Baseball teams have a long history of low-tech espionage.  For example, sign stealing, intercepting the catcher’s signal to the pitcher, is considered part of the game.  More recently, the St. Louis Cardinals are accused of breaking into the Houston Astros’ computer network to steal team data.

To protect against sign stealing, teams change up their signs, use fake signs when they suspect sign stealing, and delay the sign to make it harder for the other team to relay stolen signals to the hitter.  Unfortunately, it seems the Astros’ efforts to protect their cyber data were not as elaborate.  The investigators believe that Cardinals employees who were hired away by the Astros re-used their old passwords in their new team’s system.  This allowed someone in the Cardinals office who had access to the old passwords to get into the Astros system.

There are lessons to be learned from this story.  A strong password policy should include mandatory periodic password changes, and limit the re-use of previous passwords (e.g., a new password must be different from the last 10 passwords).
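The two policy rules above, a password-history check and a maximum password age, are short enough to show in working code.  The example below is added here and is not from the original post or from either team’s systems; it keeps salted PBKDF2 hashes of the last 10 passwords (the figure given above) rather than the passwords themselves, rejects a new password that matches any of them, and flags a password older than an assumed 90-day rotation interval.  The account and password values are constructed for the demonstration.

```python
"""Password-history and expiry checks for a password policy.

Added example (not the original post's code). Assumptions: a 90-day
maximum password age and 100k PBKDF2 iterations; the "differ from the
last 10 passwords" rule follows the text above.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

HISTORY_DEPTH = 10                      # from the text: differ from the last 10
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation interval
PBKDF2_ITERATIONS = 100_000             # assumed; tune upward in production
SALT_BYTES = 16


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history holds no recoverable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def matches(password: str, record: PasswordRecord) -> bool:
    """Constant-time comparison of a candidate against one stored record."""
    return hmac.compare_digest(derive(password, record.salt), record.digest)


class PolicyViolation(ValueError):
    """Raised when a password change breaks the history rule."""


@dataclass
class Account:
    username: str
    history: List[PasswordRecord] = field(default_factory=list)  # most recent first

    def check_new_password(self, candidate: str) -> Optional[str]:
        """Return a reason if the candidate violates the history rule, else None."""
        for idx, record in enumerate(self.history[:HISTORY_DEPTH]):
            if matches(candidate, record):
                return f"matches password #{idx + 1} of the last {HISTORY_DEPTH}"
        return None

    def set_password(self, new_password: str, now: Optional[datetime] = None) -> None:
        """Apply the history rule, then store a fresh salted hash."""
        reason = self.check_new_password(new_password)
        if reason:
            raise PolicyViolation(reason)
        salt = os.urandom(SALT_BYTES)
        self.history.insert(0, PasswordRecord(salt, derive(new_password, salt), now or datetime.now()))
        del self.history[HISTORY_DEPTH:]   # keep only what the policy needs

    def is_expired(self, now: datetime) -> bool:
        """Periodic-change rule: an account with no password is treated as expired."""
        if not self.history:
            return True
        return now - self.history[0].set_at > MAX_PASSWORD_AGE

    def verify(self, password: str) -> bool:
        """Only the most recent password authenticates."""
        return bool(self.history) and matches(password, self.history[0])


def demo_policy() -> dict:
    """Scripted scenario on constructed data: a new hire tries to bring an
    old password along, is refused, and then rotates properly."""
    now = datetime(2015, 6, 1)
    acct = Account("new-hire")
    acct.set_password("OldTeam-2012!", now - timedelta(days=200))
    acct.set_password("OldTeam-2013!", now - timedelta(days=120))
    result = {
        "expired_before_rotation": acct.is_expired(now),          # 120 days > 90
        "reuse_rejected": acct.check_new_password("OldTeam-2012!") is not None,
        "current_rejected": acct.check_new_password("OldTeam-2013!") is not None,
    }
    acct.set_password("tulip-orbit-granite-42", now)
    result["expired_after_rotation"] = acct.is_expired(now)
    result["old_password_still_works"] = acct.verify("OldTeam-2013!")
    result["new_password_works"] = acct.verify("tulip-orbit-granite-42")
    result["history_length"] = len(acct.history)
    return result


if __name__ == "__main__":
    for key, value in demo_policy().items():
        print(f"{key}: {value}")
```

The history is trimmed to exactly the depth the policy needs, so a password that has rolled off the last 10 becomes usable again, which is the behaviour the rule as stated implies; raising the depth or adding a minimum password age are the usual knobs if that is not wanted.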