Tech by VICE

Cardinals Employee Sentenced to Almost 4 Years in Prison for Guessing a Password

Oh, and swiping notes on the Astros’ trade negotiations.

by Lorenzo Franceschi-Bicchierai
Jul 18 2016, 8:47pm

Christopher Correa, the former scouting director for Major League Baseball's St. Louis Cardinals, has been sentenced to 46 months in federal prison for guessing the password of a Houston Astros manager.

A federal judge sentenced Correa on Monday, months after he pled guilty to accessing a Houston Astros player database and email system.

Correa was able to break in by deducing the credentials of Astros general manager Jeff Luhnow, who previously worked at the Cardinals. As it turned out, when Luhnow left the team, he returned his team-owned computer, along with his old password. After he left, Luhnow used slight variations of the same passwords at his new job in Houston, which allowed Correa to guess his way into the Astros' system. The password, as it turned out, was a variation of Eckstein123, a reference to former Cardinal infielder David Eckstein.

Despite what some media reports and the FBI would want you to believe, there's very little hacking involved in this case. While using someone else's password to access a system or computer that's not yours, or that you have no authorization to access, is clearly a crime under the much-maligned anti-hacking Computer Fraud and Abuse Act, or CFAA, doing it by guessing a password should not be defined as hacking.

Other than the semantics, it's also debatable whether guessing a password—or even sharing a password—to access a database should lead to almost four years in prison. In this case, the sentence was based on the calculation that Correa's unauthorized access to the data cost the Astros $1.7 million. Correa caused this damage by accessing the Astros' "notes on its trade discussions with other teams," as well as their scouting reports.

As usual, the moral here is: don't reuse passwords, especially if they are something like Eckstein123—an awful password, and even more so if you run a professional sports team.