
By now, you may have heard about the major security breach over at Gawker Media sites (like Gizmodo, Jalopnik, io9, etc.). If not, you can follow the link for the details, but the bottom line is that user names, email addresses, and passwords for *all* their users (and the editors/admins, source code, and other system files) were stolen, and the user names/emails/passwords posted on the Internet. I was one of those affected, but fortunately, the damage for me is minimal.

That's because, while my password there isn't very strong, it's also one I only use for sites like io9 or Jalopnik – blogs where I might want to comment. So it's possible someone will be able to impersonate me at some blog and make some stupid comment (or maybe a better one than I would have made!).

Still, it brings up the point that I really shouldn't use the same password at multiple sites (and just because it's a blog site is no excuse not to use stronger passwords). I have changed it at the sites that used the same one, so I'm not too worried. And again, since I use much stronger passwords at more important sites (iTunes, banking, anyplace with shopping), I'm not overly concerned.

It is disappointing to see some of the conversations about this, though – apparently, the hackers had been inside the Gawker sites for over a month, and even when Gawker admins first found out about a possible breach, it was only "the peasants" (i.e., the users – one of their editors' quotes) that they thought were compromised, so it seems like they didn't take it very seriously. It's also disappointing that Gawker did store the information with encryption, but with only a 56-bit algorithm that was broken years ago.

Even if you're not affected, this is a good reminder to take a look at your passwords and maybe change a few at critical sites if you think they're not strong. There are programs to help with this, like 1Password, if you want something to manage all your passwords. I'm personally too cheap for that, and use the Keychain to manually manage passwords. 1Password is probably a better solution, though, and I'm considering it or something like it – I know several people who use it and swear by it.

OS X has a nice password generator in it too – if you open Keychain Access, then go to the menu and click on File -> New Password Item, you'll get a dialog box asking for the item name, password, etc. Click on the Key symbol next to the Password field, and a password generator will come up. You can use it to set passwords of different lengths and types ("Memorable", for example, is easier for humans to recall; "Random" is completely random, with letters, numbers, and punctuation characters; "Numbers Only" is, well, numbers only – you get the idea). You can always copy/paste the output into some other program – you don't have to finish making a keychain item (although you might want to, in case the web site is one of the many that doesn't let your browser "remember" the password).

These are some of the tasks that programs like 1Password will automate for you – they will stuff passwords into web sites even if the site normally doesn't allow your client to store them. Since the passwords are pretty well randomized, and protected by a master password on your client, this isn't really any sort of security problem (unless of course you give away your master password!).

My point is, use this as a reminder to think about your own security situation with regards to passwords, even if you aren't affected. It doesn't hurt to do a self-audit every once in a while.
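As an added example (not code from the original post), here is a small Python self-audit of the kind this paragraph recommends: it groups sites that share a password and estimates each password's strength as an entropy upper bound, so reuse across blog accounts and weak passwords at important sites both stand out. The site names, passwords and the 60-bit threshold are constructed assumptions for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample input for the self-audit: site -> password.
# These are made-up values, not real credentials.
SAMPLE_PASSWORDS = {
    "io9.com": "commenter1",
    "jalopnik.com": "commenter1",
    "gizmodo.com": "commenter1",
    "bank.example": "k7$Qw!2pLz9#Vb",
    "shop.example": "summer2010",
}


def charset_size(pw):
    """Size of the smallest standard character class set that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(pw):
    """Upper bound on strength: bits if every character were drawn uniformly
    from the character set actually used. Real passwords are weaker than this."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def audit(passwords, min_bits=60):
    """Return (reused, weak): reused is a list of sorted site groups that share
    one password; weak is the sorted list of sites below min_bits (an assumed
    threshold). Comparison is done on the plaintext you hold locally."""
    by_pw = defaultdict(list)
    for site, pw in passwords.items():
        by_pw[pw].append(site)
    reused = sorted(sorted(sites) for sites in by_pw.values() if len(sites) > 1)
    weak = sorted(site for site, pw in passwords.items()
                  if entropy_bits(pw) < min_bits)
    return reused, weak


if __name__ == "__main__":
    groups, weak_sites = audit(SAMPLE_PASSWORDS)
    print("reused across:", groups)
    print("below threshold:", weak_sites)
```

Run against the sample, the three blog sites show up as one reuse group and, with shop.example, as below the threshold, while the banking password passes.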

httpv://www.youtube.com/watch?v=9_d4wCUO_MI
