Accidental Password Leaks

Password leaks can happen to anyone, and you should prepare for when it happens to you.

What happened?

On Monday morning, while I was having a conversation with a colleague over Teams, I linked him to a website to review some of my work. Shortly after, he sent me a very unusual message: CorrectHorseBatteryStaple[1]. It was immediately obvious that this was a password, oh no! As soon as I looked at it the message disappeared, but it was too late; I had already seen it.

I wrote back to tell him that I had already seen it despite his deletion, and that he needed to rotate it now. Thankfully he had already realised this, and was in the middle of logging in to change it. Since he had followed good advice and didn't use the same password in multiple places, he only had to update it on the website in question, and then he was done. Within 10 minutes he replied to confirm that the password I had seen was no longer in use.

Why did it happen?

When you click a link in a Teams message with Edge as your browser, it opens the link as expected, and it also creates a little side panel with the Teams conversation in it. This is useful when you need to respond quickly while navigating elsewhere.

In this situation, the browser had kept focus on the newly opened side panel rather than on the main page where my colleague wanted to log in, so when he copy-pasted the password from his password manager the browser dumped it into the chat window instead. Muscle memory took over and he hit return automatically, sending me the password.

What can we learn?

  1. Accidental leaks happen: Password leaks can be accidental; they are not just the work of criminals. My colleague could not have done anything more to prevent it in this situation.
  2. Security is a shared responsibility: Once a leak has happened, it affects everyone. I could have ignored the password I had been sent once he had deleted it, but security is a collective responsibility.
  3. Use unique passwords: By using unique passwords for each site, rotation is quick and painless. If my colleague had reused a single main password everywhere, and had leaked that to me, he would have spent days rotating all of his passwords on every site. By following best practices, he had very little work to do.
  4. New features bring new risks: The in-browser side-chat feature for Teams is quite new, and we didn't expect that it would keep focus[2] when opening a new window. This clash of expectations and muscle memory is what caused the leak in the first place. Be aware when you're using new features that might interact with security!