A View from Christopher Mims
How to Prevent a Gawker-Style Hack From Endangering You
You don’t have to memorize hundreds of passwords to ensure hackers won’t compromise your online identity.
Here are two key facts for all those people who are going to be compromised by the breach and subsequent publication of 1.3 million usernames, passwords and email accounts combinations from Gawker.com:
1) Theoretically, this sort of thing could be happening all the time, owing to the large number of websites that now have at least one of our passwords.
2) It is pathetically easy to make sure this kind of attack never threatens your online security.
First, let’s start with the briefest possible outline of the facts. If you’ve already digested the rest of the coverage on this subject, you can skip the next two paragraphs, and if you already grok why it’s incredibly unwise to use the same password on multiple sites, you can skip the next four.
Hackers got into the commenter accounts database (and every other database, apparently) of Gawker.com. This database includes not only usernames and passwords, but also email addresses. We know because they made the entire database public–it’s available via BitTorrent right now.
Because so many people use the same password for absolutely everything–one survey suggests it could be as high as 75 percent–hackers everywhere now have access to encrypted versions of the passwords used by Gawker commenters and the email addresses for which those passwords are quite likely to work. The encryption on these passwords is weak, but the good news is that Gawker was only storing the first 8 characters of these passwords. If your password is therefore 10 or more characters long, you might be safe even if you didn’t change it on all the other sites on which you use it.
Plenty of people are going to change their passwords in response to this security breach. But for one reason or another, many won’t, which leaves them vulnerable for the foreseeable future.
More importantly, this attack points out a simple fact that we should all keep in mind when creating passwords online. When you use the same password for a bunch of different sites, you’re making that password only as secure as the weakest site on which you use it. Which is to say, the easiest way to hack into someone’s Google mail account is to find their password on some site with lesser security: This human element is the number one vulnerability in Gmail.
Here’s how you defeat this basic fact of internet security, which is that sooner or later your password will become public, by some means or another:
Guaranty Your Security By Memorizing Four Passwords and Using Them in Tiers
1. All of us have a throwaway password we use on sites we don’t care about. Good! Keep using this password on sites you don’t care about (like Gawker.com). If it’s ever breached, the worst case scenario is that now hackers have the one password you couldn’t care less about. Worst case scenario: They hack into your Last.fm account (etc.) and start posting embarrassing “likes.”
2. For sites on which you don’t want to be impersonated (Twitter, Facebook, etc.) use a second password, different from the first. Make sure it’s not a word in the dictionary, make it as long as you are comfortable making it, and make sure it contains special characters in the middle, and not just at the end.
3. For your primary email account, use a totally unique password, and make sure it’s long, contains special characters, etc. Your email account may contain information about other accounts you have, even passwords–this makes it a sort of “master key” that you must zealously guard with a password used on no other site.
4. For your really, super important accounts–we’re talking bank accounts here–use a fourth password that you don’t use on any other kind of site. You don’t ever want a hacker cracking that random web app you used, or a snoop using FireSheep, to spy on your Facebook login, to gain access to your bank accounts. (Granted, most of these accounts also have PIN numbers to prevent just such an attack.)
Anyway, that’s it. Four passwords: One is garbage, and you might as well scrawl it in plain text across your forehead. One gets used on sites like Facebook that probably have pretty decent security. And two very special passwords lock up only your bank accounts and your email. Contrast this approach with the advice from Lifehacker linked from the Gawker.com post announcing that the site had been hacked and that all users should update their passwords (as in, all of them):
You don’t need to remember 100 passwords if you have 1 rule set for generating them. One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it.
I, for one, prefer not to have to go through any mental gymnastics when trying to figure out what password I used for a site. Instead, I rest easy knowing that my garbage password is vulnerable, and the rest relatively safe.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today