Gawker and Passwords

Recently, hackers broke into Gawker’s site (a media commentary network) and then published thousands of usernames and passwords. This prompted calls for people to change their passwords and even their email addresses.

But here is why we should be more worried. The hackers who did this did one disservice — hacking — but also a ‘kind of’ service — disclosing what they had done. This allowed people to take action; unless, that is, you had a password like ‘1234’ or ‘password’ and therefore didn’t care about people breaking into your accounts.

The alternative was that they hacked and didn’t disclose it, and instead used the password information covertly. All of their monetary incentives (having already got over the moral hurdle of criminal activity) were to obtain the information and sell it. Moreover, the information was at its most valuable if no one knew they had it.

The point is that the Gawker hack is the one we know about. Simple economics tells us that there are surely many others we don’t know about, and so we are in trouble. Sadly, this leads us down the route of regular password rotation. One of these days this mess is going to come to a head.

2 thoughts on “Gawker and Passwords”

  1. This brings to mind the original meaning of the word “hacking.” People hacked to satisfy their curiosity about how things worked. It moved into exposing poor/lax security, and more recently the media simply attribute it to “bad things.”
    As the link Oliver posted describes, Gawker has done something quite stupid. They actually store passwords in their database. There is absolutely no need for any system to store a password in cleartext or in a reversibly encrypted format.
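To illustrate the point made in this comment, here is an added example (not code from the post or its commenters) of storing only a salted, iterated hash and checking a login against it, so that a dump of the user table never contains the password itself. The algorithm and parameter choices (PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte salt) are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment would tune the
# iteration count to its hardware and review it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what the database should hold: a per-user random salt and the
    derived key. The password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(password: str, record: dict) -> bool:
    """Re-derive the key from the stored salt and compare in constant time,
    so a login check needs no stored or reversible copy of the password."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def leaked_record_contains_password(password: str, record: dict) -> bool:
    """What a dump of this table would give away: the password string itself
    does not appear in the stored record."""
    return password in str(record)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec))  # True
    print(verify("1234", rec))  # False
```

Because each user gets a fresh random salt, two users who chose the same weak password still end up with different stored hashes, so a leaked table does not reveal who shares a password.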


