The hacking of the Gawker comments database is a good wake-up call for those who’ve been somewhat lax in terms of password protection. In other words, pretty much all of us.
As sites proliferate, we create more and more accounts. And while we know that it’s best to create a unique password for each site (preferably one avoiding words found in the dictionary), it’s not practical to remember dozens of random, unique codes.
Below I’ve provided some suggestions on how to tackle this problem.
But first, I thought it might be helpful to share a copy of the email sent out by Gawker today, or as summed up by a friend, @media_maven who was a recipient, “Dear user: you’re fucked!”
Here’s the official version:
Subject: Gawker Comment Accounts Compromised -- Important
This weekend we discovered that Gawker Media's servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you're a commenter on any of our sites, you probably have several questions.
We understand how important trust is on the internet, and we're deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We're also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we're doing to fix things.
This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.
We're continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.
Gawker Media
For most of us, receiving an email like this will bring on a sense of immediate panic. Quick, off the top of your head, can you think of all the sites where you’ve registered with a password? Sure, the first 8-10 come to mind quickly, but after that, who knows?
For those affected by the Gawker breach, the immediate thing to do is identify the high-risk sites where you’ve used the same password as you did on the Gawker commenting system. Those include social media sites (Facebook, LinkedIn, Twitter, MySpace) plus other heavily used sites like Gmail or Digg. I’d assume you don’t use the same password for financial accounts, but if you do, obviously change those first.
Next, change the password for any site where you might have entered credit card information (don’t forget PayPal).
Tackling those will eliminate the biggest risks. Now, it’s time to start thinking about a more bulletproof password policy, which will help you avoid this problem in the future.
First, at the risk of stating the obvious, your password should never be your first or last name (or, for crying out loud, “password”).
Next, you’ll want to come up with your core password(s). I’d recommend you have three levels of passwords.
1. The most secure (banking, credit cards, etc.) should be a non-obvious password. It should probably have at least 8 characters, and some of those should be symbols rather than letters or numbers. Use a mix of upper and lower case (most, but not all, sites are case-sensitive).
2. A fairly secure password used for any e-commerce sites. I’d also use this for sites like Facebook, iTunes, Twitter, etc., where there is a potential negative impact if someone gets access. I’d also make this one 8+ characters and use at least one symbol.
3. A third password for low-risk sites. These could be unpaid registrations for news sites, commenting sites (like Gawker) and any other site where you need an ID but never divulge valuable information.
OK, now you’ve got three passwords, but you haven’t Gawker-proofed yourself. If one of those sites is hacked, your password could be used at any of the others.
In this scenario, I’m using the following 3 passwords. I’ll use bands I like as the core, so I can more easily remember them. You can pick anything you'd like, but make it something not obvious to the casual visitor to your Facebook page, for example.
1. !LouReed
2. TheCl@sh
3. Runaways
The next step is to add a unique character or two to each password based on the site where you’re registered. The easiest way to do this is to add a letter or two from the site name (or URL) to your secure password.
For example, using password2 for Facebook, it might be FaTheCl@sh. For LinkedIn, it could be LiTheCl@sh. For even greater security, insert the site-specific letters into the middle of the password. Or, rather than the first 2 letters of the site, take the last two in reverse order (“Ko” for Facebook, “Ni” for LinkedIn).
At this point, you should be able to create completely unique and difficult to hack passwords for each site, yet easily remember them.
The last step is designed to make sure you change the password frequently. It probably makes sense to change your passwords quarterly, at least for the high security sites. An easy way to do that is to change them at the start of each quarter. Add the number for the current month to the password.
So, if I were using password2 on Facebook, and it was the beginning of the second quarter, my password would be FaTheCl@sh4. In July, at the start of Q3, I’d change it to FaTheCl@sh7.
The last thing I’d suggest is to minimize the number of sites where you have to create a user ID. Visiting an e-commerce site that you’ve never used before (and don’t plan to use again)? Put away the credit card and use PayPal. That’s one less place holding your credit card info. For commenting on blog sites like Gawker, many sites use third-party platforms like Disqus or allow you to connect via Twitter’s OAuth. Use these approaches wherever possible (and I encourage blogging and news platforms to adopt them as well, rather than using proprietary comment systems).
Is this system impenetrable? Hardly. But like the camper being chased by the bear*, you don’t have to have the most secure password in the world. You just need yours to be more secure than most others, so it’s not worth the effort to hack yours.
(* for those who don’t know the joke, 2 campers are being chased by a bear. One says “quick, run up this hill”. The other responds “you’ll never outrun the bear”. The first responds “I don’t have to outrun the bear; I just have to outrun you”).
Of course, you’ll want to take this approach and tweak it to meet your own needs. My passwords don’t follow this precise format, but they use a similar variation.
What methods do you use?