5 Password Practices That Could Have Stopped The Gawker Attack
Password Practices Gone Awry
If there's one big takeaway from the Gawker Media hack, it's the role of personal responsibility. Sure, the hackers used a brute force attack against Gawker's unpatched, outdated servers and shoddy encryption technology to crack into the database, obtain 1.3 million login credentials, and then post them to the BitTorrent site The Pirate Bay. Then they went ahead and launched a spam campaign against Gawker users who had reused the same password for their Twitter account.
But let's face it, they wouldn't have been able to get as far as they did had Gawker account holders applied simple password best practices, such as using unique passwords for individual accounts, or coming up with something other than the word "password" for their password, to name just two.
While a bit late, here are a few password best practices that would have helped Gawker Media users avoid a world of hurt down the road.
Simple Guessable Passwords
Nothing is more frustrating than spending time on the customer service line because you forgot your password. So it makes sense that users should pick a password that they can easily remember. In fact, two of the most widely used passwords include "12345" and "password" -- even for Gawker account holders.
Of course, this isn't such a great idea. If you can guess it, chances are hackers can too. Or they'll apply tools and software in an attack that make guessing the password a whole lot easier. Relying upon a simple, easy-to-remember password potentially subjects users to brute force attacks that can expose sensitive data. And of course, if personal information, such as a Social Security number or birth date, is included in the password, you're handing over personal information carte blanche that can later be used in identity theft.
So steer clear of dictionary words and up the ante with a combination of letters, numbers and symbols that can stump even the most dutiful of hackers.
Re-using Passwords
Banking. Amazon. PayPal. Yelp. These days, most users have so many accounts, it's almost impossible to keep track of them all. So why not make it easy and use the same password for each one, right?
There's just one problem: hackers who manage to compromise one account will surely have access to all the rest in one fell swoop. Case in point: Gawker account holders who used the same passwords for their Twitter account were subsequently pummeled with a spam attack soliciting an Acai berry diet product.
Meanwhile, not all accounts offer the same level of security. Consequently, many users who re-use passwords for sensitive financial accounts are opening themselves up to the inevitability of identity theft and fraud, should another password be exposed. Best advice is to use a unique password for each and every account, even if it takes a little more brainpower.
Sharing Passwords
It's always tempting to share passwords with a few close friends, co-workers or family members -- especially if someone needs to access your machine while you're away. What could it hurt? They won't tell anyone.
While seemingly harmless, sensitive information such as passwords sometimes has a way of falling into the wrong hands. Even friends and family can gossip, and passwords can eventually reach insiders who will gain unauthorized access to privileged systems or otherwise abuse them. So why play with fire? Best to play it safe and keep your passwords to yourself.
Easy To Access 'Password Reset' Or 'Password Retrieve' Questions
Okay, so you forgot your password. But not to fear ... you have your secret question to help you reset it. All you have to do is answer where you went to high school and your mother's maiden name.
While it seems like a secure way to reset your password, setting a secret question with easy-to-guess information is like straight up handing the keys to your accounts over to the hackers. Thanks to Google and Facebook, most secret question information is easily found online. (Remember the Sarah Palin e-mail hack?) And needless to say, once hackers retrieve a password, they can then easily access all the other accounts that rely on that same login, or similar variations of it.
If you must provide secret question answers, make up the answers. There's no law written anywhere stipulating that you have to answer the questions honestly.
Static Passwords
If you've had the same account for more than a year, there's a good chance that it's been hacked. And once login credentials have been compromised, they generally sit in a database until cyber criminals are ready to use them for nefarious purposes.
So why make it easy for the hackers? Changing your password every four to six months puts the odds in your favor by making it difficult for hackers to access your account, even if the site has previously been compromised.
And wouldn't you feel a little bit better knowing that the hackers had the wrong password stored on their servers?