Dec 15 2010
 

Online news and gossip publisher Gawker Media was hacked last weekend with nearly 200,000 usernames and passwords released to the world.

The Wall Street Journal’s Digits Column tabulated the results and listed the top 50 passwords used by Gawker’s subscribers.

At first glance the reaction is to wonder what sort of idiot would use a password like 12345678, and the list only confirms most IT and security professionals’ view that most computer users don’t protect their online details very well.

But on reflection, is using a weak password on a site like Gawker so bad? Most of the users listed only created an account to comment on one of Gawker’s websites. They aren’t using their Gawker account for anything vital, and should the account be compromised, the only thing the bad guys can do is post under that account name.

So if we assume that most of the 3,000-odd people who used the password 12345678 only did so for “disposable” accounts like the Gawker comments stream, then they probably haven’t risked anything at all.

In fact it makes more sense to do so than to use a strong password that also happens to be your banking or work login.

On my IT Queries site we suggest a layered approach to passwords: services like Gawker, where it doesn’t really matter if the password is compromised, get a simple and easy password, while sites with serious consequences, like your online banking, get strong and secure passwords.

We should always keep in mind that accidents happen and that there are a lot of clever bad guys out there keen to exploit weaknesses when they see them, so security mistakes like Gawker’s will occur from time to time. The best we can do is arrange our security so that when bad luck strikes, the effects are contained.

The real moral for all of us from the Gawker password hack is to take security seriously and not to use the same password on every site we visit.

2 Responses to “Password safety”

1. Hi Paul, I like the idea of the layered passwords, BUT two things stand out for me: 1) people are likely to re-use that same password on other systems, and they may even be critical ones like banking sites. 2) There are a number of ways sites connect to other sites (Twitter OAuth, Facebook Connect) where a compromise of one password could have ramifications on many other sites.

  2. Hi Andrew, you’re absolutely right on both points. Users need to be using different passwords on different sites with the more critical services having tougher, unique passwords.

    The cross-authentication issue is a separate problem. I’d suggest there that users need to ensure they only use another service that is of the same level as the one they are logging into.

    For example, if Twitter is a sensitive service to you then use Twitter to log into sites that you also feel are sensitive. Should you consider Facebook to be a critical service, then you would only use your Facebook login for similarly important sites.

    This subject is one that is going to continue to evolve as online services become increasingly important to our lives. Thanks for the comment.
