Gawker Media usernames and encrypted passwords published
If you've registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn't log in using Facebook Connect, then it's best to assume that your username and password were included among the leaked data.
As usual, people are being advised to change passwords that they use for those sites and to change those same passwords elsewhere if used for other things. Indeed, a number of high-profile individuals used the same passwords on Twitter and for Gmail as they used with Gawker, and so those accounts have been compromised and abused.
1Password users, of course, should be using strong, unique passwords for different logins. This way the compromise of one site doesn't threaten us in other places.
Beyond this all too frequent event reminding us of the importance of using good password management and not reusing passwords (http://blog.agile.ws/post/1118738545/passsword-humor), there are other lessons for those who are responsible for storing users' secrets in the cloud. What follows is based substantially on http://securecloudreview.com/2010/12/cloud-busting-gawkers-breach-and-impact-in-the-cloud/
The password data that were captured and published are encrypted, but according to various claims (I haven't verified this myself) the encryption was weak on two grounds, making it possible that many of these passwords will be cracked by automated password guessing systems.
One weakness is in the choice of algorithm and how it is implemented (DES on the first eight characters only). The other is more typical of online and system password storage: there was no use of PBKDF2, which has the effect of making the process of going from a (guessed) password to its encrypted form deliberately slow.
These two fairly typical design choices suggest that the designers never anticipated that the encrypted password data would be captured. It means that once the encrypted password data fall into the wrong hands, an individual's password may be discovered in a matter of hours or days.
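The two weaknesses just described (only the first eight characters matter, and one fast operation separates a guess from a match), set beside a salted PBKDF2 scheme, as an added Python example that is not from the original post or from 1Password. The MD5-over-truncated-password function is a constructed stand-in that reproduces the property of the DES-based scheme, not Gawker's actual code; the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def weak_store(password: str) -> str:
    """Constructed illustration of the weak scheme: the stored value
    depends only on the first eight characters, and a single fast hash
    stands between a guess and a match."""
    return hashlib.md5(password[:8].encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


def strong_store(password: str, salt: bytes = b"") -> str:
    """Hardened scheme: random per-user salt plus PBKDF2-HMAC-SHA256 over
    the full password, with a deliberately high iteration count. The
    record format 'pbkdf2_sha256$iterations$salt$digest' is assumed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def cost_per_guess(stored: str) -> int:
    """Number of hash operations needed to test one candidate password
    against a stored record: 1 for the weak scheme, ITERATIONS for PBKDF2."""
    if stored.startswith("pbkdf2_sha256$"):
        return int(stored.split("$")[1])
    return 1


if __name__ == "__main__":
    # Two passwords that share their first eight characters collide under
    # the weak scheme but are distinct under the hardened one.
    print(weak_store("correcthorse") == weak_store("correcthorsebattery"))
    rec = strong_store("correcthorse")
    print(strong_verify("correcthorse", rec), strong_verify("correcthorsebattery", rec))
    print(cost_per_guess(rec), cost_per_guess(weak_store("correcthorse")))
```

The ratio of the two `cost_per_guess` values is the factor by which PBKDF2 slows an offline guessing run against a leaked record, which is what the post means by "deliberately slow".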
So what about 1Password and cloud storage? The good news is that from the very beginning we designed the 1Password data format to withstand the most sophisticated attacks imaginable if it were to fall into the wrong hands. You can read more about that in