Thursday, December 16, 2010

Gawker Media Account Database hack

I'm sure you have heard about the release of about 1.5 million username / password combinations (encrypted with DES). I have gotten e-mails from a few web companies saying that I should re-set my password. These companies include LinkedIn and Blizzard (for my World of Warcraft account).

Since my roommate didn't get an e-mail from Blizzard (as he doesn't have an account on any Gawker Media website) and I did, I can only assume that Blizzard downloaded the hacked account database and compared it to their account database. Any matches were to get this e-mail.

I honestly hope this is what happened and that Blizzard and LinkedIn didn't just randomly send out password reset e-mails. In this case the most responsible thing to do is download the file and cross-reference it with your own data.
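The cross-referencing step described above, as an added example that is not from the original post or from any of the companies named in it. It compares only e-mail addresses (the leaked password material was DES crypt(3) hashes, so there is nothing else worth matching on) and produces the list of your own users who should be forced to reset. The dump text and user table below are constructed samples, and the hash-looking strings in them are made up:

```python
"""Cross-reference a leaked credential dump against your own user table.

Added example, not code from the original post. The dump format is a
constructed stand-in: one "email:hash" record per line, plus the sort of
comment and malformed lines a real dump tends to carry.
"""
from __future__ import annotations

import re

# Constructed sample of a leaked dump. The hash-looking values are made up.
LEAKED_DUMP = """\
alice@example.com:abJnggxhB/yWI
BOB@Example.org:rlZWaBEkVQ0uA
carol@example.net:GJG7bIlwHTWAA
# a comment line that a real dump might contain
malformed line without a separator
"""

# Constructed sample of our own user table: user id -> registered e-mail.
OUR_USERS = {
    101: "bob@example.org",
    102: "dave@example.com",
    103: "Carol@example.net",
}

# Loose shape check: something@something, no whitespace or record separator.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+$")


def normalize_email(addr: str) -> str:
    """Lower-case and strip so case and whitespace differences still match."""
    return addr.strip().lower()


def parse_dump(text: str) -> set[str]:
    """Return the normalized e-mail addresses in the dump, skipping junk lines."""
    found: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, _hash = line.partition(":")
        if not sep:
            continue  # no separator: not a credential record
        email = normalize_email(email)
        if EMAIL_RE.match(email):
            found.add(email)
    return found


def accounts_to_reset(dump_text: str, users: dict[int, str]) -> dict[int, str]:
    """Map user id -> e-mail for every user whose address appears in the dump."""
    leaked = parse_dump(dump_text)
    return {uid: email for uid, email in users.items()
            if normalize_email(email) in leaked}


if __name__ == "__main__":
    for uid, email in sorted(accounts_to_reset(LEAKED_DUMP, OUR_USERS).items()):
        print(f"force password reset for user {uid} <{email}>")
```

Only the overlap leaves this function; the dump itself should not be retained once the reset list has been produced, and the reset e-mail you send out should say why the account was selected, so that recipients can tell it apart from a random or phishing reset notice.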

If you are wondering whether you were affected by this breach, visit http://www.didigetgawkered.com/.

Yesterday I read both an Analysis of the hack and an Analysis of the Analysis. I am fairly certain that my password was unique in the database, but I do know that I used to use that password all over the place. A few months ago I started changing passwords and using KeePass to store them securely. I disagree with Wikidsystem's Analysis of the Analysis.

Yes, I was just as owned as the person using something insecure such as letmein or password. But the "owning" wasn't because of a weak password. Yes, I do have to copy and paste my passwords, but that doesn't make me a loser. I treat all of my online identities the same, as they are a representation of ME. The real losers are the ones that use any sort of username / password combinations on multiple sites. If you don't care that some sites might get hacked with the same username / password then fine, but I do. I want any potential fallout to be minimal.

Also, for things I truly care about, if a two-factor authentication mechanism is available I use it. The other thing more developers need to account for is LONGER passwords. My pseudo-random password generator generates long passwords, sometimes too long for an account. Please make the password field huge and don't store it in plain text. I hate having to cut down a password from 30+ characters to 8 because that is the longest your application will allow.

You see, I don't care if my password is 30+ characters, because I don't need to remember it! That's what I have KeePass for!
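The two requests above (accept long passwords, never store them in plain text) go together: once a password is run through a salted, iterated hash, what lands in the database is a fixed-size string regardless of how long the input was, so there is no storage reason to cap the field at 8 characters. The following is an added example, not code from the original post; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count and record format are assumptions chosen for illustration:

```python
"""Store passwords of any length as a fixed-size salted hash.

Added example, not from the original post. Uses PBKDF2-HMAC-SHA256 from the
standard library; the work factor and the on-disk record layout are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; tune for your own hardware
SALT_LEN = 16          # bytes of random salt per password
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    The result has the same length for a 5-character and a 500-character
    password, so the database column never needs to limit password length.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def stored_length(password: str) -> int:
    """Length of the record that would be written for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    short, long_ = "letmein", "correct horse battery staple " * 10
    print(stored_length(short), stored_length(long_))   # identical sizes
    print(verify_password(long_, hash_password(long_))) # True
```

Because the stored record is fixed-size, a length limit on the input field is purely a product decision; the only practical cap worth keeping is a generous one (a few kilobytes) to bound the hashing cost of a single request.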
