Sure, Security Is Hard, But....

by Marc Hedlund

Related link:

...this is ridiculous. The New York Times recently switched from one paid membership management system to another, and they changed the username and password of every paid account. For some reason, they've posted the system they used to choose new usernames and passwords on the Web for anyone to see. Security is certainly a difficult problem, and password management is even harder than most security problems, but it's much worse when you don't even try. If you have a paid subscription, be sure to read this.

The New York Times' Web site offers some excellent paid features, including online archive searches and crossword puzzle downloads. In the past, they used a horrible service called Qpass to manage their paid accounts. Qpass was hard to use and unreliable, and many members (myself included) complained about it frequently. Apparently the people at the Times agreed, because in March they dropped Qpass and moved to a new account management system. The new system is a big improvement in usability and reliability.

My jaw dropped, however, when I got the email from telling me how to access the new system. It read:

Now enter the following Member ID and password which we have created for you and click the "Log In" button. You will need to use this Member ID and Password to access your premium products in the future.

Member ID: marc_hedlund

Password: Your password is your Qpass User Name.

I quickly wrote them a note pointing out that usernames are easily guessable (my Qpass username was "mhedlund") and often repeated across many sites, and were often not kept as secrets (for instance, message board posts are often tagged by username). Furthermore, I wrote, I thought this message violated their privacy policy, which states:

Data Security: To prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate physical, electronic, and managerial procedures to protect the information we collect online.

I certainly wouldn't count sending password-guessing instructions to all of their users as "appropriate [...] managerial procedures." I asked if there had been some mistake, and suggested they revoke all the guessable passwords and send out new, random passwords as a stop-gap. They replied that there was no mistake and that I could always change my password if I found myself concerned about security. (And I did.) Today I noticed that the same instructions I had been emailed are available on the FAQ page, <>.

It's always disappointing when a site is negligent with security. What's a little more surprising about this case is that this is a prominent commercial site -- the New York Times is paid by each of its premium subscribers -- so you'd think (or hope) they would care more about protecting their customer's security. If I can get access to your account, I can buy articles from the New York Times' archive and have them charged to your credit card without you knowing about it (particularly, but not exclusively, if you've enabled one-click checkout on your account). That right there is the core definition of an ecommerce vulnerability, and here's one of the premier media organizations in the world making such an attack trivial.

How hard would it have been for the New York Times to send random passwords to its premium users rather than easily guessable passwords? They were already sending a customized email to each subscriber, and they already had to write a password update system. Alternatively, they could have had each subscriber choose a new password for themselves the next time they logged in. The cost of doing things much more securely instead of insecurely would have been $0.00.

If you are a premium subscriber, you should definitely change you password so that it is something hard to guess. You can change your password at <>. Information about the importance of choosing a good password can be found at <> -- yup, that's right, in an article published by the New York Times.