Recently, hackers broke into Gawker’s site (a media commentary outlet) and then published thousands of usernames and passwords. This prompted calls for people to change their passwords and even their email addresses.
But here is why we should be more worried. The hackers who did this did one disservice — hacking — but another ‘kind of’ service — disclosing what they had done. This allowed people to take action; that is, unless you had a password like ‘1234’ or ‘password’ and therefore didn’t care about people breaking into your accounts.
The alternative was that they hacked and didn’t disclose it. Instead, they could have used the password information covertly. All of their monetary incentives (as they had got over the moral hurdle of criminal activity) were to obtain the information and sell it. Moreover, the information was at its most valuable if no one knew they had it.
The point is that the Gawker hack is the one we know about. Surely, simple economics tells us that there are many others we don’t know about, and so we are in trouble. Sadly, this leads us down the route of regular password rotation. One of these days this mess is going to come to a head.