Online news and gossip publisher Gawker Media was hacked last weekend with nearly 200,000 usernames and passwords released to the world.
The Wall Street Journal’s Digits Column tabulated the results and listed the top 50 passwords used by Gawker’s subscribers.
At first view, the reaction is to think what sort of idiot would use a password like 12345678 and would only confirm most IT and security professionals’ view that most computer users don’t protect their online details very well.
But on reflection, is using a weak password on a site like Gawker so bad? Most of the users listed have only created accounts to make a comment on one of Gawker’s websites, they aren’t using their Gawker account for anything vital and should their Gawker account be accessed the only thing the bad guys can do is post under the account name.
So if we assume that most of the 3,000 odd people that used the password 12345678 only do so for “disposable” accounts like the Gawker comments stream, then they probably haven’t risked anything at all.
In fact it makes sense to do so rather than to use a strong password which also happens to be your banking login or work account.
On my IT Queries site we suggest using a layered approach to passwords where services like Gawker, where it doesn’t really matter if the password is compromised, get a simple and easy password while sites where there are serious consequences like your online banking get strong and secure passwords.
We should always keep in mind that accidents do happen and that there are a lot of clever bad guys out there who are keen to exploit weaknesses when they see them. So security mistakes like Gawker’s will occur from time to time. The best we can do is to arrange our security so that when bad luck strikes us, the effects can be contained.
The real moral for all of us from the Gawker password hack is to take security seriously and not to use the same password on every site we visit.