How does my company know I used duplicate passwords?
May 19, 2015 1:53 PM Subscribe
I started a new job last week, which involved registering for a bunch of different tools and services (email, internal tools, ticket tracking system, project management stuff, etc.). Since I needed access to those before I got a chance to set up a password manager, I used a couple of duplicate passwords so I could remember them (they were strong passwords, but they fit a pattern that I can remember). Shortly after I signed into a site with one of the passwords I was also using on another site, I got an email from IT saying they'd noticed I'd used duplicate passwords and to change them ASAP. How did they know?
Possibly relevant details: I have a work-issued laptop. I got the notice while I was using it on the company network. One of the sites I used my offending login on was an internally-hosted one, but I'm pretty sure the other is external. There doesn't appear to be anything resembling a keylogger installed on the laptop, but I don't recognize everything (especially since it's a relatively unfamiliar OS for me). Company culture overall is pretty permissive, so I wouldn't expect constant monitoring & tracking, but they're also (quite understandably) very serious about the security of our own data as well as our clients'.
They might also be logging hashes of what you type (to protect your privacy). So an example would be every time you type something, they record where you typed it and a hash of the last 8 characters. So when they see matching hashes in the password field of different websites, they can tell that you used duplicate passwords. Also, this way IT wouldn't know what passwords you actually used (and cannot impersonate your credentials).
posted by amaire at 1:54 PM on May 19, 2015 [3 favorites]
Or they just use a keylogger.
posted by ethidda at 1:57 PM on May 19, 2015 [1 favorite]
Why not ask them? It's clearly no secret that they're aware of your passwords.
posted by pipeski at 1:59 PM on May 19, 2015 [2 favorites]
Is it possible that the externally hosted site is using a CAS (Central Authentication Service) hosted by your own IT department (for example, my institution does this for gmail)? It is possible that your IT department administers authentication servers for all of these services and simply checks the hashes against each other periodically.
posted by NormieP at 2:14 PM on May 19, 2015
It's possible that they compared the password hashes of two internally hosted sites to determine that you used the same password on both.
It's also possible that they have some sort of administrator access to an externally hosted service, and they have passwords or hashes available there.
If the external site is SSL-enabled, and they don't have administrator rights to it, then they're doing something funky, like a man-in-the-middle attack with your SSL connection or keylogging on your computer.
Until you know more, don't do ANY personal Internet transactions on your work computer or on your work network. I'd throw an enormous fit if my online banking password, SSN, etc. were getting logged into a database at work.
posted by cnc at 2:19 PM on May 19, 2015
> Is it possible that the externally hosted site is using a CAS (Central Authentication Service) hosted by your own IT department (for example, my institution does this for gmail)?
I thought about this, but it would seem to me that the entire advantage of central authentication is that you don't have separate passwords for separate sites.
posted by cnc at 2:20 PM on May 19, 2015 [1 favorite]
NormieP, if there was CAS or some other single sign on, there'd be no need to create passwords for both things. That's the point of having a single sign on system.
posted by advicepig at 2:21 PM on May 19, 2015
amaire has accurately described the practices of at least one Major Tech Firm I'm familiar with, except it's a browser extension instead of a systemwide key logger.
posted by telegraph at 2:26 PM on May 19, 2015
> Until you know more, don't do ANY personal, Internet transactions on your work computer or on your work network.
This is good advice regardless of what logging you suspect your company of doing.
posted by Apoch at 2:52 PM on May 19, 2015 [5 favorites]
> There doesn't appear to be anything resembling a keylogger installed on the laptop, but I don't recognize everything
With competent IT you couldn't tell, and there would be nothing to recognize. There are numerous ways to do this in software that are undetectable, or with a little effort in hardware, though given the symptoms that is less likely.
posted by Mitheral at 4:27 PM on May 19, 2015
> It's possible that they compared the password hashes of two internally hosted sites to determine that you used the same password on both.
Though a keylogger is not impossible, this seems to be the most likely explanation to me.
There would be a lot of logic going into getting a keylogger to report duplicate passwords in different systems, but it's a 10-line script to compare hashes against different databases. Occam's razor. A security-minded company might use a keylogger to detect if you're revealing your password to other people, e.g. via email or IM, but it seems like overkill to use one to identify this scenario.
> NormieP, if there was CAS or some other single sign on, there'd be no need to create passwords for both things.
Sure, there's no need, but there are many, many potential reasons that some systems don't get integrated into a single sign on system that don't have to do with technical possibility.
posted by zixyer at 4:44 PM on May 19, 2015 [1 favorite]
A lot of people are suggesting that it is possible that your IT department compared the hashed version of your password, but I'm not so sure. Can you clarify whether all of the tools were developed in house? From your description it sounded like there was a mix of in-house and 3rd-party systems. If my interpretation is correct, I find it unlikely all of the systems secure passwords in exactly the same way.
An additional point that may or may not be of help. Gone are the days when using a sha1 or md5 is considered secure. If any of the systems are new or security is taken seriously I would not expect the same plain text value to produce the same hash two times in a row, because the passwords are salted individually and an algorithm that requires many iterations has been used.
posted by phil at 5:16 PM on May 19, 2015 [1 favorite]
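The two answers above (zixyer's "10-line script" comparing hashes across databases, and phil's point that per-user salts defeat that comparison) can be shown side by side. This is an added illustration, not code from any poster or from any real product; the two "databases" are constructed sample data, and the names `ticketing`, `wiki` and `sso` are hypothetical systems.

```python
from __future__ import annotations
import hashlib
import os
import secrets
from typing import Optional


def md5_store(password: str) -> dict:
    """Legacy unsalted fast hash: the same password yields the same hash in every system."""
    return {"alg": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}


def pbkdf2_store(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> dict:
    """Per-user random salt plus many iterations: identical passwords give different records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"alg": "pbkdf2_sha256", "salt": salt.hex(), "rounds": rounds, "hash": dk.hex()}


def find_reuse_by_hash(db_a: dict, db_b: dict) -> list[str]:
    """The offline 'compare the databases' check: users whose stored hashes match across
    two systems. It can only work when both systems use the same unsalted algorithm."""
    return sorted(u for u in db_a.keys() & db_b.keys()
                  if db_a[u]["alg"] == db_b[u]["alg"] and db_a[u]["hash"] == db_b[u]["hash"])


def verify(record: dict, password: str) -> bool:
    """Recompute a stored record from a candidate plaintext (constant-time comparison)."""
    if record["alg"] == "md5":
        digest = hashlib.md5(password.encode()).hexdigest()
    else:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(record["salt"]), record["rounds"]).hex()
    return secrets.compare_digest(digest, record["hash"])


def reuse_at_login(username: str, submitted: str, other_dbs: list[dict]) -> list[int]:
    """What a salted system has to do instead: at the one moment the plaintext is available
    (login or password change), verify it against the user's records in the other systems.
    Returns the indexes of the systems where the same password is in use."""
    return [i for i, db in enumerate(other_dbs)
            if username in db and verify(db[username], submitted)]


# Constructed sample data: alice reused one password everywhere, bob did not.
ticketing = {"alice": md5_store("Spring2015!x"), "bob": md5_store("unique-bob-1")}
wiki = {"alice": md5_store("Spring2015!x"), "bob": md5_store("other-bob-2")}
sso = {"alice": pbkdf2_store("Spring2015!x")}
```

Comparing `ticketing` against `wiki` flags alice immediately, while comparing either against the salted `sso` store finds nothing, so a properly salted system can only catch reuse at login time.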
Checking / logging your password doesn't even require a talented or skilled IT department - it's a feature integrated into several anti-malware suites and could be enabled with a few clicks, and possibly outsourced to a third party. The bar to adding all this stuff is getting lower all the time, regardless of whether it is useful or not - but paranoia sells.
posted by meowzilla at 7:57 PM on May 19, 2015
You mention a password manager. Did you create the accounts, then start using a password manager, and then receive the email? Several group password managers (including LastPass, which my team uses) can show an admin that you are using duplicate passwords.
posted by third word on a random page at 5:23 AM on May 20, 2015 [1 favorite]
The least complex possibility is that the passwords to some of those systems are stored in plain text.
posted by mr_silver at 2:56 PM on May 20, 2015 [1 favorite]