Well, my holiday plans saw a new item move to the top of the to-do list. I found myself with the pleasant task of sweeping through my password collection, because I was lazy and Gawker Media was sloppy.
It’s a lesson for anyone whose livelihood depends on secure systems remaining that way.
The big story was that over the weekend of 11-12 Dec, Gawker admitted in a post on its various sites— which include Deadspin, Fleshbot, Gizmodo, io9, Jalopnik, Jezebel, Kotaku and Lifehacker, as well as Gawker itself—that its central password database had been compromised.
It seems that the Gawker IT organisation had used the long-obsolete DES to encrypt the password store, had ignored at least a month’s worth of warnings that something fishy was going on, and had let its production servers get about three years behind on kernel patches.
In short, the company’s IT crew had utterly failed at its job.
As of the afternoon of 13 Dec, the company seemed to be placing as much of the responsibility on those users who chose weak passwords — which included Gawker founder Nick Denton’s “24682468,” or “password,” used by almost 2,000 accounts — as it did on its IT staff, who created the conditions that were so easily exploited.
Of course, I failed as well. As do many people, I have a few medium-strength passwords that I use on more than one site. “Easy to remember, hard to guess” describes these, and they’ll hold up against a dictionary attack, although I reckon that anyone who really wanted to crack them would do so, probably sooner rather than later.
Although I should know better, I made the mistake of changing my Gawker password to one of my garden-variety passwords during one of the site’s occasional authentication hiccups earlier this year. I’d meant to get around to resetting it to something fairly obscure, but didn’t.
The only thing I can claim to have done right is to use more than one ID for my personal business, and to keep my business e-mail traffic separate from my personal e-mail. Although I’m going to be extra careful about my identities and passwords for a long while, I don’t feel like much of a chump.
After all, I’m not the Gawker employee who encrypted the passwords using an insecure method, I’m not the Gawker IT manager who blew off three years’ worth of kernel patches, and I’m not the Gawker leaders who dared the Internet to hack away.
Those are the people who look like chumps.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…