Cybersecurity

29/06/2023

More than twelve years ago, on April 27, 2011, I was in Rome to attend a meeting for a European project. I bought a bus ticket from the airport to the city center for four euros. In order to do so, I had to create an account at Terravision.eu. Back then, nobody really cared much about digital security. You simply requested an account and would receive an email containing the combination of your user name and password in plain text. I still have the email with that password. It’s “2yp6yq2f”.

A few months ago, I received an email from one of our security officers. They were panicking because apparently, there had been a password leak at Terravision and my email address was among the leaked data. It was the first time I had received such a panicked email from TU/e and I almost didn’t take it seriously. After all, it’s quite common to get emails telling you to quickly log in somewhere to change your password, and you should always ignore those. This particular email recommended that I change my password at Terravision, but it also demanded that I change my TU/e password within a week.

It turned out that there was no real reason to panic, because the data breach in question was not that serious at all. Anyone who has ever checked the Have I Been Pwned website knows that data breaches occur on a regular basis. In this case no passwords were leaked, only salted hashes of passwords. That nuance is explained in the news item (only in Dutch) on the security.nl website, but the TU/e mail omits it altogether. It’s an important detail, though, because it’s significantly harder to hack an account when you only have a password’s salted hash than when you know the password itself.

It’s worrisome that TU/e apparently assumes that people reuse their passwords. The 12-year-old Terravision password still worked (it doesn’t anymore), but I requested that the account be deleted anyway. I also changed my TU/e password, which was not really necessary, but the system demanded it. It’s surprising to see in how many places that password is used: on your phone, on your home computer, and so on.
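To make the difference between the two breach scenarios above concrete, here is an added example (not code from the column or from any of the sites mentioned) contrasting the plaintext-in-an-email scheme with salted hashing, and showing why a reused password matters only once the plaintext itself is known. The iteration count, salt size, record format and sample passwords are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example; real sites choose their own.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The 2011-style scheme: the stored (and emailed) record *is* the password."""
    return password


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256.

    The record contains the salt and the derived key, never the password, so
    two users with the same password get two different records.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_salted_hash(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def leaked_record_logs_in(record: str) -> bool:
    """A leaked salted-hash record cannot simply be replayed as the password."""
    return verify_salted_hash(record, record)


def reuse_exposure(leaked_site_record: str, other_site_record: str) -> bool:
    """Password reuse only bites once a site's *plaintext* record leaks:
    the plaintext from site A is tried directly against site B's record."""
    return verify_salted_hash(other_site_record, leaked_site_record)
```

Because `store_salted_hash` draws a fresh salt each time, storing the same password twice yields two different records; verification still works because the salt travels with the record.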

I’m writing this column from Lisbon, where I’m attending the annual Petri Nets conference. Uber was the easiest option to get to my hotel from the airport: less than half the price of a cab and five times faster than taking the bus. Once again, I had to create an account, because I hadn’t used Uber before. Let’s just hope that there aren’t any more data breaches on the horizon.