personal. The biggest problem is the variance of rules between the various systems, some require only numeric (most PINs), some don't allow capital letters or special characters, some are a minimum of 6 characters but others require 20 characters. Just change management is a nightmare. Some change every 6 months or so, but some change every week and one I have forces a change every 72 hours. I change them all at once every six months and it takes me at least 3 hours, even when the passwords are pre-planned in the change. In some I'm only allowed one failure and then the ID is locked. I've intentionally excluded the biometric access controlled systems. For those there is another whole different set of issues!

kama410

That's for my home machines. I have too many to remember them all. Seriously, I would have to remember like ten PWs, including the kids' machines. Anyone that gets into my home and wants to know what's on my HDs isn't going to be stopped by a PW anyway. Really, though, it is probably more likely that the person running out the door with my monitor is probably going to sell it for crack anyway and doesn't care what is on the HD.

AnsuGisalas

You don't need the unbreakable password code. That's probably not even possible, depending on the final word in cryptography. What you need is Good Enough. Good Enough equals "no-one will bother", unless you're a seriously important person... important like Obama, or Osama.

kama410

...can be great fun! Back in the stone age when I worked in a call center I had a Zip disk labeled WareZ-n-pR0n that actually contained nothing but very dry boring technical info. I left it sitting on my desk in plain sight every day for months. I still wonder how many people picked it up when I went to lunch...

psharer4062

I had someone show me this one before......asfoshtmgd

boxfiddler

to spell that with a Boris and Natasha accent? :^0

AV .

Three strikes and you're out. AV

jeremial-21966916363912016372987921703527

I've always been a fan of pass-phrases, but I always type them out with full spacing and punctuation. After a couple practice rounds, typing something natural like "My name is Steve and I hate working here" becomes much more natural than one would think, especially on Monday mornings.

wolfshades

I used to use the same method. It worked for me too, until there was a span of time when I didn't try to access the site. Then, when I did, my muscle memory failed me. So frustrating, when you sit there, fingers over the keyboard and you just *know* you can type the correct sequence. But you forgot and you're forever locked out or you need a password reset. Enter eWallet.

Al_nyc

I'm glad I don't have your job. I think that managing the 6 or so I have at work is plenty.

AnsuGisalas

But maybe you're right, and nobody would bother. That doesn't explain all the "people" who come asking for password help though. To the buyer it might be worth it to rifle your HD before selling the machine onwards as parts or whatever. ID thieves usually have to do harder work than that...

wolfshades

Bearing in mind that I don't work for the company, nor do I own stocks in it (if they have any) - I'm just an average user here.... You won't need a phone for eWallet: it works on Windows machines, Palm, iPhone, iPad. You just have to sync it, with whatever device or cross devices, using a USB key or whatever. It works marginally well on the Mac. I'm using it on my iMac - it's just that you have to copy the ewallet file to the Mac, as you can't sync it normally. Otherwise, it's as functional as it is on the other platforms. Not sure if you can get a copy for Linux though; never investigated that. Good luck with whatever you can figure out for password management. Simply trying to remember a *strong* password is a little challenging - at least that's what I've found - especially when you have multiple systems that require it.

itachisxeyes

Oh yeah, I've done that once, XD fortunately it was only for some on-line thing at my old school where you could log in and check your grades. Not that I particularly went on there often! I'm not really responsible for a ton of passwords so I guess my approach is only realistic for small scale operations. But I've been thinking about setting up a 'password file' and use file permissions to make sure only root can see the file and perhaps do some kind of encryption or hashing. Because what if I do get a bigger work load and small things like an odd password just slip my mind. eWallet looks very snazzy indeed but I don't have a supported phone hahaha! I'm locked into evil BREW! I can't even develop for my own phone if I wanted to (T_T) but the safest way to do passwords is to lock a copy of the password in the safe which it's for and then burn the only other copy of the password! (I watched too much 'Get Smart' when I was younger!)