Apparently a few days ago, the Gawker network of sites was hacked and the perpetrators managed to get hold of the password database of contributors. In amongst the stuff they've republished is an anonymised list of over 188,000 entries from the password database.
Given Gawker is usually occupied by tech-savvy people, the Wall Street Journal's analysis of the database reveals, rather worryingly, how many of their users are apparently ignorant of password security, with the top three passwords being "123456", "password" and "12345678". Other notable entries included "qwerty", "letmein" and "whatever". I assume the entry they've labelled as "f---you" has been censored and originally had letters in place of the dashes. Then again, Gawker themselves presumably aren't too hot on security, since one of the top passwords was "0" - haven't they heard of setting a minimum password length?
Read the full sordid details over at this WSJ blog entry.
Comments
passwords
Well, the major commodity that WSJ, like all its corporate brothers, sells these days is fear. Not to down play what the little 4chan twits are doing, but the passwords I use for such news sites aren't as secure as what I use, say, here. And that is nothing like what I use for the bank (and I don't even have any money in the bank three weeks a month).
My Gawker pw is so dumb it didn't even make the list! Or maybe that makes it cleaver. But who really cares about their Gawker identity? I think that list of passwords would be different if Gawker was a different kind of site. At least, I hope so.
Dumb passwords
Although some people might use a dumb password for Gawker and more secure passwords elsewhere, it's fairly likely that many of the users have one set of login credentials which they use everywhere... a recipe for disaster!
I'm not quite paranoid enough to keep all my passwords in a paper notebook - besides which, I log into some sites from work as well as home. However, there is an alternative which is almost as secure - the password manager.
Password Manager software (preferably third party rather than integrated into the browser) stores all your passwords, and will offer to autofill them in on sites you visit. One that usually appears on the recommended list by both computer magazines and computer security experts is "LastPass". Your passwords are stored on their central server, but under 256-bit AES encryption, and only ever decrypted on your local computer.
To give you an idea of the safety of the encryption, an organisation called distributed.net took part in an RSA Labs challenge at the turn of the century to brute force crack a short block of text using 64-bit RC5 encryption (a slightly older standard than AES). Using the spare CPU cycles of thousands of computers, it took them nearly five years. In 2003 they started working on cracking 72-bit RC5. Despite thousands of computers worldwide tackling the problem, they're currently less than 1.5% through the keyspace after seven years. Now imagine how long it would take to crack 256-bit RC5... then bear in mind AES is a more advanced algorithm...
Anyway, in addition to storing your passwords, LastPass also has a password generator, which will generate pseudo-random passwords of any length (I tend to use a minimum of 12 characters), featuring a mix of upper case, lower case, numbers and (for sites that will accept them) 'special' characters (i.e. punctuation marks). Because the program will auto-fill your login details into websites, you only need to remember one master password - which ideally should be as long as possible and difficult to guess as possible, while simultaneously being easy to remember and type (to deter shoulder surfers)·
There are 10 kinds of people in the world - those who understand binary and those who don't...
As the right side of the brain controls the left side of the body, then only left-handers are in their right mind!
Feeling Smug
Although I'm not a Gawker user, and am not affected by this, I'm feeling justified in the steps I take to maintain login security on all the sites I use. Call me paranoid, but I've never felt that the people who run websites could be trusted; not necessarily trusted to be honest, which might be an issue, but trusted to be competent enough to keep away the bad guys who are definitely dishonest.
So, with a certain degree of inconvenience, I adopted a simple firewall approach to password security: I use a different one on each site I use, and often a different login name, too. I believe this runs into the hundreds now, several of them involving important stuff. No, there is absolutely no way I can remember this stuff, so I have to write it down. It lives in a small nondescript notebook which never leaves the house. Ever. It's not online. It's not in a computer. Inconvenient? Absolutely. As inconvenient as having someone steal your password from one site and use it to cause mischief, steal your online identity, take over a website you run, or even raid your bank account? Nope.