Monday 13 December 2010


Repeat after me: "Reusing passwords is BAD!"

By Adrian Kingsley-Hughes | December 13, 2010, 2:05pm PST

Summary

A hacker group going by the name of Gnosis compromised the Gawker Media network (made up of popular websites such as Lifehacker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku, Deadspin, Fleshbot, and Gawker itself) and liberated not only the source code for the site, but also the entire user database, consisting of about 1.3 million usernames, email addresses, and password hashes. In an ideal world this wouldn’t be a problem, but this is far from an ideal world, so it has the scope to be a pretty big deal.

Blogger Info

Adrian Kingsley-Hughes

Biography

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.


“Reusing passwords is BAD!”

The problem is not so much that someone could crack your password and post stupid stuff under your name all over the Gawker network (people seem capable of doing that for themselves … just joking!). No, the problem is that people (many people, many of whom should know better …) reuse passwords. Folks think up one good password, one that they think they’ll remember, and then they use it all over the place. Using the same password for, say, Gawker and here on ZDNet might not be that big of a deal, but using the same password on Gawker as you do at Amazon and Apple would be a big deal. If any one of these sites is compromised, you’re open on all of them.

So, what can you do? Well, by far the best thing to do is make sure that you have a unique username and password for each and every web logon you have. That way if one is compromised, the rest are safe.

Note: It might not always be possible to have a unique username, as many sites and services use your email address as the username, but I’ve found it useful to try, because you can also easily spot companies that are passing on your email address to third parties.

“Reusing passwords is BAD!”

Once you decide that you’re going to have a different password for every account, you’ll quickly get to the point where you’ll need a password manager to keep track of things. Not only will a password manager act as a secure repository for your passwords, but it should also make managing and creating new passwords for accounts easy. For years I went with a free, open source application called Password Safe. This worked great until I started using iOS-powered iPhones and iPads more, at which point I needed something cross-platform. After a lot of testing I went with an application called SplashID on both the desktop and mobile devices. It’s a great program that allows easy syncing of passwords between desktop and mobile devices.

Jon Oberheide over at Duo Security has carried out some analysis of the leaked data and discovered some interesting stuff. Out of the 1.3 million password hashes he took some 560,000 crackable ones and used the John the Ripper tool to do the heavy work of cracking them. Of those 560,000, it took Oberheide one hour on an 8-core Xeon machine to bust 190,000 passwords. Pretty good work. From this he created a top ten listing of the passwords recovered, and it makes interesting reading:

302 gizmodo
225 gawker
170 kotaku
86 Highlife
76 sample12
56 qaz159
42 bobafett
38 timosha
37 p4ssw0rd
37 okies

You might be expecting to see the password “password” appear high up in the top ten list. It doesn’t, not because people are too smart to use it, but because Gawker, like sites such as Twitter, maintains a list of banned passwords that prevents people from using blindingly obvious ones.
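The banned-password list is the one control on this page that a site operator actually owns, so here is what such a check looks like in practice. This is an added example, not code from ZDNet, Gawker or Twitter: the denylist is a small constructed stand-in (the real lists are not on the page), and the normalization step is an assumption about how a sensible list would be applied, so that decorated variants like “p4ssw0rd” and “Password1!” are caught along with the bare word, and so that the site’s own name (the three most common cracked passwords were simply site names) is rejected too.

```python
import re
from typing import Optional

# Constructed denylist standing in for the banned-password lists the article
# says Gawker and Twitter maintain. The real lists are not on the page.
BANNED_PASSWORDS = {
    "password", "passw0rd", "123456", "12345678", "qwerty", "letmein", "abc123",
}

# Common single-character substitutions ("leetspeak"), so that "p4ssw0rd"
# collapses onto "password" before the denylist lookup.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, then undo leetspeak.

    The trailing run is stripped *before* the substitutions so that the "1!"
    in "Password1!" is removed rather than turned into letters; both
    "Password1!" and "p4ssw0rd" end up as "password".
    """
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(_LEET)


def check_password(password: str, site_name: str, min_length: int = 8,
                   banned=BANNED_PASSWORDS) -> Optional[str]:
    """Return None if the password is acceptable, otherwise a rejection reason.

    Order matters: a short password is rejected before the more expensive
    checks, and the denylist is consulted both on the raw lower-cased string
    and on its normalized form.
    """
    if len(password) < min_length:
        return "too short"
    if password.lower() in banned or normalize(password) in banned:
        return "on the banned-password list"
    if site_name.lower() in normalize(password):
        return "contains the site name"
    return None


if __name__ == "__main__":
    # A few of the top-ten passwords from the article, checked against the
    # policy as if a Gizmodo user had tried to register them.
    for candidate in ("gizmodo", "Gizmodo2010", "p4ssw0rd", "Password1!", "bobafett"):
        verdict = check_password(candidate, "gizmodo")
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

The normalization deliberately does only the cheap, obvious transformations; it is not meant to compete with a cracking wordlist, just to stop the decorated variants of banned words that a plain string compare would let through.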

“Reusing passwords is BAD!”

Other stats relating to the passwords:

  • The vast majority (99.23%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols.
  • Of the passwords that were alphanumeric, about 45% were composed of strictly lowercase alphabetic characters, 11% were strictly numeric, less than 1% were strictly uppercase alphabetic characters, and the rest were mixed alphanumeric.
  • Of the unique passwords recovered, approximately 118,000 (62%) are used by only a single user (that is, they’ve selected a password that no one else has). Similarly, 17,000 (9%) are passwords shared by only two users and 5,000 (2.5%) are shared by only three users.
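The three statistics above (character-class breakdown, how many distinct passwords are shared by one, two or three users, and the top-ten ranking) are all simple frequency counts over a list of recovered passwords, which is the kind of audit a defender runs over a leak of their own users’ data to gauge exposure. The following is an added example, not the Duo Security analysis or any code from the article; it works on a small constructed list of passwords (one entry per user, so repeats mean several users chose the same password) rather than the Gawker data, and the percentages it prints are therefore for the sample only.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample corpus, one entry per user. Several of the strings are
# taken from the article's top-ten list; the counts are NOT the real ones.
SAMPLE_PASSWORDS: List[str] = [
    "gizmodo", "gizmodo", "gizmodo", "gawker", "gawker", "kotaku",
    "Highlife", "sample12", "qaz159", "bobafett", "p4ssw0rd", "okies",
    "123456", "ABCDEF", "Tr0ub4dor&3", "hunter2", "letmein",
]


def char_class(password: str) -> str:
    """Bucket a password the way the article's breakdown does.

    Anything with a symbol is "special"; the alphanumeric remainder splits
    into strictly numeric, strictly lowercase, strictly uppercase, and
    "mixed alphanumeric" for everything else (mixed case included).
    """
    if not password.isalnum():
        return "contains special characters"
    if password.isdigit():
        return "strictly numeric"
    if password.isalpha() and password.islower():
        return "strictly lowercase"
    if password.isalpha() and password.isupper():
        return "strictly uppercase"
    return "mixed alphanumeric"


def class_breakdown(passwords: List[str]) -> Dict[str, Tuple[int, float]]:
    """Return {class: (count, percent of all passwords)}."""
    counts = Counter(char_class(p) for p in passwords)
    total = len(passwords)
    return {cls: (n, round(100.0 * n / total, 2)) for cls, n in counts.items()}


def sharing_breakdown(passwords: List[str]) -> Dict[int, Tuple[int, float]]:
    """Return {k: (count, percent)} of distinct passwords used by exactly k users.

    The percentages are over *distinct* passwords, which is how the article's
    "118,000 (62%) are used by only a single user" figure is defined.
    """
    per_password = Counter(passwords)               # password -> number of users
    by_user_count = Counter(per_password.values())  # k -> passwords shared by k users
    distinct = len(per_password)
    return {k: (n, round(100.0 * n / distinct, 2))
            for k, n in sorted(by_user_count.items())}


def top_n(passwords: List[str], n: int = 10) -> List[Tuple[str, int]]:
    """The article's 'count password' ranking: most common first."""
    return Counter(passwords).most_common(n)


if __name__ == "__main__":
    for count, pw in ((c, p) for p, c in top_n(SAMPLE_PASSWORDS)):
        print(f"{count} {pw}")
    print()
    for cls, (n, pct) in sorted(class_breakdown(SAMPLE_PASSWORDS).items()):
        print(f"{pct:6.2f}%  {n:3d}  {cls}")
    print()
    for k, (n, pct) in sharing_breakdown(SAMPLE_PASSWORDS).items():
        print(f"{n} distinct passwords ({pct}%) shared by exactly {k} user(s)")
```

Running it on a real leak would mean swapping `SAMPLE_PASSWORDS` for the recovered plaintexts; the three functions need nothing else, since they only count strings.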

“Reusing passwords is BAD!”

So, the bottom line:

  • Stop reusing passwords!
  • Have in place an effective password manager - don’t try to remember this stuff.
  • Change important passwords regularly.
  • Enjoy life!

If people didn’t reuse passwords, this incident would be a minor hassle for those frequenting Gawker. But since some people are hell-bent on reusing passwords, a small leak turns into a really big deal.

Makes sense? Get to it then!


Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.
