Gawker hack: Another glimpse into password practices

Are people getting any smarter about password protection?

Have we learned nothing from rockyou.com?

You may recall that earlier this year, security firm Imperva analyzed 32 million passwords that a hacker stole from an application developer called rockyou.com and found that many people were using simple ones, including "password," "rockyou" (the name of the site) and strings of sequential numbers.

Now hackers have once again stolen and posted passwords, this time from Gawker and its related sites, including Gizmodo and Lifehacker.

The most common password, according to a Wall Street Journal analysis of the data dump: "123456," used by more than 3,000 registered Gawker users.

After that:

password
12345678
lifehack (a variation of one of the site names)
qwerty
abc123
111111
monkey
consumer
12345
0
letmein
trustno1 (Fox Mulder's password on "The X Files," and he should have known better.)

The WSJ lists the top 50 passwords from this latest hack, along with a detailed analysis.

Security experts recommend that people use "strong" passwords, generally defined as randomized strings of letters, numbers and symbols, with some letters capitalized, and not based on any words of personal significance (don't use your dog's name or your child's college name, for example). They also recommend a different password for every site that requires one, changing them often, and never writing them down.

Most ordinary people find this advice to be laughably unrealistic -- creating and, more importantly, remembering a couple dozen such strong passwords without writing them down is pretty much impossible. (And for sites where the access is needed only to read and comment on articles, with no payment or personal information stored, many people think complex passwords are superfluous.)
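Why the list above matters even for sites that lock an account after a few bad logins: once a site's password table has been stolen, the attacker no longer logs in at all. The hashes are attacked offline, so lockout never triggers and the only limit is how fast hashes can be computed. The following script is an added example, not code from the article or from Gawker; it builds a constructed "leaked" table (salted SHA-256 is assumed purely for illustration and is not Gawker's scheme), then runs a dictionary attack seeded with the top passwords reported above plus a few cheap mangling rules. The account names and passwords are made up.

```python
import hashlib
import os

# The most common Gawker passwords reported in the article above.
TOP_PASSWORDS = [
    "123456", "password", "12345678", "lifehack", "qwerty", "abc123",
    "111111", "monkey", "consumer", "12345", "0", "letmein", "trustno1",
]

# Constructed sample accounts for the demo; these are not real users.
CONSTRUCTED_ACCOUNTS = {
    "alice": "123456",                       # the number one Gawker password
    "bob": "Monkey1",                        # top-list word plus a trivial suffix
    "carol": "letmein2010",                  # top-list word plus a year
    "dave": "dandelion ferry amber slate",   # constructed passphrase, in no list
}


def hash_password(password, salt):
    # Salted SHA-256 is an assumption for this demo. A real site should use a
    # deliberately slow hash (bcrypt, scrypt, Argon2) to make offline guessing costly.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_dump(accounts):
    """Build the 'stolen' credential table: user -> (salt, hash)."""
    dump = {}
    for user, password in accounts.items():
        salt = os.urandom(8)                 # per-user salt defeats precomputed tables
        dump[user] = (salt, hash_password(password, salt))
    return dump


def candidates(wordlist):
    """Yield guesses: each word plus the cheap mangling rules a cracker applies first."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        yield word.upper()
        for suffix in ("1", "!", "123", "2010"):
            yield word + suffix
            yield word.capitalize() + suffix


def crack(dump, wordlist):
    """Offline dictionary attack over a stolen hash table.

    Returns (recovered {user: password}, number of hashes computed).
    No login attempt is ever made, so account lockout plays no part.
    """
    recovered = {}
    hashes_computed = 0
    for guess in candidates(wordlist):
        for user, (salt, digest) in dump.items():
            if user in recovered:
                continue
            hashes_computed += 1             # each salt forces a separate hash
            if hash_password(guess, salt) == digest:
                recovered[user] = guess
        if len(recovered) == len(dump):
            break
    return recovered, hashes_computed


def demo():
    """Run the attack against the constructed dump."""
    return crack(make_dump(CONSTRUCTED_ACCOUNTS), TOP_PASSWORDS)


if __name__ == "__main__":
    found, tried = demo()
    for user, password in found.items():
        print(f"{user}: {password}")
    print(f"{len(found)} of {len(CONSTRUCTED_ACCOUNTS)} recovered after {tried} hashes")
```

Three of the four accounts fall in a few hundred hash computations; only the passphrase that appears in no list survives, and it survives because the guess space, not the lockout policy, is what protects it. Salting forces the attacker to hash every guess once per user, which is why the count grows with the number of accounts, but with a fast hash that cost is trivial.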

But when we asked our readers, after reporting on the rockyou hack, for tips, we got a few really good ones. Among them:

  • Open a favorite book to a random page and find a phrase. The phrase becomes the password. You can write down the page and line number safely -- it will look like "73 14," and it's doubtful anybody will know what it means. If someone does figure it out, they'd still have to guess which book.
  • Memorize your finger movements when you create the password. When you change it, start on a different first key but make the same movements. You end up with a new, unguessable password already stored in your muscle memory.
  • Combine meaningful phrases and dates with other symbols and codes. One reader told us: "I went to Disney World in 1996, so I start with '96DIsneyworld' (using uppercase for the first two letters). I precede that with two special characters that I always keep the same. Then I precede that with the first letter again in lowercase. That gives me 'd,,96DIsneyworld'. To avoid using the very same password on all my various accounts, for each one I add a lowercase letter just after the digits that represents the system to me (e.g. 't' for the Timesheet system, 'e' for e-mail). This would give me 'd,,96tDIsneyworld' for my Timesheet password."
  • E. Miller of Portland, Ore., recommended making passwords out of stories. "'I walked down Bourbon Street with Sarah in 1992' can be 'bourbon1992Sarah' or many other variations."

About the Author

Technology journalist Michael Hardy is a former FCW editor.

Reader Comments

Tue, Dec 21, 2010 Dave

Love the comment about dictionary attacks! If my account locks out after three failed attempts (most DoD, I think), then what possible value is a dictionary attack? I'd also like to know why they store our previously used passwords: the claim is that we're not allowed to repeat, so this allows the software to prevent repeats; but if you and your hackable system aren't storing my old passwords, how will any hacker know if I'm repeating them over time?

Mon, Dec 20, 2010

Some sites, thankfully not yours, require a user ID and password to post comments. WHY? What value is added? The comment stands or falls on its merit. Only conceited egotists feel they need credit for their brilliant posts. The rest of us just want to comment and be done with it. Don't require unnecessary passwords, and you won't have to worry about people cracking them.

Fri, Dec 17, 2010 Security Guy

I have a 15 random character password for sites that have my credit card information, or other financial data. For other sites, I use a simple, easy to remember password. The worst that can happen is that someone posts with my name? Who cares? And if the site, such as Gawker, is hacked, you have gained nothing of value from me.

Thu, Dec 16, 2010 Idan Shoham

It seems that major breaches like this are becoming quite common. What does that say about the security thinking among people operating the compromised system, and about the security thinking among end users? If you operate a major web site, a big security compromise like this can kill your business. Not investing enough time, money and infrastructure in security means putting your organization at risk of major harm, because of bad press, lost end users, lost advertisers, etc. This is a big deal. If you are a user whose password has been compromised, I guess it depends on how many other systems you sign into with the same ID/password and whether you care about compromise of any/every account that uses the same credentials. At a minimum, once you learn about a compromise like this, you should change your "standard, used for systems I don't care much about" password everywhere. In either case, you can learn about effective password management practices: for organizations (http://bit.ly/dPhpkx) and for end users (http://bit.ly/fewec9) - Idan Shoham, CTO, Hitachi ID Systems

Wed, Dec 15, 2010

At work we have to change passwords periodically. The software remembers the old passwords and prevents you from using one similar to an old one, and most need to be 12 characters or more with the usual mix of letters numbers and special characters. Most people write them down somewhere.
