The Gawker blog network got hacked by some pissed off hackers who released a dump of the emails and encrypted passwords of 1.2M Gawker users. Cracking a password database like this is pretty easy (see Duo Security), I’ve seen 180,000 cracked already. Top 5: 123456, password, 12345678, lifehack, qwerty.

Poor Gawker, they’re screwed, right? No, we’re all screwed. People frequently use the same password on multiple sites. Now Twitter is awash in acai berry spam thanks to shared Gawker passwords. This kind of database theft happens all the time, the only difference with Gawker is the stolen goods were released publically.

You can laugh at the people who use weak passwords, but do you really want to remember a random string like 5Bfw7Gvil4Eg to comment on the latest Valleywag gossip? You can laugh at the people who share passwords at multiple sites, but seriously, who’s got the time to manage 300+ different strong passwords?

How do we end passwords? OpenID for logins to most sites. Two factor authentication to secure important passwords. This stuff works right now: I applaud the StackExchange sites for launching using only OpenID login. And I applaud Twitter for shipping OAuth: folks who posted to Gawker via their Twitter identities weren’t compromised.

Passwords are an inhumane form of account security. They are bad user design. It is time to stop using passwords for most sites.

  2010-12-13 18:32 Z