Repeat after me: "Reusing passwords is BAD!"


Summary: a hacker group going by the name of Gnosis compromised the Gawker Media network (made up of popular websites such as Lifehacker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku, Deadspin, Fleshbot, and Gawker itself) and liberated not only the source code for the site, but also the entire user database consisting of about 1.3 million usernames, email addresses, and password hashes. In an ideal world this wouldn't be a problem, but this is far from an ideal world, so it has the scope to be a pretty big deal.



"Reusing passwords is BAD!"

The problem is not so much that someone could crack your password and post stupid stuff under your name all over the Gawker network (people seem capable of doing that for themselves ... just joking!), no, the problem is that people (many people, many people who should know better ...) reuse passwords. Folks think up one good password, one that they think they'll remember, and then they use it all over the place. Using the same password for, say, Gawker and here on ZDNet might not be that big of a deal, but using the same password on Gawker as you do at Amazon and Apple would be a big deal. If any one of these sites is compromised, you're open on all of them.

So, what can you do? Well, by far the best thing to do is make sure that you have a unique username and password for each and every web logon you have. That way if one is compromised, the rest are safe.

Note: It might not always be possible to have a unique username, as many sites and services use your email address as the username, but I've found it useful to try to do this because you can also easily spot companies that are passing on your email address to third parties.

"Reusing passwords is BAD!"

Once you decide that you're going to have a different password for every account, you'll quickly get to the point where you'll need a password manager to keep track of things. Not only will a password manager act as a secure repository for your passwords, but it should also make managing and creating new passwords for accounts easy. For years I went with a free, open source application called Password Safe. This worked great until I started using iOS powered iPhones and iPads more, then I needed something that was cross-platform. After a lot of testing I went with an application called SplashID on both the desktop and mobile devices. It's a great program that allows easy syncing of passwords between desktop and mobile devices.

Jon Oberheide over on Duo Security has carried out some analysis of the leaked data and discovered some interesting stuff. Out of the 1.3 million hashes he took some 560,000 crackable password hashes and used the John the Ripper tool to do the heavy work of cracking the passwords. Of those 560,000, it took Oberheide one hour on an 8-core Xeon machine to bust 190,000 passwords. Pretty good work. From this he created a top ten listing of the passwords recovered, and it makes interesting reading:

  • 302 gizmodo
  • 225 gawker
  • 170 kotaku
  • 86 Highlife
  • 76 sample12
  • 56 qaz159
  • 42 bobafett
  • 38 timosha
  • 37 p4ssw0rd
  • 37 okies

You might be expecting to see the password "password" appear high up in the top ten list. It doesn't, not because people are too smart to use it, but because Gawker, like sites such as Twitter, maintains a list of banned passwords, preventing people from using blindingly obvious passwords.
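A registration-time check along those lines, written here as an added example (not Gawker's or Twitter's code). The top ten above shows why a bare banned list is not enough: site names and a leetspeak variant of "password" sailed through it. The banned list, site names and leetspeak table are constructed assumptions.

```python
from typing import Optional

# Constructed (illustrative) banned list; a real one would be far longer.
BANNED = {"password", "123456", "qwerty", "letmein", "abc123"}

# Site names from the network; several topped the cracked list above.
SITE_NAMES = ("gawker", "gizmodo", "kotaku", "lifehacker", "jezebel", "io9")

# Assumed leetspeak substitutions, folded back to letters before checking,
# so "p4ssw0rd" and "P@$$w0rd" are compared as "password".
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase and undo common leetspeak before any list comparison."""
    return password.lower().translate(LEET)


def reject_reason(password: str) -> Optional[str]:
    """Return why a password is rejected, or None if it passes the policy."""
    norm = normalize(password)
    if norm in BANNED:
        return "on banned list"
    for site in SITE_NAMES:
        if site in norm:
            return f"contains site name '{site}'"
    if len(password) < 8:
        return "too short"
    return None


if __name__ == "__main__":
    for candidate in ("p4ssw0rd", "gizmodo2010", "qaz159", "Highlife"):
        print(f"{candidate!r}: {reject_reason(candidate) or 'accepted'}")
```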

"Reusing passwords is BAD!"

Other stats relating to the passwords:

  • The vast majority (99.23%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols.
  • Of the passwords that were alphanumeric, about 45% were composed of strictly lowercase alphabetic characters, 11% were strictly numeric, less than 1% were strictly uppercase alphabetic characters, and the rest were mixed alphanumeric.
  • Of the unique passwords among those cracked, approximately 118,000 (62%) are used by only a single user (that is, they've selected a password that no one else has). Similarly, 17,000 (9%) are passwords that are shared by only two users and 5,000 (2.5%) are shared by only three users.
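To show how a breakdown like that is computed, here is an added example (not Oberheide's analysis code) that classifies a small constructed sample of cracked passwords by character class and counts how many distinct passwords are used by exactly one, two or three users:

```python
from collections import Counter

# Constructed sample of "cracked" passwords, one entry per user; values are
# borrowed from the top ten above plus a few made-up ones for coverage.
SAMPLE = ["gizmodo"] * 3 + ["gawker"] * 2 + [
    "Highlife", "sample12", "qaz159", "p4ssw0rd", "ABCDEF", "pa$$word", "123456",
]


def char_class(pw: str) -> str:
    """Bucket a password the way the quoted stats do."""
    if not pw.isalnum():            # any symbol or space lands here
        return "symbols"
    if pw.isdigit():
        return "numeric"
    if pw.isalpha() and pw.islower():
        return "lowercase"
    if pw.isalpha() and pw.isupper():
        return "uppercase"
    return "mixed"                  # mixed case and/or letters plus digits


def password_stats(cracked):
    """Return (class percentages, {users: distinct passwords shared by that many users})."""
    n = len(cracked)
    classes = Counter(char_class(p) for p in cracked)
    pct = {k: round(100 * v / n, 2) for k, v in classes.items()}
    pct["alphanumeric"] = round(100 - pct.get("symbols", 0), 2)
    # Count users per distinct password, then how many passwords have 1, 2, 3 users.
    users_per_pw = Counter(Counter(cracked).values())
    return pct, {k: users_per_pw.get(k, 0) for k in (1, 2, 3)}


if __name__ == "__main__":
    pct, sharing = password_stats(SAMPLE)
    print(pct)      # e.g. lowercase 41.67%, alphanumeric 91.67%
    print(sharing)  # {1: 7, 2: 1, 3: 1}: gizmodo shared by 3, gawker by 2
```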

"Reusing passwords is BAD!"

So, the bottom line:

  • Stop reusing passwords!
  • Have in place an effective password manager - don't try to remember this stuff.
  • Change important passwords regularly.
  • Enjoy life!

If people didn't reuse passwords, this incident would be a minor hassle for those frequenting Gawker. But since some people are hell-bent on reusing passwords, a small leak turns into a really big deal.

Makes sense? Get to it then!


Talkback

28 comments
  • . . . and select a better hash . . .

    And to the websites that had their passwords cracked: Select a better hash, and use a unique salt. Passwords shouldn't be this easy to crack :(.
    CobraA1
  • RE: Repeat after me:

    . . . and it looks like the Pirate Bay no longer has that leaked database available - I get a 404 error. Hopefully it doesn't come back.
    CobraA1
  • Careful about patterns too

    Also be careful about a fairly obvious pattern to generate "unique" passwords. I know someone who used to use her full initials (which few people know) plus the site or company, e.g., wxyzamazon.
    Rick_R
  • It's almost 2011 ...

    ... and the entire internet's security and identity model is *STILL* based on a user provided and typed username and password.

    We deserve what comes to us!
    bitcrazed
    • RE: Repeat after me:

      @bitcrazed

      That is because the random letter/number passwords that they want to give you on these sites are FARKING HARD TO REMEMBER!

      Hell, I have to keep a password reset thing that one site sent me with the random password (which I never changed) in Thunderbird so I can remember the damned thing!
      Lerianis10
  • RE: Repeat after me:

    Repeat after me, "This topic is worn out!"
    james347
    • RE: Repeat after me:

      @james347
      You say that, but still people use weak passwords. But I'd guess most of the folk who'd see this post wouldn't be in that category.
      steve_jonesuk@...
  • RE: Repeat after me:

    How many passwords can you remember when you access so many registered websites?
    hellowiki
    • RE: Repeat after me:

      @hellowiki I totally agree with you. But thank God for that "Forgot Password?" feature. But then again, in e-mails, it's kinda hard for us to keep track of different passwords if you have like 4 or more e-mail addresses.

      http://myinternettvsoftware.com
      seangreyhanson
    • RE: Repeat after me:

      @hellowiki

      Only a very few, which is why I keep a password protected and ENCRYPTED rar file with a .odt file in it of all my passwords on various sites.

      About once a month, I have to go through it because even though I save all my passwords in Firefox and Chrome..... some aren't able to be saved that way.
      Lerianis10
  • password manager

    So you get yourself a password manager; so what you have is a password to guard all of your passwords. Sounds like a plan.
    sashley_z
    • It's actually not a bad plan.

      @sashley_z

      I have over 100 passwords in my password manager's database. The password protecting it is a relatively short 16 characters that contain no English words. In those 16 characters are upper and lower case letters, numbers and special symbols for roughly 12,933,699,143,209,908,517,669,873,647,616 possible passwords.

      Just in case that didn't represent enough protection, the entire database goes through more than 51 million AES encryption passes just to add a time constant to any brute force attacks.
      Letophoro
      • RE: Repeat after me:

        @Letophoro only 100? cripes, you need to get out more... I would say that I should have well over 1,000 at least if I counted them all...
        quentinjs
    • RE: Repeat after me:

      @sashley_z yes, because of the hundred or so forums I frequent occasionally, where saved passwords have been deleted with the cache in between visits, I want to open my password manager every time. Sounds trivial, but when I want to post on a site it's usually a fairly impulsive thing, and having to arc up a password manager kills the impulse. I just decide I couldn't be bothered. (btw my password manager is a password protected excel doc - it contains passwords for forums etc. Any finance or security related passwords are in my head and not in any doc or software).

      Another way around this is to simply have classes of passwords. For example all my forum and social networking related user id's all match. My username is pitdroidtech (so far I've never had to choose anything different - it's always available) and the password is.....NOT something Star Wars related ;-)

      That way I can have maybe 4-5 different passwords protecting accounts that allow money to be spent, that I memorise, then pretty much everything else uses the same password.

      It's not foolproof by any means, but it protects the important stuff while allowing me to manage my online life without need of a password manager.

      Another negative of a password manager, at least a computer based one, is that it doesn't help if you are online somewhere else trying to log in to a forum.
      pitdroidtech
      • I do precisely the same

        @max_wedge

        I have three levels of passwords: "Level 1" is separate IDs and passwords for all critical accounts. "Level 2" is one ID and (difficult) password for several important, but not critical accounts. "Level 3" is one ID and (easy) password for a whole range of unimportant sites.
        Daniel Breslauer
  • Opinion Check

    Hey there,

    I want a quick opinion check of the readers here. To prevent flooding the boards, just a "Yes" or "No" answer please.

    Is using a password based on the website for low security sites an acceptable risk? By low security sites, I mean ones like this one, or Gawker or the like where you ONLY use the account to post comments.

    What do you think?
    Mikey
    mikey3211
    • RE: Repeat after me:

      @mikey3211, it's probably no big deal, but why not just have ONE password, something completely unrelated and complex, that you memorise ONCE for all your low security web sites like this one? Once you've memorised the password, and if it's sufficiently complex so won't be hacked, you can use it widely safely.
      pitdroidtech
      • RE: Repeat after me:

        @max_wedge
        I use the "simple but different passwords" approach for low-risk sites. It's not much more effort than just remembering one.
        My bank and shopping ones stay in my head.
        steve_jonesuk@...
  • Reusing Passwords

    Good advice Adrian, as usual. I'll be busy entering a lot of new passwords in the sites I visit.
    nikacat
  • RE: Repeat after me:

    I think it's overkill. Keep non-repeated passwords for your important stuff, for example banking or anything that has stored credit card details. Otherwise I don't see the big deal.
    pitdroidtech