About the author

Christine

I'm a geek with a love for all things tech. I'm also an online business consultant with expertise in SEO, SMM, and digital marketing strategies.


12 Comments

  1.

    AJ Robins

    These days, given how easy it is to have multiple passwords, it really doesn’t make any sense to use the same password more than once. You (Gina) even gave one example of how to do this. I did change my Gawker password, just in case, even though (1) it’s unique to Gawker, and (2) it’s not in a dictionary, even in mangled form. I think the issue here is that, given the availability of hashed passwords, brute-force password guessing might now be viable for many passwords (I’m thinking GPU processing, here).

  2.

    Siira

    Like you tweeted, there are way too many users using dictionary words or very easy-to-guess passwords. I don’t know what “24862486” means to Nick Denton, but certainly it’s a low-security password. I don’t know what #gnosis used to gain access in the first place, but considering the passwords from Gawker staff (which are in the readme.txt of that torrent), it could not have been hard to “guess” any of them.

    Let it be a reminder for those of us not already using something like LastPass and using different passwords for every website to get an addon like this and start changing passwords everywhere.

  3.

    Jimmy Blake

    Well, that certainly gave me the push I needed to finally bite the bullet on getting LastPass.

    I do have a stupid question though, and I’m not sure if you know or not, Gina, but I’m really curious as to whether Lifehacker actually stored passwords in a directly decryptable format, or if this is a case where hackers got the md5 and salt of each user’s password and were able to brute force out the likely collisions from there?

    If passwords were really stored in a directly decryptable format… well, that kind of scares me.

  4.

    Pies

    Another point for federated logins, like Facebook Connect or ‘Sign in with Twitter.’

    Seriously though, are they brute-forcing the passwords, or were they stored in a non-secure way?

  5.

    Gina Trapani

    The passwords were stored encrypted, but they were able to brute-force the simplest ones. That’s why 200k of the 1.24M are unencrypted.

  6.

    Jimmy Blake

    Thanks for the clarification Gina. That makes me feel a little more secure about this one, as my password wasn’t exactly a dictionary word, but I’m still glad I’ve generated new passwords through LastPass for everything.

    Just a note: you may want to nudge Lifehacker to clarify this one too, as I think the site is looking worse than it has to for this. The way everything reads at the moment, it sounds like passwords weren’t hashed and were actually decryptable directly, instead of through brute forcing them individually.

  7.

    rogowar

    It’s nice they alerted everyone, but I’m unable to change my password; the save fails every time.

  8.

    Siira

    To add to the encryption part: from what I have read, it’s actually DES that is being used. So the passwords are encrypted, but it is an old encryption mechanism.

    Nevertheless, it’s always best to keep stuff contained no matter how good the service is at keeping your data private. My policy is to always expect the worst and act accordingly. In this case, that means using a hard-to-guess password and using LastPass to help me remember them. 🙂

  9.

    AJ Robins

    Yow, I haven’t been reading the details, but I really, REALLY hope that they weren’t encrypting the passwords, but were using hashed passwords, instead. For passwords, there really isn’t any reason to use an encrypting/decrypting mechanism, and so hashes are more secure. Also, I’d hope that, if hashes were really used, they’d be adding at least one item of salt to each hash; however, given the seeming ease with which so many passwords were apparently brute-forced, maybe not.

  10.

    AJ Robins

    (Responding to myself.) Duh, I need more coffee. I’d forgotten that the entire database was compromised, and so the attackers would have any pieces of salt. Double duh.

  11.

    ouroborosx

    People are talking about users using bad passwords, but let’s not forget whose fault this is. It’s Gawker’s fault for having such bad security in the first place. How the heck do you get your whole password file stolen? That’s out in the early ’90s.

    LastPass sounds okay, until their password file gets stolen?

    I’ll keep doing it my way. A couple of very good passwords for the things that matter and one or two passwords for the throw away stuff like commenting on websites.

    But again, how did Gawker have the password file stolen? It’s such a joke.

  12.

    Beelev

    Kind of stunning that the first inkling I had of this was logging into FB and being told that someone else had accessed my account last night. How they got from A to B I do not know or understand. Pictures, email accounts, etc., all vulnerable. Working backwards, I found an email not from Gawker, but from “teamhint”. The Gawker email showed up 12 hours later. Hard to understand why Gawker/LH/Gizmodo were so arrogant with our information.

Comments are closed.