This is not a post about books. (My next review is most likely going to be about Darrin Lunde’s “The Naturalist,” which is about Teddy Roosevelt and unrelated to this.) This is a post about password security and The Odyssey.
If you’re not familiar with The Odyssey, here’s a brief description: college students from different campuses all over the country write for their particular campus’s branch. That writing is then published on the main Odyssey website. Numbers suggest that it is one of the most widely-read online sites, and that is probably because writers are encouraged to aggressively share their content on social media, including Facebook, Twitter, Tumblr, and Instagram (if they can find an attractive way to do so, since after launching the new beta site, the Odyssey does not offer easy ways to share on sites other than Facebook and Twitter). Their CEO Evan Burns espouses the belief of “democratized content,” which in some ways could be laudable, but in other ways results in articles like the one I responded to in this post and criticism found in the much shared, “An Open Letter to The Odyssey Online.” And this one. And this one. There are more, but I’ll stop there.
I wrote for the Odyssey, as noted by the tag I had for the articles I wrote on the website. I was Editor-in-Chief for my campus, as well as being EIC for a print fine arts journal (Bridge 13 out now). The most irritating thing about writing for the Odyssey wasn’t trying to figure out how to garner more shares, or convince my team that we needed to work towards the common goal of meeting minimum article counts or the general management issues that anyone who is in charge of a team of people has to face. It was, almost consistently, the content management system (which will be referred to as the CMS throughout the rest of this post). Frequently, there were issues with the CMS that led to writers not being able to put images into their listicles, or being unable to track shares correctly, or not being able to share on Facebook, and so on. The CMS was buggy throughout my entire time working with the Odyssey, even after various upgrades offered that seemed to do absolutely nothing, and according to my successor, it’s still buggy.
(Now would be an appropriate time to mention that, when the CMS would show the full staff of my team including members from corporate, the “majors” listed for the developers were “ballin out” and “cash money.” I wish I had taken screenshots, but since it also included personal information, it seems better that I hadn’t.)
Frustrated with the new beta site created and designed by, presumably, the same team of developers, Nick Swan–a writer for the team I used to be EIC for–wrote an article criticizing the new layout and the problems present within. Generally speaking, it’s clear to see that at least the beta site is not very well designed. It’s not user friendly or intuitive, and it doesn’t look good. (For more on what a good design is, please see the movie, “Helvetica.”)
I want to preface what I’m about to say by stating that I do not hate the Odyssey. I enjoyed my time with the site. Do I hate some of the articles on it? Yeah, I think a lot of user generated content can have the potential to be garbage, but that’s just a fact about the Internet in general. Some of what the Odyssey does is admirable, even if I think it misses its mark.
The CMS has been and, until it sees significant revision, may always be badly developed. Frequently, there are aspects of it which do not load, regardless of whatever browser you’re using for it. There are toggles on it that do nothing. Most of its functions are not explained to the EICs and Contributing Editors who have to use it. It glitches frequently. But that’s not my main beef. My main beef with the CMS and the guys who developed it is right in the title of this post. There are significant security issues that are presented by the CMS, and even though I’ve tweeted and reached out to the Odyssey repeatedly about it, I have heard nothing saying that anything will change–which is why I am worried, and why I am writing this.
When you sign up for a website, there are typically two things that happen regarding your password. You either create your own password from the get-go, or the website will send you a password. The latter is the case for the CMS. Generally speaking, the websites that send you passwords will send something that is randomized and one-use; that is to say, it may be a strange combination of letters and numbers that resemble the ones in a captcha code, and then after you log in for the first time using those numbers, the website will force you to change your password to something that can be easily remembered.
The Odyssey and the CMS do not do this. There is a very specific pattern for how passwords are generated by the CMS that I will not articulate here for the sake of any writers who have not changed the original passwords they were given, but I’ll explain what that means. I found it out when a writer on my team told me that they did not have an account created by the CMS. More likely, the login information they received had been either deleted or sent to junk. In any case, I thought back to the first password I had for the site, and I thought, well, this probably won’t work because there is no way in hell that a company as large as the Odyssey and with as many creators as the Odyssey and as much funding as the Odyssey would leave such an enormous safety loophole, but I tried it with her account.
I got into it.
When I suggested using a similar method to another EIC whose writer was complaining of the same thing, she was able to get into the account, too. Weird, but maybe it was a fluke. Twice might be cause for concern, but it’s not major.
Except, here’s the thing. Like I mentioned before, this is not a one-use password. Furthermore, writers are not prompted to change the password by the website, nor do these passwords seem to have an expiration date. They’re not complicated. Some people will change their passwords, which is good for them! It’s safer that way. But for most people, changing a password, especially on a site that is as difficult to figure out as the CMS can be, is not something they automatically think to do. In fact, if it’s an easy password for them to remember, they might never be bothered to change it. Why should they? They don’t know that every other person who has a new account created has a password ending in the last three digits as theirs. They don’t know how easy it is for someone who knows that formula to get into their account.
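As an added illustration of the practice described above (a random, one-use starter password that expires and forces a change on first login), not code from the Odyssey or its CMS: a minimal Python model of provisioning and login. The account fields, the 24-hour starter lifetime and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:
    email: str
    pw_hash: bytes
    salt: bytes
    must_change: bool        # True until the writer picks their own password
    expires_at: datetime = None  # set only while a starter password is in force

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def provision(email: str, now: datetime):
    starter = secrets.token_urlsafe(12)  # ~96 random bits; no pattern shared across accounts
    salt = secrets.token_bytes(16)
    # 24-hour lifetime for an unused starter password is an assumed policy.
    acct = Account(email, _hash(starter, salt), salt, True, now + timedelta(hours=24))
    return acct, starter  # starter goes to the writer out of band; only its hash is kept

def login(acct: Account, password: str, now: datetime) -> str:
    # Returns 'invalid', 'expired', 'must_change' or 'ok'.
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "invalid"
    if acct.expires_at is not None and now > acct.expires_at:
        return "expired"      # stale starter: re-provision rather than accept it
    if acct.must_change:
        return "must_change"  # the only permitted action is change_password
    return "ok"

def change_password(acct: Account, old: str, new: str, now: datetime) -> bool:
    if login(acct, old, now) not in ("ok", "must_change") or len(new) < 12:
        return False          # 12-char minimum is an assumed policy, not the site's
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(new, acct.salt)
    acct.must_change, acct.expires_at = False, None  # now a normal, non-expiring password
    return True

def demo_flow() -> list:
    t0 = datetime(2016, 10, 28, 12, 0)
    acct, starter = provision("writer@example.edu", t0)  # constructed sample address
    steps = [login(acct, starter, t0),                       # must_change
             login(acct, starter, t0 + timedelta(days=2))]   # expired if never changed
    change_password(acct, starter, "a long passphrase of my own", t0)
    steps.append(login(acct, starter, t0))                   # starter no longer works
    steps.append(login(acct, "a long passphrase of my own", t0 + timedelta(days=365)))
    return steps
```

Because the starter password is random per account and dies either on first use or after its lifetime, knowing one writer’s starter tells you nothing about anyone else’s.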
This brings us to Friday. Like some people, I waste a lot of time online. There were other things I probably could have been doing, but instead I thought to myself, “I wonder if I could get into this person’s account.” Not by hacking or anything. I don’t really know a lot about technology myself, and I wouldn’t be able to “hack into” anything if I tried. I just remembered the formula that comes with an Odyssey account, and I was bored. For the record, I didn’t think it would work. A lot of people do think to change their passwords.
Unfortunately, I was able to easily get into this particular writer’s account. That’s bad.
Let me reiterate it: I, a person with ZERO training in tech, was able to get into a writer’s account because I knew the general arrangement of passwords that the CMS spits out.
Imagine if I were a person with malicious intent. Imagine if it were an EIC’s account that I was able to get into (which, by the way, I was able to get into two, and I’ve reached out to at least one of them because I had a way to do so). On an EIC’s account, you can impersonate writers, and, even worse, you do have the ability to deactivate–or, really, delete, since there’s no way to reactivate an account besides creating a brand new one–accounts.
For a website that relies solely on content created by people who frequently do not change their passwords because they have been given zero reason to do so, this seems like a pretty big security issue. In fact, it seems like a huge problem. In an hour, I think it would be possible to deactivate every single member from at least two teams, and if those teams frequently pull in a large number of shares, that could be devastating. For one thing, it’d be a problem for the website, but for another, it’d be worse for the writers; the Odyssey is a platform that claims to give a voice to a lot of different people, and if that voice were taken away because the developers couldn’t figure out a way to randomly generate passwords for accounts (which I’ve been told by at least two people who do have training in tech and website design is not that hard, especially if you went to school for it), that would be a reason to lose trust in the website that allowed it to happen in the first place.
There’s another security issue that comes with being able to easily get into people’s accounts because the passwords are not randomly generated one-use ones, or not user generated in the first place, and it’s that, again, if I were to look at an EIC’s account, I could see their entire team. From that team page, I can see first and last names, emails, and phone numbers.
This is a bad business practice. It’s bad programming. It’s bad for writers and it’s bad for editors.
If you write for the Odyssey, I implore you to CHANGE YOUR PASSWORD. If you are still using that original one that the CMS gave you, anyone from any time who has figured it out can get into your account.
And to the Odyssey and Evan Burns: I get that you want to have a fun work environment, but hold your IT and programming staff up to the same business standards that everyone else does. Do your job and respond to criticism of your website by making it safer, not just giving it an ugly Halloween-esque facelift that it didn’t need in the first place. If you really have all the money your blog says you do, it shouldn’t cost that much to fix your website and make it safer for the writers that you don’t even pay most of the time. Your website has a major security flaw in the way it generates passwords, and you owe it to the college kids who are making you rich to at least make it a little harder for their accounts to get hacked.