The website for several years issued randomly generated passwords, which were unlikely to be resued The disclosure of 2,000 usernames and passwords by the hacking collective Anonymous against a San Francisco transportation website could have been more damaging, according to a doctoral candidate at the University of Cambridge.Joseph Bonneau, who is working on a thesis on password security, analyzed the disclosed passwords and found that more than 1,300 were randomly generated when users signed up for accounts at myBART, a marketing site for Bay Area Rapid Transit (BART).Between 2001 until 2006, myBART did not allow users to change passwords, which consisted of two digits plus up to eight lower-case characters, Bonneau said in an interview. That was good, since users were unlikely to reuse the randomly generated passwords on other accounts, such as e-mail or social networking services.It’s not uncommon for people to use the same password across a range of websites. Security experts generally advise against it, since if the password is compromised, a variety of data could be obtained by hackers by trying out the password on other sites. In the case of myBART, which was a marketing site, the accounts that were compromised aren’t valuable.“There’s no interest for criminals or even people who want to do vandalism in the myBART account, but if you can try those passwords and e-mail addresses elsewhere, you can get interesting accounts,” Bonneau said. It’s rare for websites to mandate randomly generated passwords. Bonneau and a colleague, Sren Preibusch, conducted a survey in 2010 of password practices across some 150 popular websites. Only one issued a randomly generated passwords.MyBART e-mailed the passwords to users, which may be fine for accounts that aren’t that important or infrequently accessed since users can look the password up if they forget, Bonneau said. But the website stored the passwords unhashed in its database — considered to be an unsound security practice — which eventually led to exposure by Anonymous.Anonymous attacked myBART after the transportation agency on Aug. 11 shut off mobile-phone service to hundreds of thousands of commuters to thwart a planned protest over two fatal shootings by its police force.Just a few days later, Anonymous struck BART again, publicly posting names, home addresses, e-mail addresses and passwords of 102 BART police officers.Send news tips and comments to jeremy_kirk@idg.com Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe