Gawker hack underscores flaws with passwords

Dec 19, 2010 By JORDAN ROBERTSON , AP Technology Writer

The fallout from a hacking attack on Gawker Media Inc. a week ago underscores a basic security risk of living more of our lives online: Using the same username and password for multiple sites is convenient, but costly.

After the attack on the publisher of such blogs as Gawker, and Jezebel exposed account information on as many as 1.4 million people, several unrelated companies had to freeze their accounts and force users to reset passwords.

Gawker Media itself didn't have all that much sensitive information about its users. But the usernames and passwords obtained there could open doors to more valuable accounts elsewhere, including e-mail and banking.

, Inc. and Yahoo Inc., among others, saw the potential damage and began resetting their passwords en masse, disrupting users as they tried to check their e-mail or post a tweet.

"It shows one of the fundamental problems with passwords - they get reused and shared across multiple sites," said Jeff Burstein, a senior product manager with the Corp. security firm.

Despite repeated warnings from security companies not to do so, users tend to reuse passwords anyway because they can be hard to remember and manage. Users may have dozens, perhaps hundreds, of accounts - for e-mail, , Twitter, e-retailers, banks and the growing number of news websites and blogs requiring registration.

Although account information gets compromised all the time, the infiltration of Gawker's servers is noteworthy because the hacked data were posted online, for free. In most other breaches, the stolen data are never made public, but sold underground to criminals.

Because the databases were freely available, other sites were able to score the data and look for matches with their users.

Twitter acknowledged resetting some passwords for its 175 million users after hackers used the Gawker data to break into Twitter accounts and pump out links to a site selling acai berry drinks.

At least two of the biggest web e-mail providers, Yahoo and Google, also reset some passwords. Neither would say how many of its users were affected. Google described it as a "small subset" of its users.

Job-networking service LinkedIn also changed a small number of its 85 million users' passwords.

Some websites said the breach didn't affect them because they don't rely solely on passwords.

JPMorgan Chase & Co. said it didn't have to change any passwords because the bank has "multiple layers of security."

Banks typically require security questions and other challenges beyond just usernames and passwords to get into their sites, particularly when someone logs on from a specific computer for the first time.

So what can be done to better protect consumers? Security experts say the Gawker breach shows that it's time to move beyond passwords.

But people are used to needing only usernames and passwords to log onto accounts, and piling on more layers of security can be a hassle.

Many sites are trying to do the best with what they've got and what they think their users will accept. They require strong passwords that are tough to break with "brute force" attacks - using computers to keep trying commonly used passwords against an account until one works.

But those requirements have made it harder for people to remember their , and that increases the likelihood that they'll be used across multiple sites.

Security tools that take advantage of smart phones can make it harder for strangers to break into your accounts. You're given a code through your phone to enter on the website with your password. That way, the website knows it's not a hacker, who wouldn't have access to your phone.

Burstein said imposing additional layers of security on users can backfire if the measures are too cumbersome, but added that the push for mobile phone applications has been well received.

Explore further: Erdogan passes law tightening Turkey's grip on Internet

4 /5 (4 votes)
add to favorites email to friend print save as pdf

Related Stories

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Twitter settles with FTC over data security lapses

Jun 24, 2010

(AP) -- Twitter has agreed to settle charges by federal regulators that it put the privacy of its users at risk by failing to protect them from data security lapses last year that let hackers access their accounts.

Twitter hacked by old technique -- again

Jul 15, 2009

(AP) -- Breaking into someone's e-mail can be child's play for a determined hacker, as Twitter Inc. employees have learned the hard way - again.

Recommended for you

US threatened Yahoo with huge fine over surveillance

Sep 11, 2014

US authorities threatened to fine Yahoo $250,000 a day if it failed to comply with a secret surveillance program requiring it to hand over user data in the name of national security, court documents showed ...

User comments : 5

Adjust slider to filter visible comments by rank

Display comments: newest first

christian_physicist
3 / 5 (2) Dec 19, 2010
Hackers aren't the only problem either - for many websites the site administrators can see everyone's password. Do you trust them? One easy solution is to have one base password that you can remember, which you then modify for each website you use based on something like the URL or website title. As long as you do it in a non-obvious way this gives you only one password to remember, and a different password on every site you use.
h0dges
5 / 5 (2) Dec 19, 2010
Hackers aren't the only problem either - for many websites the site administrators can see everyone's password. Do you trust them? One easy solution is to have one base password that you can remember, which you then modify for each website you use based on something like the URL or website title. As long as you do it in a non-obvious way this gives you only one password to remember, and a different password on every site you use.

Wrong. Most site administrators can only see hash equivalents of passwords.
Quantum_Conundrum
1 / 5 (1) Dec 19, 2010
I'm guilty of not always using clever enough passwords, but I have almost nothing of any importance on the internet.

Still, that approach you just gave isn't really sufficient any more either. Each new generation of computers is so much faster that the hackers are able to try more and more stuff to get on your account.

Everyone literally needs to come up with their own password generation algorithm so that they don't end up being obvious.

The other problem with multiple passwords is that because you can't remember them all, you end up writing them down or storing them on your computer in a text file, both of which are security issues in themselves. Then you lose the paper, or when your old hard drive breaks or becomes obsolete, you either forgot your passwords, or you threw it away, not thinking about the hacker who finds it...

in star wars, they had "code cylinders" (like USB thumb drives) with million-digit passwords, but R2-D2 was still able to hack it in 30 seconds.
Ethelred
not rated yet Dec 20, 2010
So that means that R2-D2 had a quantum computer built into it. Seems high tech for that Universe.

So then we now know why they don't exist anymore. The people of the Star Wars Universe Transcended and left mere physical flesh behind.

Luminous beings they are.

Ethelred
abhishekbt
not rated yet Dec 20, 2010
@Quantum, agreed that computers are getting smarter but you can be smart with the passwords you choose too!

Actually I agree to @Christian's approach in part.
It's better than having the same password everywhere. And this way it's easier to remember as well.

Physorg@007
YahooMail@007

If you realize, both passwords qualify as strong because of the combination of 4 types of elements. Brute forcing this won't be that simple. Nor fast.