Gawker hack underscores flaws with passwords

The fallout from a hacking attack on Gawker Media Inc. a week ago underscores a basic security risk of living more of our lives online: Using the same username and password for multiple sites is convenient, but costly.

After the attack on the publisher of such blogs as Gawker, and Jezebel exposed account information on as many as 1.4 million people, several unrelated companies had to freeze their accounts and force users to reset passwords.

Gawker Media itself didn't have all that much sensitive information about its users. But the usernames and passwords obtained there could open doors to more valuable accounts elsewhere, including e-mail and banking.

, Inc. and Yahoo Inc., among others, saw the potential damage and began resetting their passwords en masse, disrupting users as they tried to check their e-mail or post a tweet.

"It shows one of the fundamental problems with passwords - they get reused and shared across multiple sites," said Jeff Burstein, a senior product manager with the Corp. security firm.

Despite repeated warnings from security companies not to do so, users tend to reuse passwords anyway because they can be hard to remember and manage. Users may have dozens, perhaps hundreds, of accounts - for e-mail, , Twitter, e-retailers, banks and the growing number of news websites and blogs requiring registration.

Although account information gets compromised all the time, the infiltration of Gawker's servers is noteworthy because the hacked data were posted online, for free. In most other breaches, the stolen data are never made public, but sold underground to criminals.

Because the databases were freely available, other sites were able to score the data and look for matches with their users.

Twitter acknowledged resetting some passwords for its 175 million users after hackers used the Gawker data to break into Twitter accounts and pump out links to a site selling acai berry drinks.

At least two of the biggest web e-mail providers, Yahoo and Google, also reset some passwords. Neither would say how many of its users were affected. Google described it as a "small subset" of its users.

Job-networking service LinkedIn also changed a small number of its 85 million users' passwords.

Some websites said the breach didn't affect them because they don't rely solely on passwords.

JPMorgan Chase & Co. said it didn't have to change any passwords because the bank has "multiple layers of security."

Banks typically require security questions and other challenges beyond just usernames and passwords to get into their sites, particularly when someone logs on from a specific computer for the first time.

So what can be done to better protect consumers? Security experts say the Gawker breach shows that it's time to move beyond passwords.

But people are used to needing only usernames and passwords to log onto accounts, and piling on more layers of security can be a hassle.

Many sites are trying to do the best with what they've got and what they think their users will accept. They require strong passwords that are tough to break with "brute force" attacks - using computers to keep trying commonly used passwords against an account until one works.

But those requirements have made it harder for people to remember their , and that increases the likelihood that they'll be used across multiple sites.

Security tools that take advantage of smart phones can make it harder for strangers to break into your accounts. You're given a code through your phone to enter on the website with your password. That way, the website knows it's not a hacker, who wouldn't have access to your phone.

Burstein said imposing additional layers of security on users can backfire if the measures are too cumbersome, but added that the push for mobile phone applications has been well received.

Explore further

Spam attack hits Twitter, tied to Gawker breach

©2010 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Citation: Gawker hack underscores flaws with passwords (2010, December 19) retrieved 20 September 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Dec 19, 2010
Hackers aren't the only problem either - for many websites the site administrators can see everyone's password. Do you trust them? One easy solution is to have one base password that you can remember, which you then modify for each website you use based on something like the URL or website title. As long as you do it in a non-obvious way this gives you only one password to remember, and a different password on every site you use.

Dec 19, 2010
I'm guilty of not always using clever enough passwords, but I have almost nothing of any importance on the internet.

Still, that approach you just gave isn't really sufficient any more either. Each new generation of computers is so much faster that the hackers are able to try more and more stuff to get on your account.

Everyone literally needs to come up with their own password generation algorithm so that they don't end up being obvious.

The other problem with multiple passwords is that because you can't remember them all, you end up writing them down or storing them on your computer in a text file, both of which are security issues in themselves. Then you lose the paper, or when your old hard drive breaks or becomes obsolete, you either forgot your passwords, or you threw it away, not thinking about the hacker who finds it...

in star wars, they had "code cylinders" (like USB thumb drives) with million-digit passwords, but R2-D2 was still able to hack it in 30 seconds.

Dec 20, 2010
So that means that R2-D2 had a quantum computer built into it. Seems high tech for that Universe.

So then we now know why they don't exist anymore. The people of the Star Wars Universe Transcended and left mere physical flesh behind.

Luminous beings they are.


Dec 20, 2010
@Quantum, agreed that computers are getting smarter but you can be smart with the passwords you choose too!

Actually I agree to @Christian's approach in part.
It's better than having the same password everywhere. And this way it's easier to remember as well.


If you realize, both passwords qualify as strong because of the combination of 4 types of elements. Brute forcing this won't be that simple. Nor fast.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more