What I learned from the Gawker hacker debacle
I’ve always considered myself to be a pretty savvy internet/computer type of guy. I’ve never fallen for any of those Nigerian prince 419 scams, my computer has never been infected with a virus, and I’ve never even been successfully Rickrolled. But I, and hundreds of thousands of others who happen to belong to one of Gawker Media’s blogs (Deadspin, Gizmodo, Fleshbot, Lifehacker, etc.), got a very rude awakening a few weeks ago.
That’s when it was revealed that a group of hackers called Gnosis had successfully hacked Gawker’s source code and databases and made off with, among other things, the entire database of Gawker’s commenter accounts. Two important facts came out of this security breach: one, Gawker’s security sucks, and two, way too many people are way too lazy with their passwords. (There’s a whole backstory behind who Gnosis is and why they went after Gawker specifically, but I’m not interested in rehashing that here.)
How do I know this? I downloaded the torrent file containing the information Gnosis found. Specifically, text files containing said usernames and (for many of them) their passwords. There was a shocking number of people content to use brilliant passwords like “password”, “12345”, “qwerty”, or some variation of those. The Wall Street Journal dug through the same information I obtained and found the 50 most-used Gawker passwords, which were shared between nearly 200,000 accounts.
I found my username in the Gnosis download, but instead of showing my password it showed the encrypted hash. That doesn’t mean someone couldn’t or didn’t get my password, but it at least proved that my password was somewhat adequate. Nonetheless, I immediately changed my Gawker password to a stronger one.
I’ve also begun systematically reviewing all my other passwords for vulnerabilities. I never recycled the same password for different sites and applications, although I had developed a base password to which I would add letters or numbers related to each site. Not the most secure system, but it was better than “letmein”.
But that’s obviously not enough anymore. So here are the measures I’ve taken for all my accounts:
- I downloaded the latest version of KeePass. It’s an offline program that stores usernames and passwords in an encrypted format. All I have to do is remember my KeePass password.
- I changed the passwords for all my accounts, using KeePass’s automatic password generation feature. I set it to the maximum length allowed by each site/application. I started with any sites that contained personal financial information (banks, Amazon, etc.). I know some would argue that allowing sites like Amazon to store credit card information is foolish, but I’m not ready to go all Luddite just yet.
- I verified the passwords using password strength sites like this or this. (note: I changed a handful of characters before trying these sites. Never enter your password on a site it wasn’t intended for.)
- To allow for some level of portability, I have Dropbox installed on any computer I also use KeePass on. This allows me to access my sites from more than one trusted computer without going nuts transcribing or remembering passwords.
- I regularly clear locally stored internet data using CCleaner. I then use KeePass’s Auto-Type feature to get back into my sites.
- I plan on generating new passwords based on site sensitivity (financial/email passwords will be changed monthly, random message board passwords maybe once a year).
- I will be deleting any accounts I don’t plan on using again.
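The two technical steps in that list (generating a random password at the maximum length a site allows, and checking strength without pasting the real password into a third-party site) can both be done locally. The script below is an added example written for this page; it is not the author's code and does not reproduce KeePass's generator. It uses Python's `secrets` module for generation, gives a deliberately optimistic entropy estimate for human-chosen passwords, and flags the "common word plus a few characters" pattern the post calls out. The `COMMON_PASSWORDS` list is a constructed stand-in (it contains the words the post names plus assumed filler, not the WSJ top-50), and the verdict thresholds are assumptions.

```python
import math
import secrets
import string

# Constructed list of weak passwords for the local check. The post names
# "password", "12345", "qwerty" and "letmein"; the rest are assumed filler,
# not the WSJ top-50 list mentioned in the post.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "qwerty", "letmein", "abc123", "monkey", "iloveyou",
}

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length, alphabet=FULL_ALPHABET):
    """Build a random password from the OS CSPRNG, the way a manager's
    generator does. `length` should be the maximum the site accepts."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generated_entropy_bits(length, alphabet=FULL_ALPHABET):
    """True entropy of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def detected_charset_size(pw):
    """Combined size of the standard character classes that appear in `pw`."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def naive_entropy_bits(pw):
    """Optimistic estimate for a human-chosen password: assumes every character
    was drawn uniformly from the detected classes, which real passwords are not.
    Treat it as an upper bound, never as proof of strength."""
    size = detected_charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    """Classify a password without sending it anywhere. Returns a dict with the
    estimated bits and a verdict: common, common-with-suffix, weak, adequate
    or strong (the 50/80-bit thresholds are assumptions, not from the post)."""
    lowered = pw.lower()
    # "qwerty99" or "password1!" are variations of a common word, not new secrets.
    stripped = lowered.rstrip(string.digits + string.punctuation)
    bits = naive_entropy_bits(pw)
    if lowered in COMMON_PASSWORDS:
        verdict = "common"
    elif stripped in COMMON_PASSWORDS:
        verdict = "common-with-suffix"
    elif bits < 50:
        verdict = "weak"
    elif bits < 80:
        verdict = "adequate"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples; the last one is freshly generated at a 32-character cap.
    for sample in ["password", "qwerty99", "Tr0ub4dor&3", generate_password(32)]:
        print(f"{sample!r:40} {assess(sample)}")
    print("generator entropy at 32 chars:", round(generated_entropy_bits(32), 1))
```

The estimate from `naive_entropy_bits` is only meaningful for passwords a person chose; for a generated one the honest figure is `generated_entropy_bits(length)`, which depends on the generator's alphabet rather than on which characters happened to land in the string. The point of the `common-with-suffix` branch is the post's own observation: a leaked hash of "password" or "qwerty99" is barely better than the plaintext, while a hash of a 32-character random string is what actually makes the "encrypted hash" in the dump worth something.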
I’m sure some will quibble with some of my choices, but I think this general plan strikes a good balance between security and convenience. It also allows me to take a more active role in managing my online security, which is something everyone should do. It’s too easy to get complacent about these things. That’s why I’m not doing what some suggest, which is to base password strength on the importance of the site. It’s too easy to fall into the trap of laziness that way.
It wasn’t too late for me to implement these measures, and hopefully it isn’t too late for you as well. After all, it took me forever to get my Deadspin account starred, and I’m not about to let some damn hacker ruin that.
Max Power
Sharing passwords across sites is fine, as long as you separate them by the level of risk of each one. For example, accounts for commenting on blogs can use the same password, but you want to have a different password for a bank site.