Everyone Knows Your Password: Lessons for Bloggers From the Gawker Hack
If you've ever commented as a logged-in user on Gawker Media blogs such as Jezebel, Lifehacker, Gizmodo, io9, or Gawker itself, you need to change some passwords. Last weekend the entire commenter database from Gawker was hacked into, copied, and widely distributed.
Here's what that means for over 1 million commenters on Gawker blogs. If you made an account, it has a username, a password, and an email address. If your email name was email@example.com, and your password was qwerty, that password was encrypted and stored in a database on Gawker's servers.
Many people now have your email and that password. You might think, "So what. Someone might comment as me on Jezebel. Not the end of the world." But if you've ever used that email and password anywhere else, say, on Twitter or Facebook, for your own blog, or for Amazon.com, your accounts can easily be broken into. If I had that database, and wanted to do some identity theft, I'd make a list of common sites, and write software to try to log into them all with the 1 million sets of emails, user names, and passwords. It wouldn't take long to get to some credit card numbers.
If you use the same password in many places, you should start changing your passwords immediately. Start with your email accounts. Change them first! Then double check anywhere that you store credit card or other financial information. If you have sent passwords, credit card numbers, and other confidential data over Facebook messaging, you also need to change those passwords quickly.
I'd like to go into more depth in two areas for BlogHer readers. The first is a set of recommendations for how to manage your passwords. The second is a little more background on the Gawker hack.
At BlogHer '10 I recommended that people have various levels of password. You might have a password you use on sites where you comment, read, or do other casual interaction -- a low security password. Don't use that password on accounts where you keep private information. You need another password for accounts you absolutely need to keep secure. And I recommend you have another completely different password for your main email address -- don't use that one anywhere else.
Once your email address is hacked into, someone can use your email address to reset your passwords on other accounts -- like PayPal, or your online banking. If you think about it, your email is the key to all your other online identities.
Passwords should be hard to guess, and hard to crack by brute force. They shouldn't be dictionary words, or names of people or pets or sports teams with your birth year attached. They shouldn't be your phone number. And they should not be passwords that are on known lists of commonly used passwords, like qwerty1 or 123456. Here's a list of 500 common passwords. Are your passwords on that list? Last time I asked this question in a room full of people, half the room had to raise their hands.
If you want help keeping track of your passwords, use a password manager like LastPass, 1Password, or KeePass. They take some work to set up, but once you have them in place they can be very useful. If you don't use a password manager, try to think of a good system for generating good passwords that you will remember. I would rather that our readers have good passwords that they keep in a file cabinet at home or in their wallet, than that they use "qwerty1" across all their accounts. If someone steals your wallet, you will know to change your passwords just like you know to cancel your credit cards.
So how were Gawker's servers hacked? It sounds like a brute force attack was used against Gawker's Campfire project management account. Campfire didn't prevent bots from guessing passwords and trying to log in many times in a row, so brute force had a chance to work. Once the Gnosis hackers were in the Campfire account, they copied it and found some sys admins telling each other server passwords. They could log into the servers and find security flaws, get root access to the servers, and copy the database files. Since the entire commenter database file was copied, people have had plenty of time to crack the passwords. The passwords were stored using DES encryption, which can be cracked within a few days. The database was then distributed widely. Thousands of people have copied it and are still copying it.
It can be interesting to check if a particular domain name or email is in the database. I would trust Slate's interface for checking if your email address was associated with a password on Gawker: Was your Gawker password hacked? A less reputable site might harvest those queries and use them in some way, so be cautious about the way you check. You might want to wait until Gawker is sure it's secure before changing your password on *their* blogs; I don't think that's certain yet.
If you want to look a little deeper, you can see more of the database exposed in Google Fusion tables, searchable by domain name (not by full email address) or by the MD5 hash of a full email address. Of course, the full db files are not hard to find and download. Coding Horror and other blogs published the Gawker Bug of the Day.
The lesson for BlogHer readers, who are likely to be running blogs themselves, is that you too are a web publisher who may be keeping user information. If other people log into your site, you have a responsibility to learn how their data is stored and to keep it as safe as possible. Keep your software updated. And if your site is compromised, let your registered users know as quickly as you can, so that they can have the information they need to change their passwords everywhere else.
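Here is a small added example (my own code, not Gawker's or any blog platform's) of the two lessons from the hack above: store passwords as salted, slow hashes instead of DES so a copied database is not crackable in days, and throttle repeated login failures so brute force doesn't get a chance to work. The iteration count, lockout threshold and lockout window are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example (not any real site's settings).
PBKDF2_ITERATIONS = 200_000   # slows each guess; raise as hardware gets faster
MAX_FAILED_ATTEMPTS = 5       # failures allowed before an account is locked
LOCKOUT_SECONDS = 900         # how long the lock lasts


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, iterations, random salt, digest.
    Unlike DES crypt, the per-user salt and high iteration count mean a stolen
    database cannot be cracked with one shared table or in a few days."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


class LoginGate:
    """Per-account throttle: after MAX_FAILED_ATTEMPTS failures within the
    lockout window, further attempts are refused without checking the password."""

    def __init__(self, users: dict, now=time.time):
        self.users = users      # username -> stored hash record
        self.failures = {}      # username -> (failure count, time of first failure)
        self.now = now          # injectable clock, so the lockout can be tested

    def attempt(self, username: str, password: str) -> str:
        count, since = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS and self.now() - since < LOCKOUT_SECONDS:
            return "locked"
        stored = self.users.get(username)
        if stored is not None and verify_password(password, stored):
            self.failures.pop(username, None)   # success clears the counter
            return "ok"
        if count == 0 or self.now() - since >= LOCKOUT_SECONDS:
            self.failures[username] = (1, self.now())   # start a new window
        else:
            self.failures[username] = (count + 1, since)
        return "denied"
```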
If you are interested in computer security (and you should be!) take a look at How to Spy on Open Wifi Hotspots: A Security Warning! And if you want to be scared into changing your passwords, please read the liveblog of my talk at BlogHer '10, Fight Spam and Hackers, along with the awesome Fight Spam and Hackers slides, which are full of tough women with passwords like diamonds.