If you’ve used the Gawker media service in the last year or so, you’re probably aware of the massive account information leak that occurred in late 2010. In this security breach, the user database, containing 1.3 million users, was leaked. This breach shows that even huge sites with millions of users aren’t safe from simple hacking techniques. Furthermore, these sites don’t always use simple techniques like password salting, proper hash algorithms, and good Internet security practices to protect themselves and their users. However, Gawker’s experience provides a lesson to users regarding Internet password security measures.
The user account database dump contained information for 1.3 million users, just over 8,000 of which had crackable passwords. Results of the password crack showed that about four per cent of users were using one of the passwords 123456, password, 12345678, lifehack, or qwerty. Also high on the list of common passwords were number sequences, words, and names. This shouldn’t come as a surprise. Strong passwords are characterized primarily by their uniqueness, so you won’t find a lot of other users using the same password. However, this leak demonstrates that many Gawker users are vulnerable due to their use of weak passwords; or, perhaps, that Gawker users are actually so secure they’re using simple passwords like 123456.
Consider a security-savvy Internet user. She has two or three very strong passwords. Because of the uniqueness and length of these passwords, she can only remember three. She reuses the same three passwords for all of her online accounts, from email to Facebook to online banking. Now, in a password leak, one of her passwords is made publicly available. Additionally, her e-mail address is associated with the leaked account. Unfortunately, she uses the same password for her e-mail as for the leaked account. Now her e-mail is exposed to anyone who wants to take a look. Furthermore, in her e-mail are her bank statements, which contain enough information to determine her account numbers. In another unfortunate mishap, she is using the same password for her online bank account as for her e-mail.
Now, despite taking proper security measures, the user has become an easy target for identity theft as a result of the account leak.
In contrast to this, some Internet users divide their online accounts into two tiers: high priority and low priority. For high priority accounts, like e-mail, online banking, and myMcGill, the user uses one of a few strong passwords. However, for low priority accounts, like Gawker, Twitter, and other things of that nature, the user opts for a dummy password. Now, in the same leak, this user has had his news-site account compromised, but because he is using a different, stronger password for his e-mail, his important accounts are still safe. By using dummy passwords for accounts which he doesn’t care about, the user has made his online life more secure.
This tiered approach can be taken to the next level by creating a separate e-mail address linked only to low priority accounts, so that security breaches relating to those accounts don’t reveal any important user information. This also has the desirable side effect of quarantining spam mail in the secondary e-mail account.
While it is not likely that the tens of thousands of Gawker users with weak passwords are employing this tiered approach to online account management, there’s actually a valid reason to use seemingly foolish passwords. For sensitive accounts, secure passwords should always be used. A password’s security is a function of its length and its mix of capital and lowercase letters, numbers, and symbols. However, in some cases, abc123 might actually be the most secure password of all.
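The length-and-mix formula above has a catch that the leaked list makes visible: a password that appears on a common-password list is only as strong as a guess from that list, however long it is. The following added example (not code from the article) scores passwords both ways; the common-password list is constructed from the passwords the article names, and the weak/moderate/strong cut-offs are assumptions chosen for illustration.

```python
import math
import string

# Constructed from the common passwords named in the article; a stand-in for
# the full cracked list, which is not reproduced here.
COMMON_PASSWORDS = {"123456", "password", "12345678", "lifehack", "qwerty", "abc123"}

# Character classes and their sizes, as used by the naive length/mix formula.
CHARSETS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 symbols
]


def charset_entropy_bits(password):
    """Naive strength estimate: length * log2(size of the classes actually used)."""
    alphabet = sum(size for chars, size in CHARSETS if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def effective_entropy_bits(password, common=COMMON_PASSWORDS):
    """Same estimate, except that a listed password is credited with no more than
    log2(list size) bits: an attacker tries the list before any brute force."""
    if password in common:
        return math.log2(len(common))
    return charset_entropy_bits(password)


def rate(password):
    """Return (naive_bits, effective_bits, tier); the tier uses the effective value.
    Tier thresholds (40 and 60 bits) are assumed cut-offs for this illustration."""
    naive = charset_entropy_bits(password)
    effective = effective_entropy_bits(password)
    tier = "weak" if effective < 40 else "moderate" if effective < 60 else "strong"
    return round(naive, 1), round(effective, 1), tier


if __name__ == "__main__":
    for pw in ["12345678", "lifehack", "abc123", "Correct-Horse7Battery"]:
        print(pw, rate(pw))
```

The digit-only "12345678" and the letter-only "lifehack" score 26.6 and 37.6 bits by the formula, yet both collapse to about 2.6 bits once the list is consulted, which is why the formula alone is not a sufficient check for high priority accounts.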