The Gawker blog network got hacked by some pissed off hackers who released a dump of the emails and encrypted passwords of 1.2M Gawker users. Cracking a password database like this is pretty easy (see Duo Security), I’ve seen 180,000 cracked already. Top 5: 123456, password, 12345678, lifehack, qwerty.

Poor Gawker, they’re screwed, right? No, we’re all screwed. People frequently use the same password on multiple sites. Now Twitter is awash in acai berry spam thanks to shared Gawker passwords. This kind of database theft happens all the time; the only difference with Gawker is that the stolen goods were released publicly.

You can laugh at the people who use weak passwords, but do you really want to remember a random string like 5Bfw7Gvil4Eg to comment on the latest Valleywag gossip? You can laugh at the people who share passwords at multiple sites, but seriously, who’s got the time to manage 300+ different strong passwords?

How do we end passwords? OpenID for logins to most sites. Two-factor authentication to secure important passwords. This stuff works right now: I applaud the StackExchange sites for launching using only OpenID login. And I applaud Twitter for shipping OAuth: folks who posted to Gawker via their Twitter identities weren’t compromised, because Gawker held only a revocable OAuth token, never their Twitter password.

Passwords are an inhumane form of account security. They are bad user design. It is time to stop using passwords for most sites.

techbad
  2010-12-13 18:32 Z