December 16, 2010, 8:03 AM — In the aftermath of the big Gawker security breach, a lot of ink is being spilled about passwords. Some of what you've been reading, like Dan Tynan's Seven lessons learned from the Gawker and McDonalds hack attacks here at ITworld, is solid, useful info for anyone who uses the web.
But I've also been seeing a lot of jeering posts about how people invariably pick bad passwords. When it gets to the point where even The Wall Street Journal is gleefully pointing out how pathetic some passwords are, I decided the time had come to step up and speak out for the other side.
I'm a Gawker reader and I use lousy passwords. My Gawker password wasn't quite as easy as "password" but it was a short word that the hackers have almost certainly cracked by now. Did I use this password because I'm ignorant? No. My bank password (for example) is much longer and uses a mix of upper and lower case, numbers and punctuation. I still imagine it could be cracked if my bank experienced a data breach, but it at least would take a little bit of time.
So why is my Gawker password so weak? Because I don't care! I read a few Gawker sites and every once in a blue moon I feel the urge to comment, and when I need to comment I need to log in. In a perfect world I wouldn't need to log in or have an account at all. I'd just write a comment and hit submit, but of course the comment spammers have ruined that experience for us. If someone hacked into my Gawker account it wouldn't matter to me. They'd get my 'casual' e-mail address, sure, but that's not connected to anything important. I don't use my real, permanent e-mail on sites like Gawker. There's no data in my Gawker account that I care about. I do sometimes reuse that bad password, but only on other sites where I'm equally not concerned with security.
To put all this in context I urge you to read Coding Horror's excellent Rainbow Hash Cracking piece. In it, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker. That was back in 2007 when the piece was written. By now I'm sure it'd take even less time. Your "good" password probably isn't all that much better than these "bad" passwords that the pundits are lecturing us about.