Beyond the irony of Gawker releasing some of its own secrets for a change - or at least the emails and passwords of its users - are some sobering thoughts about how many of us are using weak and easily cracked passwords, or thinking up one strong password and using it everywhere because we can't manage to remember lots of strong passwords as well as where they're all for.
As we're not all going to get better memories overnight, it's a good time to switch to using password managers and even password generators (read on for our recommendations).
But do you need to change all your passwords today? It would certainly be more secure, but if the effort of changing everything is going to slow you down it's better to prioritise the ones that are most at risk. And those are the ones that are the same as your Gawker, Twitter or LinkedIn passwords (especially if those were all the same). Even more so if your email is in the list of those released from Gawker; if you trust Slate, you can use their handy tool to check your address.
But without a password manager, how do you know which sites you used that same password on? If you only use those sites once in a blue moon and you're not sure which of your repeating passwords you used there, how do you find out what it used to be to? Linked In has done a password reset for every email address that was disclosed from Gawker, so you can't go get a password reminder from them...
If you have a fingerprint reader on your PC and you let that remember your passwords, check the credential manager dialog in it, as that will probably give you a handy list. And if you let IE save your passwords for you, grab a copy of IE PassView (and no, it doesn't have a trojan in, but it does show up as a false positive in some antivirus software ). This will give you a handy list of what password you used on every site that's in the IE history; seeing how often you repeat your password can be a wakeup call. Mary
Locking the stable after the Gawker horse has bolted...
One option is to use a password manager to automatically generate strong passwords for you and automatically fill them in, all strongly encrypted with the one master password that's all you have to remember.
There are plenty of cross-platform tools out there that handle it all for you, like the open source KePass or the Mac user's friend, 1Password. I'm currently using LastPass, which has the benefit of a cloud-based password vault that syncs between all my PCs (Mac, PC and Linux), all my browsers (Firefox, Chrome, Safari and IE) - and, now I've signed up for a premium account, all my phones, with versions for iPhone, Android and BlackBerry (Windows Phone 7 is still some way away, and will really need the cut-and-paste tools that come in the January refresh). When you install LastPass it'll import all your existing passwords, and turn off your old, less-secure, browser-based password management tools.
It's trivially easy to use LastPass. I just log in with my master password every time I turn on my PC, and the browser plugins drop site usernames and passwords in automatically. When I need a new password, I just ask the application to generate one for me automatically, choosing the appropriate strength for the risk associated with a site or service. The new password is automatically stored in the vault, where I can use cut and paste to drop my new password into desktop applications that use web services. If a site's new to LastPass it'll give me the option of saving my current password into the vault or generating a new one. I usually choose to generate a new one, as after all, my old password is likely to be a lot less secure than a random string of upper and lowercase, numbers and punctuation. OF course you're probably wondering just how secure your passwords are, LastPass can analyse what you've got and show you how strong your passwords are, and on how many sites you've fallen into the trap of using the same one again and again.
Password cracking tools are getting better and better, especially thanks to GPGPU processing. A presentation at this year's NVIDIA GPU conference showed that a four node FERMI CUDA array was able to decrypt short randomly generated passwords in a matter of hours - with the presenters recommending that all passwords should be at least 12 characters of completely random characters (including punctuation). It's well nigh impossible to remember that sort of password for all the sites that need log-ins, so it's pretty much time to start using a password management tool.