Alleged Russian spies make huge mistake in basic computer security and write down password to secret communication program.
It's not the kind of mistake one would expect spies to make, but apparently even secret agents don't like remembering long computer passwords. And sometimes, they write them down.
In late June, 11 people were arrested and accused of being part of a Russian spy ring operating in the United State. The arrests were the culmination of a years-long FBI investigation.
The spy who wrote down the password
According to the criminal complaints filed against the individuals, the FBI performed a covert search on Hoboken, NJ apartment rented by two of the accused in July 2005. During the search, agents made copies of several "password-protected" computer disks. The disks reportedly contained a steganography program--an application that lets you conceal data within a computer file, such as hiding a text file within an image. The alleged spies would communicate with individuals inside the Russian Federation by posting images containing hidden information to publicly accessible websites. The disks containing the steganogrphy program were protected by a 27-character password.
You would think that trained spies would know better than to write down the password for such important information, but you would be wrong. According to the complaint:
"During the 2005 New Jersey Search, law-enforcement agents observed and photographed a piece of paper; the paper said "alt," "control," and "e," and set forth a string of 27 characters. Using these 27 characters as a password, technicians have been able successfully to access a software program ("Steganography Program") stored on those copies of the Password-Protected Disks that were recovered during the 2005 New Jersey Search and at subsequent searches of the New Jersey Conspirators' residence."
Protecting your passwords
I'm generally not a fan of writing passwords down, but if you're going to do it at least store the paper in a secure location. Or better yet, store the password in a file protected by strong encryption or use a password vault program, like Password Safe, LastPass, or even OS X's Keychain.
Assuming that this entire affair isn't an elaborate feint by Russian intelligence agencies, it's clear that a few of the accused should have read the following TechRepublic articles on common-sense password security:
- Tips to help users remember their password
- Securing end users' pesky password problems
- Get increased password protection on the iPhone
- LastPass: Is it the password manager for you?
- Five features of a good password manager
- Fight back against bad password policy
- Use the Firefox password manager
- Help consulting clients create strong password policies
- Prosecutors: Russian Spy Ring Suspect Confessed (CBS News)
- Plenty of Questions Unanswered in Spy Case View Photo (CBS News)
- Suspect In Russian Spy Ring Vanishes In Cyprus (CBS News)
- Russian Spy Ring (2010) (The New York Times)