Gawker Hack Proves Password Security Sucks
Gawker isn’t a tiny fly-by-night website. Rather, it is a big internet media conglomerate that runs several high-traffic websites. Like many websites, they make you create an account in order to comment or access certain material on their websites. Their user accounts database was hacked and then posted online. Although passwords were encrypted, they are now being unencrypted by hackers. This latest security fiasco shows that online security is a relative term.
As a freelance writer I read a lot to stay current as well as for pleasure. Sometimes, I like to participate in a conversation or online community. Like many users, I consider the user accounts created for no purpose other than being able to comment on a website or participate in their forums unimportant. Thus, like many users I got lazy about the security of those accounts.
Often, I comment on only a handful of articles. Sometimes, I comment on just a single article. Creating, remembering, and using a strong password for these accounts is not worth the hassle. Fortunately, the LastPass plug-in has solved this issue for me by allowing me to generate a secure password, save that password, and most importantly, make said password available on any computer I use.
Unfortunately, there are many, many, websites and user accounts out there that I used prior to implementing LastPass. On many of those I used a strong password. However, that password was re-used on multiple accounts. That means that changing my Lifehacker.com password after the Gawker hack (Lifehacker is one of Gawker’s websites) isn’t enough. The same username and password combination may exist on other websites that I have used in the past. Those that were imported into LastPass were easy to track down. It’s too bad there are a lot of them. I’ll have to waste time changing them all manually.
The thought of just leaving them since, as I said earlier, they are not "important" has occurred to me. However, there are two major problems with that strategy. First, and foremost, I don’t want someone impersonating me in such a way as to damage whatever reputation I have with a certain community. Second, while I fake info most of the fields required to sign up for user accounts like these, there might be some real data out there that I don’t want someone finding.
Staying Secure Online Gawker Lessons
The Gawker security breach provides some unpleasant lessons. The two biggest issues are not even being addressed by the media, tech bloggers, or anyone else. I find that more than a little disturbing. Unless we get details on how exactly the Gawker hack happened and find that it was a grossly incompetent security setup that was breached, we have to assume the following.
- Any site can be hacked.
- Even encrypted passwords can be unencrypted.
Which brings me to some very unfortunate requirements for online security for users.
- Leave as much information blank as possible when signing up for anything online.
- Fake as much information as possible when it is "required" by the site.
- Change real information to fake information as soon as possible. (For example, you have to use your real address when something is being sent to you, but you can change it to 55 Baloney Way as soon as you receive it.)
- Never use the same password more than once.
- Never store your passwords online.
The last one is the one that really bothers me.
You see, LastPass stores all of my passwords and usernames online. Big websites try and make this less scary by calling it "the cloud". Either way, it’s a database that can be attacked, breached, and copied. Even though those passwords are encrypted, it’s only a matter of time to unencrypt them.
How juicy of a target would LastPass be for hackers? Once compromised, how many usernames and passwords would you have to change just to be safe?
The user accounts compromised by the Gawker breach are annoying to me. The ones stored on LastPass could ruin me.
I’ll do some research before doing anything hasty, but it would seem that unless I can store my LastPass passwords locally without online storage, I’ll have to go back to using KeePass and replicating the database to my computers instead of keeping my data "in the cloud."