Six password security tips to learn from the Gawker hack

By Bill Snyder, CSO |  Security, gawker, password

The Germans have a word for it: Schadenfreude, taking pleasure in someone else's misfortune. And I have to admit, I did feel a twinge of satisfaction when Gawker, one of the snarkiest and most self-satisfied collections of sites on the Web, was hacked. But I do worry about the 1.2 million people whose passwords were stolen and posted on the Web for any moderately skilled bad guy to crack and use.

If nothing else, the attack on Gawker is what the President likes to call "a teachable moment," with lessons for anyone who uses the Web. (And speaking of the President, two of the stolen passwords were associated with the domain whitehouse.gov.)

Lesson One: Don't use the same password on multiple sites.

If the worst thing that could happen to Gawker users was that someone would post a fake comment, nobody would really care. But "attackers will undoubtedly be testing the cracked passwords against both personal and corporate services such as e-mail accounts, online banking sites, VPN remote access logins," Jon Oberheide, the co-founder of Duo Security, said in a blog post.

Duo technicians downloaded the Gawker file, and in just one hour solved 190,000 passwords; before long 400,000 were broken. Duo posted the 25 most common passwords on its site — but without identifying email addresses or user names — and that brings me to the

Lesson Two: Use a strong password, something many Gawker users haven't figured out.

For example, 2516 Gawker account holders used "123456" as a password, while another 2188 used "password" for a password. You get the idea. Ideally passwords should contain a mix of upper- and lower-case letters, numbers and keyboard characters, such as # or ^. (Gawker posted a helpful list of FAQs after the attack.)
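As an added illustration of this lesson (my own code, not anything Gawker or Duo published), here is a small Python policy check that rejects the common passwords the article names and requires the mix of character classes it recommends; the 12-character minimum and the username check are my own assumptions, not rules from the article:

```python
import string

# Constructed denylist: the two most common Gawker passwords the article
# names, plus a few equally common ones; a real deployment would load the
# full published list of common passwords instead of this short set.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

# Assumed minimum length; the article does not state one.
MIN_LENGTH = 12


def character_classes(pw: str) -> set:
    """Return which of the four character classes the password draws from."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(pw: str, username: str = "") -> list:
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Case-insensitive lookup so "Password" is caught as well as "password".
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(pw)
    if missing:
        problems.append("missing character class(es): " + ", ".join(sorted(missing)))
    # Added check beyond the article: a password built from the login name is
    # no better than a dictionary word.
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "password", "Tr0ub4dor&3xample"):
        print(repr(candidate), check_password(candidate) or "OK")
```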

Lesson Three: Once you hear about a break-in, check to see if you're using that password and username on multiple sites.

If you are, change them. Here is a little widget that will tell you if your password was posted. Gawker sites include Gawker.com, Fleshbot, Deadspin, Lifehacker, Gizmodo, io9, Kotaku, Jalopnik, and Jezebel.

Lesson Four: If you use online bill pay, or buy stuff on the Web, check your bank and credit card statements frequently.

Originally published on CSO.