‘Hacking’ risks with passwords
Woman robbed in Uber hack (Aug 3) contained a lot of information. But there didn’t seem to be any investigation of how Angela Brooking’s account was actually hacked.
There are only so many ways an online account password can be acquired by a ‘‘hacker’’, and it’s not that hard to work out which it probably was, based on an investigation of how Angela manages and uses her passwords.
The main options are:
1. She used a very weak password (eg top 100), so the hacker guessed it from scratch.
2. She used a moderately weak password (eg top 10000) and Uber is terrible at preventing excessive authentication attacks on one account (unlikely).
3. Uber suffered a breach of its password hash database, and Brooking used a password with fewer than 50 bits of entropy. (If you choose what you think is a ‘‘difficult’’ password that you can actually remember, it almost certainly has fewer than 50 bits of entropy.)
4. Uber stored or leaked passwords in plain text.
5. Brooking used the same password for Uber as for her other accounts (‘‘credential stuffing’’).
6. She has used her password on a computer or phone where the computer or the phone has been fully hacked.
7. Brooking chose a really strong password which was so hard to memorise that she had to write it down on a piece of paper, and a burglar came into her house and read the piece of paper.
8. She entered the password into a website from a link in an email she received (ie phishing attack).
If the explanation was one of items 1, 5, 6, 7 or 8, then the hack is mostly her fault (with the caveat that Uber did suffer a breach in 2016 that included customer emails which could be used in a phishing attack). If it was one of items 2, 3 or 4, then she would be one of very many victims, and it would be mostly Uber’s fault. Philip Dorrell, Brooklyn