Slashdot Mirror


Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com)

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.

116 comments

  1. Nope. This involves active sharing and consent. by aristotle-dude · · Score: 5, Insightful

    There is no "hacking" involved.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
    1. Re:Nope. This involves active sharing and consent. by The+MAZZTer · · Score: 0

      Twitter did not consent.

    2. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 0

      If just one of these people gets an account "hacked" that uses the same password, who do you think will get blamed and possibly sued?

    3. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 2, Insightful

      Twitter did not consent.

      That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
      However, that doesn't make it any more illegal than me posting an email with my neighbor's credentials while fixing/testing his email software.

    4. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 1

      Still not a crime based on the Computer Fraud and Abuse Act, just a possible breach of TOS.

    5. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 0

      Consent and twitter EULA have nothing to do with it

      http://motherboard.vice.com/re...

    6. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 1

      CFAA doesn't care about consent. The second a site inserts language in their Terms of Service that users cannot share accounts, any login not from the person who owns the account in question is a violation of CFAA. Wonder why we hate that law so much?

    7. Re:Nope. This involves active sharing and consent. by Opportunist · · Score: 1

      Gosh I hope it didn't trigger them!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Nope. This involves active sharing and consent. by kheldan · · Score: 1

      Just have everyone who decides to share their password with him sign an agreement or waiver of some kind that spells out what it's being shared for, what he can and can't do with it (like change it and not tell them what it's changed to), the duration of his access to their Twitter account, and that they understand that at the end of the term of the agreement, it's their responsibility to change the password to something else. Any judge or jury should understand the difference (and importance) of the 'spirit of the law', and the 'letter of the law', and how the former is what applies here.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    9. Re:Nope. This involves active sharing and consent. by Opportunist · · Score: 5, Insightful

      But for once this insane law will hit "normal" people instead of just "computer geeks". And since people only start to think about insane laws when they have a "this could have been me!" experience, this might finally get something moving there.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Nope. This involves active sharing and consent. by Wycliffe · · Score: 1

      Twitter did not consent.

      It's likely a violation of Twitter's terms of "don't share your password" but that doesn't make it illegal or criminal.
      It's stupid to give your password out but to my knowledge not illegal even if it's the password to your bank's website.
      You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password,
      the end-user has made you the defacto authorized user of that account.

    11. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 5, Interesting

      You might even be considered an "unauthorized user" from twitter's perspective

      That is precisely what triggers the fraud and abuse act.

      but by giving you their password,
      the end-user has made you the defacto authorized user of that account.

      The end user is not authorized to do that, per the Terms of Service.

      Look, the point is that it is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings that the CFAA can be triggered in this way. The most recent court case was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.

      But it's close enough in a lot of ways, the twitter user, like the employee doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.

      Yes, it's all kinds of stupid... but the CFAA is all kinds of stupid too.

    12. Re:Nope. This involves active sharing and consent. by FatdogHaiku · · Score: 2

      Twitter did not consent.

      Gmail did not consent (and I SURE didn't) when a lady accepted the fB offer to "Help her find her friends" by spamming everyone she had ever contacted using Gmail...
      BTW, what happens to those lists of contacts once fB has spammed them?
      I'll bet they are deleted right away to avoid any appearance of data collection on non-users! Oh, sorry, that cat has been out of the bag for so long I forgot about it...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    13. Re:Nope. This involves active sharing and consent. by Lumpy · · Score: 1

      Does not matter. The morons in Congress will call it a terrorist action and put him in Gitmo for 60 years.

      This is the problem when laws are passed by dimwits that can barely tie their shoes in the morning, let alone understand something as complex as a computer or twitter.

      Here in the USA we have a major problem. We allow the very uneducated to be the ruling class; this causes tons of laws that are absurd and applied badly.

      --
      Do not look at laser with remaining good eye.
    14. Re:Nope. This involves active sharing and consent. by fahrbot-bot · · Score: 2

      Here in the USA we have a major problem. We allow the very uneducated to be the ruling class; this causes tons of laws that are absurd and applied badly.

      Worse than that, we actively vote them into office.

      --
      It must have been something you assimilated. . . .
    15. Re:Nope. This involves active sharing and consent. by phantomfive · · Score: 1

      The most recent court case was just such an example of an authorized user sharing their password with an ex-employee.

      How did that turn out?

      --
      "First they came for the slanderers and i said nothing."
    16. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 0

      Still not a crime based on the Computer Fraud and Abuse Act, just a possible breach of TOS.

      Nope, not a breach of the TOS. The TOS just says basically, "protect your password, and if you don't, then any fallout is on you."

    17. Re:Nope. This involves active sharing and consent. by Wrath0fb0b · · Score: 1

      This is not stupid at all. It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users. This has been a principle in UNIX since before most of us were born, and it continues to be a principle of every multi-user operating system since. There are distinct privilege levels between user and some form of super-user that has the right to authorize additional users.

      Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".

      There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.

    18. Re:Nope. This involves active sharing and consent. by Zero__Kelvin · · Score: 1

      Twitter didn't agree to allow him to send up to 144 characters to a list of feed subscribers for the purpose of communication? Really?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    19. Re:Nope. This involves active sharing and consent. by mysidia · · Score: 1

      That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.

      It's also against their TOS to login using someone else's credentials, and violating the TOS in that manner may be deemed Wire Fraud under the Act, and Has been before.

      See, the Netflix case, where sharing passwords resulted in Jail time, and the Federal Appeals court upheld the password sharing as a Computer Fraud and Abuse Act violation.

    20. Re:Nope. This involves active sharing and consent. by mysidia · · Score: 1

      You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password, the end-user has made you the defacto authorized

      This is like handing the keys to your rental car to a stranger on the street and telling them to "have at it". Chances are the rental agreement doesn't allow this, and if they're pulled over driving when you're not there, they can be jailed. Unless you're a high-ranking employee or agent of Twitter, then nothing grants you the right to authorize someone for access to Twitter's systems.

      Twitter's servers are not your property, nor is the Account you created on Twitter's systems.

      That which is not specifically authorized is unauthorized. A user can be made authorized ONLY with Twitter's consent; usually this occurs when signing up for an account. If the password sharing was specifically admonished against by Twitter, you can imply that to be the Opposite of consent.

    21. Re:Nope. This involves active sharing and consent. by mysidia · · Score: 1

      The users who were tricked into sharing a password aren't necessarily the ones who broke the law, per se, although (I suppose) that argument could be made too, since they "Dealt in means of access" with intent.

      However, the Pop Star faces more serious trouble for phishing passwords out of followers and accessing their accounts.

    22. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 2

      This is not stupid at all.

      Yes, yes it IS stupid.

      It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users.

      But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of twitter? (Not the legalese... but in terms of how they think about and interact with it.)

      Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".

      Exactly right. It's clearly your property, and your delegate has clearly exceeded his authority according to all social conventions. That would be quite the faux pas, and you'd be rightfully upset.

      There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.

      It doesn't automatically apply everywhere else. It applies when the property being delegated is recognized as belonging to someone else. It doesn't apply when the property being delegated is recognized as belonging to me. The legalese underneath the transaction may cement that status, but socially what matters is how we perceive the property.

      Bob's using YOUR pool. That is the social convention (and the legal reality) of the situation.

      If I give you my social media account password, am I giving you access to MY account? Or am I giving you access to a (for example) twitter account that twitter lets me use?

      Legally it's probably the latter, but that's not how ANYBODY thinks about it. They think of it as THEIR OWN twitter account.

      They'll say it's 'my account'; they'll complain 'my account was hacked'... everything surrounding it is framed in that sense of ownership.

      The same way they think about their TV service, their cellular phone service, their steam account... that the account "belongs" to them, and they don't give a 2nd thought to whether their friends or guests or babysitters or whatever can watch their TV, or borrow their phone to make a call, or play some video games on my account.

      Or even their bank account. People think of that as their property too. It gives them access to their money. It's not the bank's money!! It's mine. The password is also mine. I chose it, and the bank shouldn't even know what it is. etc etc.

      Yes legally, and when you get deep into it... the money is mine, but the servers are theirs. And the account is permission from them to use their servers using my chosen credential to access the money I entrusted them to hold for me... etc etc.

      But if it ever came down to it, and I wanted to give someone my bank account password for some reason, my only thought would be in terms of the risk that represents to the security of MY money. I wouldn't give a 2nd thought to whether or not I had the right to delegate access to the bank's servers.

      Likewise with twitter... my only consideration in giving out my password would be the risk it represented to my 'reputation', the potential for grief to me from what they might say with it... etc.

      The notion that I would be delegating access to twitter's server infrastructure in a way analogous to Bob letting Jill use your pool...? That would NOT be a consideration at all. No normal person thinks of their twitter account in that sense. (even if technically and legally that's what it is.)

    23. Re:Nope. This involves active sharing and consent. by Threni · · Score: 1

      No need. If you give someone your password you're letting them do what they want with your account. If you didn't want that, you shouldn't have given them your password. There's no point labouring the point with a contract. And I've no idea where you got the idea that the spirit of the law is important; that's what laws are for.

    24. Re:Nope. This involves active sharing and consent. by kheldan · · Score: 1

      And I've no idea where you got the idea that the spirit of the law is important; that's what laws are for.

      Are you trolling? You must be, or you're hopelessly pedantic and literal. If all there was, was just the strict interpretation of the law, then the entire country would be one huge prison. Judges and juries exist in part to interpret the law and make appropriate judgements, not just mechanically apply potentially flawed, certainly imprecise text authored by potentially flawed, certainly imprecise biological brains.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    25. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 0

      If it's against their TOS, the access is unauthorized. If it's unauthorized, it's illegal.

      The law is old and poorly written, even for its time.

    26. Re:Nope. This involves active sharing and consent. by BarbaraHudson · · Score: 1

      Who cares whose server the account is hosted on? Seriously - the user is authorized to use that account by Twitter. The user gives authorization to someone else for their account. End of story. Twitter should just f*ck off and die, along with all the idiots who take it so seriously.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    27. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 0

      The Twitter TOS doesn't mention anything to say you can't share your password/account. The only thing that lists anything close is a section that says you need to safeguard your password and if you don't they aren't liable for anything that occurs.

      Using a public service like twitter isn't in the same ball park as having a private account at a company where you most likely did sign an agreement that said something like 'you will not share company secrets'; your company password would be classified as a company secret. This is the same reason why Manning, Snowden and even Hillary should be prosecuted, they signed an agreement to keep the information that was given to them private and they disclosed it. Whereas reporters can argue that the information they leak deserved public attention as that information was already 'public' as it was in their hands.

    28. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 1

      Using a public service like twitter isn't in the same ball park as having a private account at a company where you most likely did sign an agreement that said something like 'you will not share company secrets'; your company password would be classified as a company secret.

      You are right, but that's kind of the point here -- while you and I might see them as very different things (and indeed most people do) ... the CFAA doesn't differentiate.

    29. Re:Nope. This involves active sharing and consent. by Lumpy · · Score: 1

      Which is very telling as to the general IQ level of the american populace.

      Our public education system is breeding generations of morons.

      --
      Do not look at laser with remaining good eye.
    30. Re:Nope. This involves active sharing and consent. by Wrath0fb0b · · Score: 1

      But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of twitter?

      No one is talking about ownership of the account, if that's even a well-formed concept. It doesn't matter either way, because what we are talking about is Twitter's actual physical servers.

      Twitter has authorized everyone to connect to their servers to do certain operations (like read all tweets)
      Twitter has authorized person A to use their physical servers to do other operations (like write a tweet or a DM). To enforce this authorization, Twitter and A agree an authentication token (password, whatever).
      Twitter has not authorized person A to authorize new users to those protected operations on those servers.

      They'll say it's 'my account'; they'll complain 'my account was hacked'... everything surrounding it is framed in that sense of ownership.

      Indeed. And perhaps we can say that you have some ownership interest in the data present in the account and its social status. But that ownership interest obviously doesn't extend to any sort of ownership in the server that hosts it.

      By comparison, I might own all the items in my safe deposit box at the bank. But clearly I don't own the bank, or even the bank lobby. And yet I cannot access my owned items except by using the bank's property.

      The notion that I would be delegating access to twitter's server infrastructure in a way analogous to Bob letting Jill use your pool...? That would NOT be a consideration at all. No normal person thinks of their twitter account in that sense. (even if technically and legally that's what it is.)

      Well, OK. Then legally a legal court of law will come to a different legal conclusion than a person with no technical or legal expertise might come to. Also, a civil engineer might build a bridge differently than a normal person would. News at 11!

    31. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 1

      By comparison, I might own all the items in my safe deposit box at the bank. But clearly I don't own the bank, or even the bank lobby. And yet I cannot access my owned items except by using the bank's property.

      Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.

      Well, OK. Then legally a legal court of law will come to a different legal conclusion than a person with no technical or legal expertise might come to.

      Where the law varies significantly from people's expectations is where conflict arises, and the law is usually wrong or ultimately unenforceable, because society en masse simply ignores the law.

      The law ultimately is supposed to reflect and enforce the social contract, not the other way around.

      Also, a civil engineer might build a bridge differently than a normal person would. News at 11!

      Of course. But if the normal people couldn't cross the bridge, and kept hurting themselves on it, falling off of it, etc, etc ... because it didn't conform to their expectations of how to use a bridge, then the civil engineer failed.

      The CFAA is such a failure.

    32. Re:Nope. This involves active sharing and consent. by david_thornley · · Score: 1

      There was a recent court decision, discussed here, which emphasized that access without following the TOS is not unauthorized access as far as the CFAA goes.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    33. Re:Nope. This involves active sharing and consent. by Wrath0fb0b · · Score: 1

      Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.

      I agree and I don't agree. You have the power to delegate authority to add or remove items from the box. That is surely your prerogative. So if you fall ill or move to another country, surely you can delegate your rights over the box itself to Bob.

      The part where I don't agree is the idea that your authorization to Bob in any way impacts whether he is allowed to use the bank lobby to access the box. Under no feasible reading of the safe-deposit-box-owner-protocol did you ever possess any authority over the bank lobby. As a consequence of not possessing those rights, you cannot delegate them to anyone.

      For instance, if Bob was previously a nuisance at the bank lobby (say, he leafleted customers with Hare Krishna materials) and they served him official trespass notice, then he cannot set foot in the bank again. You can delegate to him rights over the box all you want, he still can't use the lobby.

      Where the law varies significantly from people's expectations is where conflict arises, and the law is usually wrong or ultimately unenforceable, because society en masse simply ignores the law.

      Really? I'm wondering how this could be true. Most people expect cantilever bridges to be stronger than suspension bridges because they intuitively (and incorrectly) believe that materials are stronger under shear than under tension. But surely material science is not something that society has the right to "simply ignore" because it violates their expectations.

      If we let social expectations dictate bridge design (or medical practice, or ....), people would die. Instead, we have democratically accountable leaders that delegate technical decision making to people with subject domain expertise.

  2. Legal or not, stupid for sure by Anonymous Coward · · Score: 0

    This is absurd. Are people really doing this? What sad kind of vanity or fanaticism drives this stupidity?

    1. Re:Legal or not, stupid for sure by Anonymous Coward · · Score: 0

      Absurd? It is a twitter account. Only a twitter account. Not something that matters the least. No money involved in any way or form. The only 'bad' that can happen here is that password guy may make the account owner seem stupid - but they already consented to that so . . .

    2. Re:Legal or not, stupid for sure by Austerity+Empowers · · Score: 1

      Possibly absolute lack of concern over their twitter accounts which are utterly worthless, disposable beasts.

  3. Um, what? It isn't that scary of a law by Anonymous Coward · · Score: 0

    It sounds like authorization is being granted. Unless it can be proven that the account was hacked prior and that hacker sent him the password. I believe we are being trolled by masturbating lawyers. They should just post to pornhub....

    1. Re:Um, what? It isn't that scary of a law by 93+Escort+Wagon · · Score: 4, Insightful

      No, we're being trolled by a law school professor who's trying to get some media exposure - and she's being aided and abetted by some person trying to get paid at Ars Technica.

      --
      #DeleteChrome
    2. Re:Um, what? It isn't that scary of a law by thegarbz · · Score: 1

      Is a troll really a troll when they point out laws that are frequently used to abuse common sense?

  4. Why stop there? by freeze128 · · Score: 2

    Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.

    1. Re:Why stop there? by Coisiche · · Score: 1

      The fans of this Jack (whom I've never heard of) probably won't have much worth stealing. What you want to do is persuade them to get account numbers and PINs of their parents. They'd probably do it for something trivial in return, like a signed photo or, as stated, a personalized message in social media.

      And why was the password required anyway? If you have less than 50 followers on Twitter, which I assume would be the case for most people, then any mention of your @accountname stands out. Although there is a risk of missing something if you assume, like I do, that any mention is spam because they usually are.

    2. Re:Why stop there? by omnichad · · Score: 2

      And why was the password required anyway?

      It really wasn't, since they could have granted posting privileges via OAuth without giving away the password. Don't pop stars have marketing teams to help them with technical details of this sort of thing?

    3. Re:Why stop there? by thegarbz · · Score: 1

      Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.

      Because there's an order of magnitude difference in effect on a person. That's why you would stop there. Jack can have my Twitter login, because I don't give a shit. The same can't be said about my bank account.

  5. They're all sharing a "digital needle" by Anonymous Coward · · Score: 0

    and the moment it gets leaked that Jack Johnson has "digital AIDS," Darwin gets to say "I told you so" once again.

  6. Clinton VP vetting was doing same by schwit1 · · Score: 0, Offtopic
    1. Re:Clinton VP vetting was doing same by __aaclcg7560 · · Score: 3, Insightful

      Vice President of the United States isn't your garden variety job. If this was an ordinary job that demanded my social media passwords, I would say, "Oh, hell no!"

      On a related note, I'm still waiting for Donald Trump to release his tax returns.

    2. Re:Clinton VP vetting was doing same by Anonymous Coward · · Score: 0

      And I'm still waiting for Hillary to reveal who's all donated to the "Clinton Foundation", her secondary bank account she pretends is a charity.

    3. Re: Clinton VP vetting was doing same by Anonymous Coward · · Score: 0

      No sane prosecutor would prosecute that violation of the CFAA.

    4. Re:Clinton VP vetting was doing same by __aaclcg7560 · · Score: 1, Offtopic

      And I'm still waiting for Hillary to reveal who's all donated to the "Clinton Foundation", her secondary bank account she pretends is a charity.

      Under the law, the Clinton Foundation is a charity.

      https://www.501c3.org/what-is-a-501c3/

    5. Re:Clinton VP vetting was doing same by PPH · · Score: 2

      Family members? I wonder how that would go over with adult children.

      "Son. I need to turn over your passwords in order to apply as Clinton's VP."

      "Fuck you, dad. By the way, I'm voting for Trump."

      --
      Have gnu, will travel.
    6. Re:Clinton VP vetting was doing same by schwit1 · · Score: 1

      The OP is about the legality of sharing credentials. The legality should not change based upon a perceived justification.

    7. Re:Clinton VP vetting was doing same by Anonymous Coward · · Score: 0

      Still a violation of terms of service agreements.

    8. Re: Clinton VP vetting was doing same by Anonymous Coward · · Score: 0

      when has sanity overridden a political agenda?

  7. Hypothesis for the love of hypothesising? by Anonymous Coward · · Score: 0

    He is opening himself up for lawsuits, not just under the Computer Fraud and Abuse Act, IF/WHEN his password stash ends up with other people, or if he starts doing actual abuse to the users who shared passwords with him (like, say, post more than just what he said he'd post).

    Until that happens, besides using the word "hacked" there's no abuse or fraud going on here.

    Smart people would change their passwords for the duration and give him these passwords, then change back once the message is in. Yeah, I kid myself. Smart people. On the Internet :)

    1. Re:Hypothesis for the love of hypothesising? by dcollins117 · · Score: 1

      Smart people would change their passwords for the duration and give him these passwords, then change back once the message is in.

      Smart people would ignore the whole matter and find another means to entertain themselves.

  8. Jack Johnson? by Anonymous Coward · · Score: 0

    If my wife is away for the weekend, sure.

    Dude ought to change his name.

    1. Re: Jack Johnson? by Anonymous Coward · · Score: 0

      Woody! I wonder if he watches Woody Harrelson movies. Sorry, I didn't mean to be a dick.

  9. If you think Twitter is bad... by __aaclcg7560 · · Score: 2

    I've worked at many Fortune 500 companies in Silicon Valley. Each one has the same policy that users aren't supposed to share or write down their passwords. As an IT support technician, I had to prevent people from telling me their passwords. It never fails that I find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login. They always get mad at me when they have to change their password.

    1. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      What about when you forget to finish wiping your chin whenever you walk out of HR? Do they get mad then?

    2. Re:If you think Twitter is bad... by Frosty+Piss · · Score: 3, Insightful

      As an IT support technician, I had to prevent people from telling me their passwords. It never fails that I find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login

      So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?

      This is an honest question that should not be poo-pooed by the "leet IT Dudes" as the fallout of moron network users...

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:If you think Twitter is bad... by __aaclcg7560 · · Score: 1

      What about when you forget to finish wiping your chin whenever you walk out of HR? Do they get mad then?

      Your question makes no sense whatsoever. I haven't stepped inside an HR department in 20+ years, as most Fortune 500 companies have outsourced HR to outside agencies.

    4. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      People who work at companies follow company policy - or their job is in danger. That is important to people. Break twitter rules, and only your twitter account is in danger. Might be irritating to lose an account, but lots of people do fine without twitter accounts, so . . .

    5. Re:If you think Twitter is bad... by __aaclcg7560 · · Score: 1

      So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?

      That's an extremely high number of combos. Most jobs that I had only required a single password. My current job has two-factor authentication: Windows login is a PIV card with a PIN, and administrator account has a security login with a complex password.

    6. Re:If you think Twitter is bad... by PPH · · Score: 1

      Most jobs

      People have passwords for things other than their job. Hopefully, they don't use the same one for their DoD job and Slashdot.

      I have 110 uid/passwords for various accounts (everything from banking to Netflix) stored safely (encrypted, pass-phrase protected) on a portable device.

      --
      Have gnu, will travel.
    7. Re:If you think Twitter is bad... by Frosty+Piss · · Score: 1

      Most jobs that I had only required a single password.

      You are the exception. Many jobs require individual logins to many systems. I've had as many as 25, though right now it's 10. Yes, I write them down.

      --
      If you want news from today, you have to come back tomorrow.
    8. Re:If you think Twitter is bad... by __aaclcg7560 · · Score: 1

      People who work at companies follow company policy - or their job is in danger.

      I never heard of anyone getting fired for abusing the password policy.

    9. Re:If you think Twitter is bad... by Frosty+Piss · · Score: 1

      Hopefully, they don't use the same one for their DoD job and Slashdot.

      My DoD CAC pin is 123456. My Slashdot pass is a little more secure.

      --
      If you want news from today, you have to come back tomorrow.
    10. Re:If you think Twitter is bad... by Cro+Magnon · · Score: 1

      I think I had one password back in 1986. Since then, I've kept getting more. They've gone down recently, with a lot of stuff accessible via Lincpass, but I've still got a whole slew of work pws for various systems. Not to mention several slews of non-work pws.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    11. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      computer, accounting system, buying group website, several vendors websites, IRS, IRS online pay, State tax account, State License dept, banking, MyFax, ebay, craigslist, amazon, Fedex, Merch acct, email acct, Godaddy.com. There's about 20 without trying. Small business doesn't get someone to do each job, those are all on my list :(

    12. Re:If you think Twitter is bad... by __aaclcg7560 · · Score: 1

      Small business doesn't get someone to do each job, those are all on my list :(

      How does this relate to my comment about Fortune 500 companies where the average worker typically has a single login credential?

    13. Re:If you think Twitter is bad... by gosand · · Score: 1

      Well, all this IT tech has done is forced the user to come up with a new password and WRITE IT DOWN ON ANOTHER POST-IT. He may think he is being clever, but what he has done is ensure that they will just do it again because it's a new password.

      What he should do is come up with a method by which they can create a secure password and write down the hint to remember it, and distribute that process to everyone. In other words, TEACH them how to do good passwords.

      1. Think of a very memorable event in your life.
      2. Come up with a password based on that event.
      3. Make it follow convention. (e.g. capitals, letters, length, etc)
      4. Make it able to be changed easily without changing the event.

      Example: My dog Daisy died in 1998
      password: DaisyRIPxx98

      Now when you have to change it in the future, you could "increment" the xx to yy, then zz, etc.
      Or you could increment the 98 to 99, 100, etc. Or better yet both.

      So next password is DaisyRIPyy99, then DaisyRIPzz00, then DaisyRIPaa01, ......
      The user can write down a hint "puppy c3" in plain sight, and without knowing the scheme, nobody would ever be able to guess it. (in this case, DaisyRIPcc03)

      --

      My beliefs do not require that you agree with them.
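
A check that a password-change handler could run against the rotation scheme in the comment above, flagging a new password that is only the old one with its letter and digit counters moved. This is an added example, not part of the original comment or of any product's code; the function names and the `max_step` threshold are assumptions.

```python
import re

# Maximal runs of one character class (digits, lowercase, uppercase);
# any other character becomes a token of its own.
_TOKEN = re.compile(r"[0-9]+|[a-z]+|[A-Z]+|.", re.DOTALL)


def tokens(password):
    """Split 'DaisyRIPxx98' into ['D', 'aisy', 'RIP', 'xx', '98']."""
    return _TOKEN.findall(password)


def _cyclic(a, b, modulus):
    """Shortest distance between a and b on a counter that wraps at modulus."""
    d = (b - a) % modulus
    return min(d, modulus - d)


def counter_step(old, new, max_step):
    """True if token `new` is token `old` moved by 1..max_step counter steps."""
    if re.fullmatch(r"[0-9]+", old) and re.fullmatch(r"[0-9]+", new):
        dist = abs(int(new) - int(old))              # 99 -> 100
        if len(old) == len(new):                     # 99 -> 00 wraps around
            dist = min(dist, _cyclic(int(old), int(new), 10 ** len(old)))
        return 0 < dist <= max_step
    if not (old.isascii() and new.isascii() and old.isalpha() and new.isalpha()):
        return False
    same_case = (old.islower() and new.islower()) or (old.isupper() and new.isupper())
    if not same_case or len(old) != len(new):
        return False
    # Ignore a shared prefix so 'ripxx' -> 'ripyy' is seen as 'xx' -> 'yy'.
    i = 0
    while i < len(old) and old[i] == new[i]:
        i += 1
    shifts = {(ord(n) - ord(o)) % 26 for o, n in zip(old[i:], new[i:])}
    if len(shifts) != 1:                             # letters must move together
        return False
    return 0 < _cyclic(0, shifts.pop(), 26) <= max_step


def is_incremental_variant(old_pw, new_pw, max_step=3):
    """True if new_pw is old_pw with only its counters advanced or rewound."""
    old_t, new_t = tokens(old_pw), tokens(new_pw)
    if len(old_t) != len(new_t):
        return False
    changed = [(o, n) for o, n in zip(old_t, new_t) if o != n]
    return bool(changed) and all(counter_step(o, n, max_step) for o, n in changed)


if __name__ == "__main__":
    # Constructed sample: passwords from the comment's sequence plus one unrelated value.
    current = "DaisyRIPxx98"
    for candidate in ("DaisyRIPyy99", "DaisyRIPcc03", "Tr0ub4dor&3x"):
        hit = is_incremental_variant(current, candidate, max_step=5)
        print(f"{current} -> {candidate}: {'reject' if hit else 'accept'}")
```

The comparison needs the old password in plaintext, which a change form has because the user types it in; it cannot be run against stored hashes.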

    14. Re:If you think Twitter is bad... by Frosty+Piss · · Score: 1

      1. Think of a very memorable event in your life.
      2. Come up with a password based on that event.
      3. Make it follow convention. (e.g. capitals, letters, length, etc)
      4. Make it able to be changed easily without changing the event.

      Example: My dog Daisy died in 1998
      password: DaisyRIPxx98

      Nice.

      Remember that through 20 permutations associated with 20 random user accounts.

      Like I said, I write them down and secure them. No "hacker" is going to break into my office and pry open my desk. And if they do? They can have 'em, not that important, they would find out how to hack in anyway.

      --
      If you want news from today, you have to come back tomorrow.
    15. Re:If you think Twitter is bad... by idji · · Score: 1

      Use a password vault like keepass, or let your browser handle it like firefox or chrome, or icloud or your iphone.

    16. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      Another person used the term 'password vault' but I've more commonly heard them called 'password manager'. That's exactly what they do: manage passwords.

      In Keepass' case, it can type your username/password in for you as well, it can generate random passwords, it can remind you to update passwords periodically (this is opt-in, so it's not going to bombard you with annoying notifications), etc. There's a lot of options and features at this point.

      After using Keepass for a while, I've become accustomed to not knowing any of my passwords. All of my passwords are unique and randomly generated. Everything about Keepass is opt-in, so you don't have to just jump in and start generating high entropy passwords with periodic change notifications. You can start by recording all your current passwords as they are and go from there. Putting your passwords in a password manager is a lot like writing them on post-it notes, except now when you're not looking at them or away from your desk, they'll be encrypted with AES-256.

      I was able to get my dad, who is 56 years old and not IT-savvy, to use Keepass (or other password manager...I just happen to like Keepass) and he's pretty fluent in it. If you're embedded in technology enough to have 20 different critical accounts, then it's really something you should invest the time to learn.

    17. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      Lol. WOOSH

    18. Re:If you think Twitter is bad... by __aaclcg7560 · · Score: 1

      Please explain. As I pointed out in my previous comment, I haven't stepped inside an HR office in 20+ years. I don't understand why I would have to wipe off my chin from stepping out of the HR office.

    19. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      Of course I write down passwords.

      They are on a file, protected by my login password on that machine. So I need only one password to access everything. And sure, if someone cracks that password, they can find that file. Doesn't make it any less secure than a more sophisticated single sign-on solution though.

      Unlike post-it notes, someone who stumbles into my office can't see that file.

    20. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      So next password is DaisyRIPyy99, then DaisyRIPzz00,

      Stop it. You are not supposed to have a "next" password. A "change passwords regularly policy" is the biggest security hole there is. Most people don't come up with clever schemes, and cannot remember new complicated passwords all the time. Hence a lot of very easily cracked passwords in use.

      Let people come up with a long ugly password, and stick to it for decades. Yes, decades! A password that is changed regularly gives no extra security, because a hacker only needs to guess the password that is in effect right now. The fact that you changed the password yesterday doesn't make it harder to crack today. Usually easier, because most people don't come up with lots of good passwords. (And changing passwords does not shut out those that got in guessing the previous password. Anyone serious who gets in installs a rootkit/backdoor so he won't need to keep up with your password games.)

    21. Re:If you think Twitter is bad... by Anonymous Coward · · Score: 0

      I never heard of anyone getting fired for abusing the password policy.

      Only if they set a password to "1234" and it gets abused to transfer money out of the company. Lesser abuses of password policy won't get you fired automatically - you probably are valuable to the company. But a manager who needs excuses for who to promote and who to downsize, may use things like that against you.

    22. Re:If you think Twitter is bad... by gosand · · Score: 1

      True, to some degree... I only use this type of naming scheme where I am required to change my password - which is pretty much everywhere except on things that I control. Sometimes you have to deal with reality, and that means having to change your password. Is DaisyRIPyy99 harder to crack than DaisyRIPzz00? Not at all, but it is a method to help the user remember it.

      --

      My beliefs do not require that you agree with them.

    23. Re:If you think Twitter is bad... by gosand · · Score: 1

      I am not an admin, I only need to remember my passwords. Personally, I have a less-secure "story" and a more-secure "story". So I basically have 2 variations on the story behind my passwords. That doesn't mean I have only 2 passwords of course. So even if someone cracked one of my passwords they would be able to guess my others. And I have been using the secure scheme since 1996. The password looks totally random, but I know the story behind it, and remember the variations I made. So I can write down a single letter (or number) and know what the password is.

      I think my point is that people need to THINK about their passwords, and make it unguessable yet something they can write down reminders for without compromising the guessability. Now making it 'uncrackable' is a different story completely.

      --

      My beliefs do not require that you agree with them.

  10. you've got to be kidding. by Anonymous Coward · · Score: 0

    The rank stupidity surrounding the CFAA would be humorous if it wasn't so destructive. Giving your password to someone, giving an incomplete/inaccurate name, violating a TOS, jumping onto an unsecured wi-fi, etc isn't "unauthorized access" punishable by decades in prison. The entire act should be torched, it has simply become a catchall law for prosecutors who want to prosecute someone for something and there happened to be an electronic device, ANY modern electronic device (if it "perform[s] arithmetic, logical, and storage functions" per SCOTUS) somewhere in the mix.

  11. b. b. b. b but, It's illegal... by bugs2squash · · Score: 1

    if this is the most illegal thing young people are doing today then it seems like a good deal to me. Let the law professor talk it up as a high crime and let the kids revel in their forbidden fun.

    --
    Nullius in verba
  12. I doubt it's illegal. by Anonymous Coward · · Score: 0

    I doubt it's illegal because the users are willingly sharing the passwords so anything that happens is their liability. May be legal, but anyone who consents to this is a fucking idiot.

    1. Re:I doubt it's illegal. by PPH · · Score: 1

      I create a Twitter account expressly for this purpose. I send Mr Johnson my password. I now have deniability for anything else done using this account (as long as I obfuscate other identifying details such as my IP).

      --
      Have gnu, will travel.
  13. Dumb on two counts by wardrich86 · · Score: 2

    1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts.

    2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword

    1. Re:Dumb on two counts by Registered+Coward+v2 · · Score: 1

      1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts.

      2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword

      While I agree with your common sense approach, the law may see things differently. If Twitter decided it was an unauthorized use, as they define unauthorized based on their TOS, someone could be charged. It would be a stupid waste of time and one would hope a judge, after he or she stopped laughing, tossed the case. It does illustrate how something that would be considered normal in the physical world, i.e. I give you the key to my diary to let you write in it, could be illegal in cloud space where you don't own the diary and thus someone else controls how you may use it and who may use it.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    2. Re:Dumb on two counts by wardrich86 · · Score: 1

      Likewise, if you ask me if you can punch me in the face, and I say yes, I can't press charges.

    3. Re:Dumb on two counts by Anonymous Coward · · Score: 0

      It's *your* face though. "Your" twitter account doesn't actually belong to you - it's just something twitter lets you use on their servers.

      This is more akin to letting someone else drive the company car. It's not *your* car to loan out

    4. Re:Dumb on two counts by Anonymous Coward · · Score: 0

      "the law may see things differently"

      Not "may", DOES. There is at least one actual case where someone shared a password with someone else and the person who was using that password was charged and convicted under the CFAA.

      http://fortune.com/2016/07/10/sharing-netflix-password-crime/

    5. Re:Dumb on two counts by Anonymous Coward · · Score: 0

      Just like if you ask me to shoot you in the face, and I say yes, no one can press me for murder charges? Wrong. The difference is in who is pressing the charges. If it's a federal crime, the state can press charges against you without the victim's consent. See a bunch of rape cases as examples where the ladies decided to drop the charges but the state continued anyway.

      In this case, it's against Twitter's ToS to share passwords. That's not a big deal, no federal crimes are being broken. Twitter could shut down your account, not a big deal. The big deal is when someone uses those credentials. That becomes unauthorized access to a computer system which is a federal crime. According to their ToS, you're not allowed to authorize other people to access your account. Sharing a password and actually logging in with that password are two completely different things. Sharing passwords wasn't made a federal crime. The government can decide to press charges against Johnson with or without Twitter's or the users' consent.

  14. JackHack by fahrbot-bot · · Score: 1

    Why he didn't go for the shorter and catchier #JackHack, we'll never know.

    Saving that for when headphone jacks disappear from smartphones.

    --
    It must have been something you assimilated. . . .
  15. HACKED BY 'JOHNSON' by Jeremiah+Cornelius · · Score: 1

    "That's what SHE said!"

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  16. Jack Johnson by doconnor · · Score: 2

    I don't know any of those Jack Johnsons. The only one I know is the Futurama Presidential candidate Jack Johnson who ran against his rival and clone, John Jackson.

    1. Re:Jack Johnson by magarity · · Score: 1

      The only Jack Johnson I know of is the boxer in The Legend of the Titanic.

  17. Proves 2 things by Anonymous Coward · · Score: 0

    1) Clearly the law is over broad IF it could be applied here
    2) His fans are IDIOTS.

  18. #JackHack by jon3k · · Score: 1

    Because a "JackHack" sounds like a masturbation shortcut.

  19. Why does it have passwords at all? by gurps_npc · · Score: 1

    Seriously - why do things like Twitter need a password? It's not an email account, it's not that hard to hack and nobody is going to lose anything important if someone else takes their twitter account.

    --
    excitingthingstodo.blogspot.com
  20. Re: Nope. This involves active sharing and consent by Anonymous Coward · · Score: 0

    ah but its against tos.

    you know, basically schwarz.

    unauthorized access. slammer. federal crime. the law is that stupid.

  21. a Hacked what? by Anonymous Coward · · Score: 1

    Yeah Hackedbyjohnson sounds bad but
    A hacked Johnson would be way worse.
    I'll let myself out.

  22. I Don't Get It by Anonymous Coward · · Score: 0

    Seriously, I don't get it. I understand this is supposed to be a lark, what I don't understand is, how is this a lark??

    Is it just doing something that is normally forbidden by authority figures? Will Jack Johnson (and you know it won't really be him) post some amusing Tweet from your account? Are they messing with online identities?

  23. Presidential response by theendlessnow · · Score: 1

    Donald says email your passwords to him. Hillary says, no email, no way. Please never email anything to her... EVER.

  24. Re: Nope. This involves active sharing and consent by Anonymous Coward · · Score: 0

    Name one uneducated member of Congress. Most members are over 50 which means their education predates the personal computer.

  25. Hacking by Anonymous Coward · · Score: 1

    If TPTB say it's illegal, then it doesn't matter if there's a law or not, at least that's the impression I've gotten over the last decade or two.

  26. Social Engineering is absolutely Hacking. by Anonymous Coward · · Score: 0

    Social Engineering is absolutely Hacking.

    Sheesh, the level of historical knowledge here is absolutely dreadful.

  27. Don't some websites work this way? by safetyinnumbers · · Score: 1

    Some website services require you to provide your password to some other site to work. For example, email filtering or some finance sites.

    I know that when done correctly the site provides an authentication token, but the old-style approach was to just require you to provide your mail or bank's password.

  28. Re: Nope. This involves active sharing and consent by Khyber · · Score: 1

    That means they're not educated enough regarding the modern world, and are entirely unfit for office in a modern world.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  29. Rap fans are complete idiots by Anonymous Coward · · Score: 0

    This proves it without any doubt. Rap on, you fucking morons.

  30. Password changes by phorm · · Score: 1

    People in my company - including the non-geeks - seem to manage OK without writing them down on a postie. This is with a policy requiring passwords be changed every few months and have a certain complexity.

    Sometimes you forget and need to get the password reset, but in general most people seem to be smarter than you credit them for.

    If you have trouble remembering, go for something based on a phrase or a common variation for different services.

  31. Re:HOW NOTORIOUS THOUGH by Anonymous Coward · · Score: 0

    -1 means it is important. 5 is either funny or got hit by a corporate PR service.

  32. Fucking bullshit. by Anonymous Coward · · Score: 0

    You don't hack if you are given the password.
    Jack me off mother fucker.

  33. Re: Nope. This involves active sharing and consent by Anonymous Coward · · Score: 0

    It's partially authorized.

  34. Whatever by Anonymous Coward · · Score: 0

    If the twits are handing out their passwords they deserve what they get.
