Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com)

← Back to Stories (view on slashdot.org)

Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com)

Posted by msmash on Tuesday July 26, 2016 @04:00AM from the topsy-turvy-world dept.

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.

73 of 116 comments (clear)

Min score:

Reason:

Sort:

Nope. This involves active sharing and consent. by aristotle-dude · 2016-07-26 04:07 · Score: 5, Insightful

There is no "hacking" involved.

--
Jesus was a compassionate social conservative who called individuals to sin no more.
1. Re:Nope. This involves active sharing and consent. by Anonymous Coward · 2016-07-26 04:15 · Score: 2, Insightful
  
  Twitter did not consent.
  That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
  However, that doesn't make it any more illegal than me posting an email with my neighbors credentials while fixing/testing his email software.
2. Re:Nope. This involves active sharing and consent. by Anonymous Coward · 2016-07-26 04:15 · Score: 1
  
  Still not a crime based on the Computer Fraud and Abuse Act, just a possible breach of TOS.
3. Re:Nope. This involves active sharing and consent. by Anonymous Coward · 2016-07-26 04:20 · Score: 1
  
  CFAA doesn't care about consent. The second a site inserts language in their Terms of Service that users cannot share accounts, any login not from the person who owns the account in question is a violation of CFAA. Wonder why we hate that law so much?
4. Re:Nope. This involves active sharing and consent. by Opportunist · 2016-07-26 04:22 · Score: 1
  
  Gosh I hope it didn't trigger them!
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
5. Re:Nope. This involves active sharing and consent. by kheldan · 2016-07-26 04:22 · Score: 1
  
  Just have everyone who decides to share their password with him sign an agreement or waiver of some kind that spells out what it's being shared for, what he can and can't do with it (like change it and not tell them what it's changed to), the duration of his access to their Twitter account, and that they understand that at the end of the term of the agreement, it's their responsibility to change the password to something else. Any judge or jury should understand the difference (and importance) of the 'spirit of the law', and the 'letter of the law', and how the former is what applies here.
  
  --
  Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
6. Re:Nope. This involves active sharing and consent. by Opportunist · 2016-07-26 04:24 · Score: 5, Insightful
  
  But for once this insane law will hit "normal" people instead of just "computer geeks". And since people only start to think about insane laws when they have a "this could have been me!" experience, this might finally get something moving there.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
7. Re:Nope. This involves active sharing and consent. by Wycliffe · 2016-07-26 04:24 · Score: 1
  
  Twitter did not consent.
  It's likely a violation of Twitter's terms of "don't share your password" but that doesn't make it illegal or criminal.
  It's stupid to give your password out but to my knowledge not illegal even if it's the password to your bank's website.
  You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password,
  the end-user has made you the defacto authorized user of that account.
8. Re:Nope. This involves active sharing and consent. by vux984 · 2016-07-26 04:39 · Score: 5, Interesting
  
  You might even be considered an "unauthorized user" from twitter's perspective
  That is precisely what triggers the fraud and abuse act.
  
  but by giving you their password,
  the end-user has made you the defacto authorized user of that account.
  The end user is not authorized to do that, per the Terms of Service.
  Look, the point is that its is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings that the CFAA can be triggered in this way. The most recent court cases was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.
  But its close enough in a lot of ways, the twitter user, like the employee doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.
  Yes, its all kinds of stupid... but the CFAA is all kinds of stupid too.
9. Re:Nope. This involves active sharing and consent. by FatdogHaiku · 2016-07-26 04:46 · Score: 2
  
  Twitter did not consent.
  Gmail did not consent (and I SURE didn't) when a lady accepted the fB offer to "Help her find her friends" by spamming everyone she had every contacted using Gmail...
  BTW, what happens to those lists of contacts once fB has spammed them?
  I'll bet they are deleted right away to avoid any appearance of data collection on non-users! Oh, sorry, that cat has been out of the bag for so long I forgot about it...
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
10. Re:Nope. This involves active sharing and consent. by Lumpy · 2016-07-26 04:51 · Score: 1
  
  Does not matter, The morons in Congress will call it a terrorist action and put him in Gitmo for 60 years.
  This is the problem when laws are passed by dimwits that can barely tie their shoes in the morning, let alone understand something as complex as a computer or twitter.
  Here int he USA we have a major problem. WE allow the very uneducated to be the ruling class, this causes tons of laws that are absurd and applied badly.
  
  --
  Do not look at laser with remaining good eye.
11. Re:Nope. This involves active sharing and consent. by fahrbot-bot · 2016-07-26 04:58 · Score: 2
  
  Here int he USA we have a major problem. WE allow the very uneducated to be the ruling class, this causes tons of laws that are absurd and applied badly.
  Worse than that, we actively vote them into office.
  
  --
  It must have been something you assimilated. . . .
12. Re:Nope. This involves active sharing and consent. by phantomfive · 2016-07-26 06:20 · Score: 1
  
  The most recent court cases was just such an example of an authorized user sharing their password with an ex-employee.
  How did that turn out?
  
  --
  "First they came for the slanderers and i said nothing."
13. Re:Nope. This involves active sharing and consent. by Wrath0fb0b · 2016-07-26 06:45 · Score: 1
  
  This is not stupid at all. It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users. This has been a principle in UNIX since before most of us were born, and it continues to be a principle of every multi-user operating system since. There are distinct privilege levels between user and some form of super-user that has the right to authorize additional users.
  Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".
  There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.
14. Re:Nope. This involves active sharing and consent. by Zero__Kelvin · 2016-07-26 06:47 · Score: 1
  
  Twitter didn't agree to allow him to send up to 144 characters to a list of feed subscribers for the purpose of communication? Really?
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
15. Re:Nope. This involves active sharing and consent. by mysidia · 2016-07-26 07:03 · Score: 1
  
  That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
  It's also against their TOS to login using someone else's credentials, and violating the TOS in that manner may be deemed Wire Fraud under the Act, and Has been before.
  See, the Netflix case, where sharing passwords resulted in Jail time, and the Federal Appeals court upheld the password sharing as a Computer Fraud and Abuse Act violation.
16. Re:Nope. This involves active sharing and consent. by mysidia · 2016-07-26 07:09 · Score: 1
  
  You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password, the end-user has made you the defacto authorized
  This is like handing the keys to your rental car to a stranger on the street and telling them to "have at it". Chances are the rental agreement doesn't allow this, and if they're pulled over driving when you're not there, they can be jailed. Unless you're a high-ranking employee or agent of Twitter, then nothing grants you the right to authorize someone for access to Twitters' systems.
  Twitter's servers are not your property, nor is the Account you created on Twitter's systems.
  That which is not specifically authorized is unauthorized. A user can be made authorized ONLY with Twitter's consent; usually this occurs when signing up for an account. If the password sharing was specifically admonished against by Twitter, you can imply that to be the Opposite of consent.
17. Re:Nope. This involves active sharing and consent. by mysidia · 2016-07-26 07:13 · Score: 1
  
  The users who were tricked to sharing a password aren't necessarily the ones who broke the law, per se, although (I suppose) that argument could be made too, since they "Dealt in means of access" with intent.
  However, the Pop Star faces more serious trouble for phishing passwords out of followers and accessing their accounts.
18. Re:Nope. This involves active sharing and consent. by vux984 · 2016-07-26 07:42 · Score: 2
  
  This is not stupid at all.
  
  Yes, yes it IS stupid.
  
  It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users.
  But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of twiiter. (Not the legalese... but in terms of how they think about and interact with it.)
  
  Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".
  Exactly right. Its clearly your property, and your delegate has clearly exceeded his authority according to all social conventions. That would be quite the faux pas, and you'd be rightfully upset.
  
  There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.
  It doesn't automatically apply everywhere else. It applies when the property being delegated is recognized as belonging to someone else. It doesn't apply when the property being delegated is recognized as belonging to me. The legalese underneath the transaction may cement that status, but socially what matters is how we perceive the property.
  Bob's using YOUR pool. That is the social convention (and the legal reality) of the situation.
  If I give you social media account password. Am I giving you access to MY account? Or am I giving you access to a (for example) twitter account that twitter lets me use?
  Legally its probably the latter, but that's not how ANYBODY thinks about it. They think of it as THEIR OWN twitter account.
  They'll say it's 'my account'; they'll complain 'my account was hacked'... everything surrounding it is framed in that sense of ownership.
  The same way they think about their TV service, their cellular phone service, their steam account... that the account "belongs" to them, and they don't give a 2nd thought to whether their friends or guests or babysitters or whatever can watch their TV, or borrow their phone to make a call, or play some video games on my account.
  Or even their bank account. People think of that as their property too. It gives them access to their money. Its not the banks money!! It's mine. The password is also mine. I chose it, and the bank shouldn't even know what it is. etc etc.
  Yes legally, and when you get deep into it... the money is mine, but the servers are theirs. And the account is permission from them to use their servers using my chosen credential to access the money I entrusted them to hold for me... etc etc.
  But if it ever came down to it, and I wanted to give someone my bank account password for some reason, my only thought would be in terms of the risk that represents to the security of MY money. I wouldn't give a 2nd thought to whether or not I had the right to delegate access to the banks servers.
  Likewise with twitter... my only consideration in giving out my password would be the risk it represented to my 'reputation', the potential for greif to me from what they might say with it... etc.
  The notion that I would be delegating access to twitter's server infrastructure in a way analogous to Bob letting Jill use your pool...? That would NOT be a consideration at all. No normal person thinks of their twitter account in that sense. (even if technically and legally that's what it is.)
19. Re:Nope. This involves active sharing and consent. by Threni · 2016-07-26 08:33 · Score: 1
  
  No need. If you give someone your password you're letting them do what they want with your account. If you didn't want that, you shouldn't have given them your password. There's no point labouring the point with a contract. And i've no idea where you got the idea that the spirit of the law is important; that's what laws are for.
20. Re:Nope. This involves active sharing and consent. by kheldan · 2016-07-26 08:54 · Score: 1
  
  And i've no idea where you got the idea that the spirit of the law is important; that's what laws are for.
  Are you trolling? You must be, or you're hopelessly pedantic and literal. If all there was, was just the strict interpretation of the law, then the entire country would be one huge prison. Judges and juries exist in part to interpret the law and make appropriate judgements, not just mechanically apply potentially flawed, certainly imprecise text authored by potentially flawed, certainly imprecise biological brains.
  
  --
  Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
21. Re:Nope. This involves active sharing and consent. by BarbaraHudson · 2016-07-26 11:14 · Score: 1
  
  Who cares who's server the account is hosted on? Seriously - the user is authorized to use that account by Twitter. The user gives authorization to someone else for their account. End of story. Twitter should just f*ck off and die, along with all the idiots who take it so seriously.
  
  --
  "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
22. Re:Nope. This involves active sharing and consent. by vux984 · 2016-07-26 12:00 · Score: 1
  
  Using a public service like twitter isn't in the same ball park as having a private account at a company where you most likely did sign an agreement that said something like 'you will not share company secrets' your company password would be classified as a company secret.
  You are right, but that's kind of the point here -- while you and might see them as very different thing (and indeed most people do) ... the CFAA doesn't differentiate.
23. Re:Nope. This involves active sharing and consent. by Lumpy · 2016-07-26 22:27 · Score: 1
  
  Which is very telling as to the general IQ level of the american populace.
  Our public education system is breeding generations of morons.
  
  --
  Do not look at laser with remaining good eye.
24. Re:Nope. This involves active sharing and consent. by Wrath0fb0b · 2016-07-27 03:00 · Score: 1
  
  But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of twiiter.
  No one is talking about ownership of the account, if that's even a well-formed concept. It doesn't matter either way, because what we are talking about is Twitter's actual physical servers.
  Twitter has authorized everyone to connect to their servers to do certain operations (like read all tweets)
  Twitter has authorized person A to use their physical servers to do other operations (like write a tweet or a DM). To enforce this authorization, Twitter and A agree an authentication token (password, whatever).
  Twitter has not authorized person A to authorize new users to those protected operations on those servers.
  
  They'll say it's 'my account'; they'll complain 'my account was hacked'... everything surrounding it is framed in that sense of ownership.
  Indeed. And perhaps we can say that you have some ownership interest in the data present in the account and it's social status. But that ownership interest obviously doesn't extend to any sort of ownership in the server that hosts it.
  By comparison, I might own all the items in my safe deposit box at the bank. But clearly I don't own the bank, or even the bank lobby. And yet I cannot access my owned items except by using the bank's property.
  
  The notion that I would be delegating access to twitter's server infrastructure in a way analogous to Bob letting Jill use your pool...? That would NOT be a consideration at all. No normal person thinks of their twitter account in that sense. (even if technically and legally that's what it is.)
  Well, OK. Then legally a legal court of law will come to a different legal conclusion than a person with no technical or legal expertise might come to. Also, civil engineer might build a bridge differently than a normal person would. News at 11!
25. Re:Nope. This involves active sharing and consent. by vux984 · 2016-07-27 08:06 · Score: 1
  
  By comparison, I might own all the items in my safe deposit box at the bank. But clearly I don't own the bank, or even the bank lobby. And yet I cannot access my owned items except by using the bank's property.
  Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.
  
  Well, OK. Then legally a legal court of law will come to a different legal conclusion than a person with no technical or legal expertise might come to.
  Where the law varies significantly from people's expectations is where conflict arises, and the law is usually wrong or ultimately unenforceable, because society en masse simply ignores the law.
  The law ultimately is supposed to reflect and enforce the social contract, not the other way around.
  
  Also, civil engineer might build a bridge differently than a normal person would. News at 11!
  Of course. But if the normal people couldn't cross the bridge, and kept hurting themselves on it, falling off of it, etc, etc ... because it didn't conform to their expectations of how to use a bridge, then the civil engineer failed.
  The CFAA is a such a failure.
26. Re:Nope. This involves active sharing and consent. by david_thornley · 2016-07-28 06:47 · Score: 1
  
  There was a recent court decision, discussed here, which emphasized that access without following the TOS is not unauthorized access as far as the CFAA goes.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
27. Re:Nope. This involves active sharing and consent. by Wrath0fb0b · 2016-07-28 16:27 · Score: 1
  
  Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.
  I agree and I don't agree. You have the power delegate authority to add or remove items from the box. That is surely your prerogative. So if you fall ill or move to another country, surely you can delegate your rights over the box itself to Bob.
  The part where I don't agree is the idea that your authorization to Bob in any way impacts whether he is allows to use the bank lobby to access the box. Under no feasible reading of the safe-deposit-box-owner-protocol did you ever possess any authority over the bank lobby. As a consequence of not possessing those rights, you cannot delegate them to anyone.
  For instance, if Bob was previously a nuisance at the bank lobby (say, he leafleted customers with Hare Krishna materials) and they served him official trespass notice, then he cannot set foot in the bank again. You can delegate to him rights over the box all you want, he still can't use the lobby.
  
  Where the law varies significantly from people's expectations is where conflict arises, and the law is usually wrong or ultimately unenforceable, because society en masse simply ignores the law.
  Really? I'm wondering how this could be true. Most people expect cantilever bridges to be stronger than suspension bridges because they intuitively (and incorrectly) believe that materials are stronger under shear than under tension. But surely material science is not something that society has the right to "simply ignore" because it violates their expectations.
  If we let social expectations dictate bridge design (or medical practice, or ....), people would die. Instead, we have democratically accountable leaders that delegate technical decision making to people with subject domain expertise.
Why stop there? by freeze128 · 2016-07-26 04:12 · Score: 2

Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.
1. Re:Why stop there? by Coisiche · 2016-07-26 04:26 · Score: 1
  
  The fans of this Jack (whom I've never heard of) probably won't have much worth stealing. What you want to do is persuade them to get account numbers and PINs of their parents. They'd probably do it for something trivial in return, like a signed photo or, as stated, a personalized message in social media.
  And why was the password required anyway? If you have less than 50 followers on Twitter, which I assume would be the case for most people, then any mention of your @accountname stands out. Although there is a risk of missing something if you assume, like I do, that any mention is spam because they usually are.
2. Re:Why stop there? by omnichad · 2016-07-26 04:39 · Score: 2
  
  And why was the password required anyway?
  It really wasn't, since they could have granted posting privileges via OAuth without giving away the password. Don't pop stars have marketing teams to help them with technical details of this sort of thing?
3. Re:Why stop there? by thegarbz · 2016-07-26 06:39 · Score: 1
  
  Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.
  Because there's an order of magnitude difference in affect on a person. That's why you would stop there. Jack can have my Twitter login, because I don't give a shit. The same can't be said about my bank account.
Re:Clinton VP vetting was doing same by __aaclcg7560 · 2016-07-26 04:22 · Score: 3, Insightful

Vice President of the United States isn't your garden variety job. If this was an ordinary job that demanded my social media passwords, I would say, "Oh, hell no!"
On a related note, I'm still waiting for Donald Trump to release his tax returns.
Re:Um, what? It isn't that scary of a law by 93+Escort+Wagon · 2016-07-26 04:22 · Score: 4, Insightful

No, we're being trolled by a law school professor who's trying to get some media exposure - and she's being aided and abetted by some person trying to get a paid at Ars Technica.

--
#DeleteChrome
If you think Twitter is bad... by __aaclcg7560 · 2016-07-26 04:29 · Score: 2

I've worked at many Fortune 500 companies in Silicon Valley. Each one has the same policy that users aren't supposed to share or write down their passwords. As an IT support technician, I had to prevent people from telling me their passwords. It never fails that find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login. They always get mad at me when they have to change their password.
1. Re:If you think Twitter is bad... by Frosty+Piss · 2016-07-26 04:57 · Score: 3, Insightful
  
  As an IT support technician, I had to prevent people from telling me their passwords. It never fails that find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login
  So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?
  This is an honest question that should not be poo-pooed by the "leet IT Dudes" as the fallout of moron netwrok users...
  
  --
  If you want news from today, you have to come back tomorrow.
2. Re:If you think Twitter is bad... by __aaclcg7560 · 2016-07-26 05:00 · Score: 1
  
  What about when you forget to finish wiping your chin whenever you walk out of HR? Do they get mad then?
  Your question makes no sense whatsoever. I haven't stepped inside an HR department in 20+ years, as most Fortune 500 companies have outsourced HR to outside agencies.
3. Re:If you think Twitter is bad... by __aaclcg7560 · 2016-07-26 05:18 · Score: 1
  
  So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?
  That's an extremely high number of combos. Most jobs that I had only required a single password. My current job has two-factor authentication: Windows login is a PIV card with a PIN, and administrator account has a security login with a complex passwords.
4. Re:If you think Twitter is bad... by PPH · 2016-07-26 05:25 · Score: 1
  
  Most jobs
  People have passwords for things other than their job. Hopefully, they don't use the same one for their DoD job and Slashdot.
  I have 110 uid/passwords for various accounts (everything from banking to Netflix) stored safely (encrypted, pass-phrase protected) on a portable device.
  
  --
  Have gnu, will travel.
5. Re:If you think Twitter is bad... by Frosty+Piss · 2016-07-26 05:26 · Score: 1
  
  Most jobs that I had only required a single password.
  You are the exception. Many jobs require indevidual logins to many systems. I've had as many as 25, though right now it's 10. Yes, I write them down.
  
  --
  If you want news from today, you have to come back tomorrow.
6. Re:If you think Twitter is bad... by __aaclcg7560 · 2016-07-26 05:28 · Score: 1
  
  People who work at companies follow company policy - or their job is in danger.
  I never heard of anyone getting fired for abusing the password policy.
7. Re:If you think Twitter is bad... by Frosty+Piss · 2016-07-26 05:36 · Score: 1
  
  Hopefully, they don't use the same one for their DoD job and Slashdot.
  My DoD CAC pin is 123456. My Slashdot pass is a little more secure.
  
  --
  If you want news from today, you have to come back tomorrow.
8. Re:If you think Twitter is bad... by Cro+Magnon · 2016-07-26 05:42 · Score: 1
  
  I think I had one password back in 1986. Since then, I've kept getting more. They've gone down recently, with a lot of stuff accessible via Lincpass, but I've still got a whole slew of work pws for various systems. Not to mention several slews of non-work pws.
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
9. Re:If you think Twitter is bad... by __aaclcg7560 · 2016-07-26 06:13 · Score: 1
  
  Small business doesn't get someone to do each job, those are all on my list :(
  How does this relate to my comment about Fortune 500 companies where the average worker typically has a single login credential?
10. Re:If you think Twitter is bad... by gosand · 2016-07-26 06:50 · Score: 1
  
  Well, all this IT tech has done is forced the user to come up with a new password and WRITE IT DOWN ON ANOTHER POST-IT. He may think he is being clever, but what he has done is ensure that they will just do it again because it's a new password.
  What he should do is come up with a method by which they can create a secure password and write down the hint to remember it, and distribute that process to everyone. In other words, TEACH them how to do good passwords.
  1. Think of a very memorable event in your life.
  2. Come up with a password based on that event.
  3. Make it follow convention. (e.g. capitals, letters, length, etc)
  4. Make it able to be changed easily without changing the event.
  Example: My dog Daisy died in 1998
  password: DaisyRIPxx98
  Now when you have to change it in the future, you could "increment" the xx to yy, then zz, etc.
  Or you could increment the 98 to 99, 100, etc. Or better yet both.
  So next password is DaisyRIPyy99, then DaisyRIPzz00, then DaisyRIPaa01, ......
  The user can write down a hint "puppy c3" in plain sight, and without knowing the scheme, nobody would ever be able to guess it. (in this case, DaisyRIPcc03)
  
  --
  
  My beliefs do not require that you agree with them.
11. Re:If you think Twitter is bad... by Frosty+Piss · 2016-07-26 07:20 · Score: 1
  
  1. Think of a very memorable event in your life.
  2. Come up with a password based on that event.
  3. Make it follow convention. (e.g. capitals, letters, length, etc)
  4. Make it able to be changed easily without changing the event.
  Example: My dog Daisy died in 1998
  password: DaisyRIPxx98
  Nice.
  Remember that through 20 permutations associated with 20 random user accounts.
  Like I said, I write them down and secure them. No "hacker" is going to break into my office and pry open my desk. And if they do? They can have 'em, not that important, they would find out how to hack in anyway.
  
  --
  If you want news from today, you have to come back tomorrow.
12. Re:If you think Twitter is bad... by idji · 2016-07-26 08:38 · Score: 1
  
  Use a password vault like keepass, or let your browser handle it like firefox or chrome, or icloud or your iphone.
13. Re:If you think Twitter is bad... by __aaclcg7560 · 2016-07-26 10:06 · Score: 1
  
  Please explain. As I pointed out in my previous comment, I haven't stepped inside an HR office in 20+ years. I don't understand why I would have to wipe off my chin from stepping out of the HR office.
14. Re:If you think Twitter is bad... by gosand · 2016-07-27 05:26 · Score: 1
  
  True, to some degree... I only use this type of naming scheme where I am required to change my password - which is pretty much everywhere except on things that I control. Sometimes you have to deal with reality, and that means having to change your password. Is DaisyRIPyy99 harder to crack than DaisyRIPzz00? Not at all, but it is a method to help the user remember it.
  
  --
  
  My beliefs do not require that you agree with them.
15. Re:If you think Twitter is bad... by gosand · 2016-07-27 05:32 · Score: 1
  
  I am not an admin, I only need to remember my passwords. Personally, I have a less-secure "story" and a more-secure "story". So I basically have 2 variations on the story behind my passwords. That doesn't mean I have only 2 passwords of course. So even if someone cracked one of my passwords they would be able to guess my others. And I have been using the secure scheme since 1996. The password looks totally random, but I know the story behind it, and remember the variations I made. So I can write down a single letter (or number) and know what the password is.
  I think my point is that people need to THINK about their passwords, and make it unguessable yet something they can write down reminders for without compromising the guessability. Now making it 'uncrackable' is a different story completely.
  
  --
  
  My beliefs do not require that you agree with them.
b. b. b. b but, It's illegal... by bugs2squash · 2016-07-26 04:31 · Score: 1

if this is the most illegal thing young people are doing today then it seems like a good deal to me. Let the law professor talk it up as a high crime and let the kids revel in their their forbidden fun.

--
Nullius in verba
Re:Clinton VP vetting was doing same by __aaclcg7560 · 2016-07-26 04:35 · Score: 1, Offtopic

And I'm still waiting for Hillary to reveal who's all donated to the "Clinton Foundation", her secondary bank account she pretends is a charity.
Under the law, the Clinton Foundation is a charity.
https://www.501c3.org/what-is-a-501c3/
Dumb on two counts by wardrich86 · 2016-07-26 04:41 · Score: 2

1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts.

2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword
1. Re:Dumb on two counts by Registered+Coward+v2 · 2016-07-26 06:10 · Score: 1
  
  1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts. 2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword
  While I agree with your common sense approach, the law may see things differently. If Twitter decided it was an unauthorized use, as they define unauthorized based on their TOS, someone could be charged. It would be a stupid waste of time and one would hope a judge, after he or she stopped laughing, tossed the case. It does illustrate how something that would be considered normal in the physical world, i.e. I give you the key to my diary to let you write in it, could be illegal in cloud space where you don't own the diary and thus someone else controls how you may use it and who may use it.
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
2. Re:Dumb on two counts by wardrich86 · 2016-07-26 07:21 · Score: 1
  
  Likewise, if you ask me if you can punch me in the face, and I say yes, I can't press charges.
JackHack by fahrbot-bot · 2016-07-26 04:51 · Score: 1

Why he didn't go for the shorter and catchier #JackHack, we'll never know.
Saving that for when headphone jacks disappear from smartphones.

--
It must have been something you assimilated. . . .
HACKED BY 'JOHNSON' by Jeremiah+Cornelius · 2016-07-26 04:52 · Score: 1

"That's what SHE said!"

--
"Flyin' in just a sweet place,
Never been known to fail..."
Jack Johnson by doconnor · 2016-07-26 05:01 · Score: 2

I don't know any of those Jack Johnsons. The only one I know is the Futurama Presidential candidate Jack Johnson who ran against his rival and clone, John Jackson.
1. Re:Jack Johnson by magarity · 2016-07-26 05:13 · Score: 1
  
  The only Jack Johnson I know of is the boxer in The Legend of the Titanic.
Re:Legal or not, stupid for sure by Austerity+Empowers · 2016-07-26 05:02 · Score: 1

Possibly absolute lack of concern over their twitter accounts which are utterly worthless, disposable beasts.
Re:I doubt it's illegal. by PPH · 2016-07-26 05:18 · Score: 1

I create a Twitter account expressly for this purpose. I send Mr Johnson my password. I now have deniability for anything else done using this account (as long as I obfuscate other identifying details such as my IP).

--
Have gnu, will travel.
Re:Clinton VP vetting was doing same by PPH · 2016-07-26 05:31 · Score: 2

Family members? I wonder how that would go over with adult children.
"Son. I need to turn over your passwords in order to apply as Clinton's VP."
"Fuck you, dad. By the way, I'm voting for Trump."

--
Have gnu, will travel.
#JackHack by jon3k · 2016-07-26 05:46 · Score: 1

Because a "JackHack" sounds like a masturbation shortcut.
Re:Clinton VP vetting was doing same by schwit1 · 2016-07-26 05:49 · Score: 1

The OP is about the legality of sharing credentials. The legality should not change based upon a perceived justification.
Why does it have passwords at all? by gurps_npc · 2016-07-26 06:01 · Score: 1

Seriously - why do things like Twitter need a password? It's not an email account, it's not that hard to hack and no body is going to lose anything important if someone else takes their twitter account.

--
excitingthingstodo.blogspot.com
a Hacked what? by Anonymous Coward · 2016-07-26 06:23 · Score: 1

Yeah Hackedbyjohnson sounds bad but
A hacked Johnson would be way worse.
I'll let myself out.
Re:Um, what? It isn't that scary of a law by thegarbz · 2016-07-26 06:37 · Score: 1

Is a troll really a troll when they point out laws that are frequently used to abuse common sense?
Presidential response by theendlessnow · 2016-07-26 07:07 · Score: 1

Donald says email your passwords to him. Hillary says, no email, no way. Please never email anything to her... EVER.
Re:Hypothesis for the love of hypothesising? by dcollins117 · 2016-07-26 07:09 · Score: 1

Smart people would change their passwords for the duration and give him these passwords, then change back once the message is in.
Smart people would ignore the whole matter and find another means to entertain themselves.
Hacking by Anonymous Coward · 2016-07-26 08:04 · Score: 1

If TPTB say it's illegal, then it doesn't if there's a law or not, at least that's the impression I've gotten over the last decade or two.
Don't some websites work this way? by safetyinnumbers · 2016-07-26 08:38 · Score: 1

Some website services require you to provide your password to some other site to work. For example, email filtering or some finance sites.

I know that when done correctly the site provides an authentication token, but the old-style approach was to just require you to provide your mail or bank's password.
Re: Nope. This involves active sharing and consent by Khyber · 2016-07-26 09:00 · Score: 1

That means they're not educated enough regarding the modern world, and are entirely unfit for office in a modern world.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Password changes by phorm · 2016-07-26 10:08 · Score: 1

People in my company - including the non-geeks - seem to manage OK without writing them down on a postie. This is with a policy requiring passwords be changed every few months and have a certain complexity.
Sometimes you forget and need to get the password reset, but in general most people seem to be smarter than you credit them for.
If you have trouble remembering, go for something based on a phrase or a common variation for different services.