Gawker hack underscores flaws with passwords

Dec 19, 2010 By JORDAN ROBERTSON , AP Technology Writer

The fallout from a hacking attack on Gawker Media Inc. a week ago underscores a basic security risk of living more of our lives online: Using the same username and password for multiple sites is convenient, but costly.

After the attack on the publisher of such blogs as Gawker and Jezebel exposed account information on as many as 1.4 million people, several unrelated companies had to freeze their accounts and force users to reset passwords.

Gawker Media itself didn't have all that much sensitive information about its users. But the usernames and passwords obtained there could open doors to more valuable accounts elsewhere, including e-mail and banking.

, Inc. and Yahoo Inc., among others, saw the potential damage and began resetting their passwords en masse, disrupting users as they tried to check their e-mail or post a tweet.

"It shows one of the fundamental problems with passwords - they get reused and shared across multiple sites," said Jeff Burstein, a senior product manager with the Corp. security firm.

Despite repeated warnings from security companies not to do so, users tend to reuse passwords anyway because they can be hard to remember and manage. Users may have dozens, perhaps hundreds, of accounts - for e-mail, Twitter, e-retailers, banks and the growing number of news websites and blogs requiring registration.

Although account information gets compromised all the time, the infiltration of Gawker's servers is noteworthy because the hacked data were posted online, for free. In most other breaches, the stolen data are never made public, but sold underground to criminals.

Because the databases were freely available, other sites were able to score the data and look for matches with their users.
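The matching step described above, as an added example (not the article's or any named company's code): a site that stores only per-user salted hashes cannot read its own users' passwords, but it can run each leaked plaintext through the matching user's salt and flag accounts that reused the leaked password. The user records, dump rows and PBKDF2 parameters are constructed assumptions.

```python
"""Cross-check a public credential dump against locally stored salted hashes."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; real sites choose their own


def hash_password(password: str, salt: bytes) -> bytes:
    """Per-user salted slow hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def find_reused_credentials(users: list, leaked: list) -> list:
    """Return usernames whose local password equals the one leaked for that name.

    Only dump rows whose username exists locally are tried, and each candidate
    is compared in constant time against that user's own salted hash.
    """
    by_name = {u["username"]: u for u in users}
    flagged = set()
    for name, leaked_pw in leaked:
        user = by_name.get(name)
        if user is None:
            continue
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.add(name)
    return sorted(flagged)


# Constructed sample data: three local users and a dump with two overlapping names.
USERS = [
    make_user("alice", "correct horse battery"),
    make_user("bob", "hunter2"),
    make_user("carol", "Tr0ub4dor&3"),
]
LEAKED_DUMP = [
    ("alice", "correct horse battery"),  # reused: same password on both sites
    ("bob", "different-elsewhere"),      # same username, different password
    ("dave", "hunter2"),                 # not one of our users
]

if __name__ == "__main__":
    print("force reset for:", find_reused_credentials(USERS, LEAKED_DUMP))  # ['alice']
```

Accounts returned by find_reused_credentials are the ones to lock and force through a reset, which is the disruption the article describes at Twitter, Google and Yahoo.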

Twitter acknowledged resetting some passwords for its 175 million users after hackers used the Gawker data to break into Twitter accounts and pump out links to a site selling acai berry drinks.

At least two of the biggest web e-mail providers, Yahoo and Google, also reset some passwords. Neither would say how many of its users were affected. Google described it as a "small subset" of its users.

Job-networking service LinkedIn also changed a small number of its 85 million users' passwords.

Some websites said the breach didn't affect them because they don't rely solely on passwords.

JPMorgan Chase & Co. said it didn't have to change any passwords because the bank has "multiple layers of security."

Banks typically require security questions and other challenges beyond just usernames and passwords to get into their sites, particularly when someone logs on from a specific computer for the first time.

So what can be done to better protect consumers? Security experts say the Gawker breach shows that it's time to move beyond passwords.

But people are used to needing only usernames and passwords to log onto accounts, and piling on more layers of security can be a hassle.

Many sites are trying to do the best with what they've got and what they think their users will accept. They require strong passwords that are tough to break with "brute force" attacks - using computers to keep trying commonly used passwords against an account until one works.

But those requirements have made it harder for people to remember their passwords, and that increases the likelihood that they'll be used across multiple sites.

Security tools that take advantage of smart phones can make it harder for strangers to break into your accounts. You're given a code through your phone to enter on the website with your password. That way, the website knows it's not a hacker, who wouldn't have access to your phone.

Burstein said imposing additional layers of security on users can backfire if the measures are too cumbersome, but added that the push for mobile phone applications has been well received.

User comments : 5

3 / 5 (2) Dec 19, 2010
Hackers aren't the only problem either - for many websites the site administrators can see everyone's password. Do you trust them? One easy solution is to have one base password that you can remember, which you then modify for each website you use based on something like the URL or website title. As long as you do it in a non-obvious way this gives you only one password to remember, and a different password on every site you use.
5 / 5 (2) Dec 19, 2010
Hackers aren't the only problem either - for many websites the site administrators can see everyone's password. Do you trust them? One easy solution is to have one base password that you can remember, which you then modify for each website you use based on something like the URL or website title. As long as you do it in a non-obvious way this gives you only one password to remember, and a different password on every site you use.

Wrong. Most site administrators can only see hash equivalents of passwords.
1 / 5 (1) Dec 19, 2010
I'm guilty of not always using clever enough passwords, but I have almost nothing of any importance on the internet.

Still, that approach you just gave isn't really sufficient any more either. Each new generation of computers is so much faster that the hackers are able to try more and more stuff to get on your account.

Everyone literally needs to come up with their own password generation algorithm so that they don't end up being obvious.

The other problem with multiple passwords is that because you can't remember them all, you end up writing them down or storing them on your computer in a text file, both of which are security issues in themselves. Then you lose the paper, or when your old hard drive breaks or becomes obsolete, you either forgot your passwords, or you threw it away, not thinking about the hacker who finds it...

In Star Wars, they had "code cylinders" (like USB thumb drives) with million-digit passwords, but R2-D2 was still able to hack it in 30 seconds.
not rated yet Dec 20, 2010
So that means that R2-D2 had a quantum computer built into it. Seems high tech for that Universe.

So then we now know why they don't exist anymore. The people of the Star Wars Universe Transcended and left mere physical flesh behind.

Luminous beings they are.

not rated yet Dec 20, 2010
@Quantum, agreed that computers are getting smarter, but you can be smart with the passwords you choose too!

Actually I agree to @Christian's approach in part.
It's better than having the same password everywhere. And this way it's easier to remember as well.


If you realize, both passwords qualify as strong because of the combination of 4 types of elements. Brute forcing this won't be that simple. Nor fast.