Yet another million passwords stolen

jpgoldberg (Agile Customer Care, Team Member)
Gawker Media usernames and encrypted passwords published
From http://lifehacker.com/5712785/

If you've registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn't log in using Facebook Connect, then it's best to assume that your username and password were included among the leaked data.


As usual, people are being advised to change passwords that they use for those sites and to change those same passwords elsewhere if used for other things. Indeed, a number of high profile individuals used the same passwords on Twitter and for Gmail as they used with Gawker, and so those have been compromised and abused.

1Password users, of course, should be using strong unique passwords for different logins. This way the compromise of one site doesn't threaten us in other places.

Beyond this all too frequent event reminding us of the importance of using good password management and not reusing passwords (http://blog.agile.ws/post/1118738545/passsword-humor), there are other lessons for those who are responsible for storing users' secrets in the cloud. What follows is based substantially on http://securecloudreview.com/2010/12/cloud-busting-gawkers-breach-and-impact-in-the-cloud/

The password data that were captured and published are encrypted, but according to various claims (I haven't verified this myself) the encryption was weak on two grounds, making it possible that many of these passwords will be cracked by automated password guessing systems.

One weakness is in the choice of algorithm and how it is implemented (DES on the first eight characters only). The other is more typical of on-line and system password storage: there was no use of PBKDF2, which has the effect of making the process of going from (guessed) password to encrypted password deliberately slow.

These two fairly typical design choices suggest that they never anticipated the encrypted password data to be captured. It means that once the encrypted password data fall into the wrong hands, an individual's password may be discovered in a matter of hours or days.

So what about 1Password and cloud storage? The good news is that from the very beginning we designed the 1Password data format to withstand the most sophisticated attacks imaginable if it were to fall into the wrong hands. You can read more about that in

http://help.agile.ws/1Password3/cloud_storage_security.html
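An added example (not code from this post, Gawker, or AgileBits) that models the two weaknesses described above beside a PBKDF2 verifier. The "weak" scheme is a stand-in that truncates to eight characters and applies one fast unsalted hash, mirroring what the post says was reported; the iteration count is an assumed work factor.

```python
"""Truncated, unsalted, fast password storage versus salted PBKDF2."""
import hashlib
import hmac
import os


def weak_store(password: str) -> str:
    # Stand-in for the reported scheme (not the real one):
    # weakness 1: only the first eight characters are ever hashed;
    # weakness 2: one fast hash, no salt, so every guess costs microseconds
    # and the same password hashes identically for every user.
    truncated = password[:8].encode()
    return hashlib.md5(truncated).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


PBKDF2_ITERATIONS = 100_000  # assumption: a deliberately slow work factor


def pbkdf2_store(password: str, salt: bytes = None) -> str:
    # A per-user random salt defeats precomputed tables; the iteration
    # count makes each guess expensive for whoever holds a leaked dump.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample: a long passphrase collides with its 8-char prefix
    # under the weak scheme, but not under PBKDF2.
    stored_weak = weak_store("correcthorse")
    print("weak accepts prefix-only match:",
          weak_verify("correcthorsebatterystaple", stored_weak))  # True
    stored_pbkdf2 = pbkdf2_store("correcthorse")
    print("pbkdf2 accepts prefix-only match:",
          pbkdf2_verify("correcthorsebatterystaple", stored_pbkdf2))  # False
```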

Comments

  • brenty (Team Member)
    I loved the Cloud Security writeup!

    The scary thing is, I have to admit that there are probably a bunch of sites out there that I registered for using the same simple passwords I used to use everywhere... Before I used 1Password to store and strengthen my logins, I used a lot of sites once and never returned. I couldn't even tell you what they were. Fortunately, I have since generated strong passwords for all the important sites that I use regularly. But thinking of all the ones I've long since forgotten that have the same login credentials and that could be compromised at any time still makes me cringe. :unsure:

    Agile needs to come up with a solution to retroactively find all of my orphaned accounts so I can log in and make them more secure! Just kidding. :rolleyes:

    I guess my only consolation is that a lot of sites purge inactive accounts after a set interval. But who knows if that data is still out there somewhere. Just something to think about, I guess... :mellow:
  • khad (Social Choreographer, Team Member)
    Agile needs to come up with a solution to retroactively find all of my orphaned accounts so I can log in and make them more secure! Just kidding. :rolleyes:

    I have thought about this as well.

    On a positive note, if you can't remember the sites, others may have a hard time finding them as well. If they gain access to a lesser known site and get your old password, they will at least not have access to your frequently used sites (like Gmail, Twitter, Facebook, etc.) because those are protected by strong, unique generated passwords now.

    Certainly not a "solution" but it does give me consolation for lack of an actual one. :-)
  • romad (Member)
    I was at a financial application's forum where a poster was advocating storing all financial data on Dropbox. The poster announced that he stores all his 1Password data there. Scary.
  • khad (Social Choreographer, Team Member)
    Romad,

    From the aforelinked "Security of storing 1Password data in the Cloud" document:

    Your secrets in your 1Password data are safe wherever they are stored. Although we don’t recommend making your 1Password database publicly available to the world, we have designed it so that your username and password data (along with other secret data stored within it) is protected no matter whose hands they fall into. For this and other reasons we are very confident when we recommend cloud syncing of 1Password data with Dropbox.


    You can get more information by reading the entire document. Please let me know if you have specific questions or concerns about using Dropbox to store or sync your 1Password data.