The Astros and Password Hygiene

Earlier this week, the New York Times reported on the FBI investigation of the Houston Astros’ compromised database and the current suspicion that the culprits are none other than the St. Louis Cardinals. The hacking of Houston’s proprietary in-house information sharing system, called Ground Control, caused major waves last year when Deadspin published excerpts from the Astros’ internal discussions about players and trade negotiations. The Astros ended up with some egg on their faces, and Jeff Luhnow was quoted as saying he was avoiding electronic communication during the early days of the known leak for fear that the Astros’ systems remained unsecured.

What is so shocking about the (alleged) penetration of the Astros’ systems by members of the Cardinals’ front office is that it does not appear to have been a high-tech hack: according to the NYT, the likely intrusion vector was the Astros’ general manager Jeff Luhnow’s own user credentials, which reused the same password he had formerly used to access the Cardinals’ own proprietary system (codenamed Redbird) when he worked there.

Targeting the credentials of users who reuse the same password across multiple systems is a popular method of hacking. A surprising number of smart, highly placed individuals (like Luhnow) don’t perceive the risk they take by using the same password across multiple accounts. Attackers look for sites and apps with poor password security, steal the passwords from those less-secure places, and then test those passwords against higher-security systems. Examples of poor password security practices include storing passwords in plain text in the database, storing them with reversible encryption rather than a one-way hash (from which the original password can’t be recovered), or using a cheap, fast hash that can be broken by throwing computing power at the problem. (The Cardinals were allegedly able to pull Luhnow’s password out of the database, so Redbird’s passwords were likely either stored in plain text or protected with a reversible two-way encryption technique.)
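To make the three storage practices above concrete, here is an added example (not code from the original post, and not anything known about Redbird or Ground Control) that stores one constructed sample password three ways: as plain text, as an unsalted fast hash, and as a salted, slow PBKDF2 hash. The point it demonstrates is the one the paragraph makes about reuse: with the first two schemes, anyone who reads two leaked records can see that the same password is behind both, while with per-record salts the records are unrelated and the password cannot be taken back out. The iteration count is a value chosen for this demonstration, not a recommendation.

```python
"""Three ways to store a password, from worst to acceptable.

Added example. The sample passwords and the 'database' records are
constructed for this demonstration.
"""
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Chosen so this example runs in a
# fraction of a second; production deployments tune it to their hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """Worst case: anyone who can read the table can read the password."""
    return password


def store_fast_hash(password: str) -> str:
    """Unsalted, fast hash (SHA-256). Not reversible, but identical passwords
    produce identical digests for every user and every site, and a fast hash
    lets an attacker test enormous numbers of guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_slow_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 with a high iteration count.

    The stored record is 'iterations$salt$digest'. The password cannot be
    recovered from it, and the random per-record salt means two users (or two
    sites) with the same password hold unrelated records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_slow_salted_hash(password: str, record: str) -> bool:
    """Re-derive the digest from the candidate password using the salt and
    iteration count stored in the record, then compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_visible(record_a: str, record_b: str) -> bool:
    """Could someone holding two leaked records tell, without guessing, that
    the underlying passwords are identical? True for the weak schemes."""
    return record_a == record_b


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    schemes = [
        ("plaintext", store_plaintext),
        ("fast hash", store_fast_hash),
        ("salted PBKDF2", store_slow_salted_hash),
    ]
    for name, store in schemes:
        a, b = store(pw), store(pw)
        print(f"{name:14} reuse visible across two records: {same_password_visible(a, b)}")
    record = store_slow_salted_hash(pw)
    print("verify correct password:", verify_slow_salted_hash(pw, record))
    print("verify wrong password:  ", verify_slow_salted_hash("Tr0ub4dor&3", record))
```

Only the third scheme gives a defender the property the paragraph describes: a leaked table yields neither the passwords themselves nor a cheap way to confirm that a password seen in one breach is in use elsewhere.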

Reusing passwords across multiple accounts is an example of poor “password hygiene”. As email addresses become increasingly popular as usernames, it has become easier to guess one half of the username-password credentials pair for a user of a site or application. The most effective strategy for proper password hygiene is to use a unique password for every account you have and to use a password manager to securely store those credentials. I use 1Password because it works on Mac, PC, iOS, and Android and stores credentials on my own devices rather than on someone else’s server, but there are plenty of other popular solutions such as LastPass, KeePass, and Dashlane.

An additional strategy for improved security is two-factor authentication (2FA). The idea behind 2FA is that you authenticate yourself with “something you know” (your password), and “something you have” (your phone). The second part can be a text message that’s sent to you when you log in, or a special code that is generated every few seconds that you can use as a sort of second password. Those special codes are generated using a hardware device (if you’ve ever seen an RSA keychain token, that’s an example of hardware 2FA) or by a software app such as Google Authenticator or Authy. 2FA helps protect you against someone stealing your password, because unless they also have your mobile phone, they can’t get into your accounts. Many sites feature 2FA as an option, and the list continues to grow.

My last piece of advice is to rotate passwords on a regular basis. 1Password reminds me when a given password has been in use for too long, and I can go ahead and change it. (It even flags accounts that have had reported breaches, which is a great help.) If Jeff Luhnow had been rotating his password regularly, even though the Cardinals (or whoever the bad guys were) started out with his credentials, they would have lost access whenever he rotated, which helps stop the bleeding of confidential information.

If you think you’re not important enough to be hacked, it can be an ugly surprise to discover that hackers target everyone. The consequences of sloppy hygiene could be your bank account being drained, your Gmail messages or your wedding photos being deleted, or your Facebook account being seized. These things happen to “normal” people every day. The additional effort for a little bit of extra security goes a very long way. The bad guys are often looking for the easiest targets. Making yourself a little harder to attack is the first line of defense.


Well-Beered Englishman

FYI Luhnow has now given an interview to the Houston Chronicle denying the password claim.

“I absolutely know about password hygiene and best practices,” Luhnow said. “I’m certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high-tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard.”

Nathaniel Dawson

Yeah, I find it odd that so many people (including the author of this article) have assumed it was Luhnow’s passwords that were used for the breach. Nowhere in the NY Times article does it say that it was Luhnow’s password. People love to jump to conclusions.

Geoff Harcourt

Nathaniel, from the NYT article, it certainly looks like the FBI believes that Luhnow’s or another former Cardinals front office employee’s passwords were used:

Investigators believe that Cardinals personnel, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

Luhnow has denied that he used the same password since the article was submitted (I would expect him to do that whether he had changed his password or not), but the overall point about the importance of password hygiene remains.