Gawker Password Theft a Wake-Up Call

Analysis: Underestimating your own vulnerability is a recipe for disaster.

Well, my holiday plans saw a new item move to the top of the to-do List. I found myself with the pleasant task of sweeping through my password collection, because I was lazy and Gawker Media was sloppy. It's a lesson for anyone whose livelihood depends on secure systems remaining that way.

The big story was that over the weekend of Dec. 11-12, Gawker admitted in a post on its various sites- which include Deadspin, Fleshbot, Gizmodo, io9, Jalopnik, Jezebel, Kotaku and Lifehacker, as well as Gawker itself-that its central password database had been compromised. It seems that the Gawker IT organization had used the long-obsolete DES to encrypt the password store, had ignored at least a month's worth of warnings that something fishy was going on, and had let its production servers get about three years behind on kernel patches. In short, the company's IT crew had utterly failed at its job.

This would amount to dereliction of duty in any IT organization with pretenses to credibility. But since the editors of the main Gawker site have in effect dared anti-organizations such as Anonymous and 4chan to come after it, one has to compare the behavior of Gawker Media's editorial and IT staff to the kind of idiot who climbs into the lion pen at the zoo and is surprised by the extent of the resulting injuries. As of the afternoon of Dec. 13, the company seemed to be placing as much of the responsibility on those users who chose weak passwords-which included Gawker founder Nick Denton's "24682468," or "password," used by almost 2,000 accounts-as it did on its IT staff, who created the conditions that were so easily exploited.

Of course, I failed as well. As do many people, I have a few medium-strength passwords that I use on more than one site. "Easy to remember, hard to guess" describes these, and they'll hold up against a dictionary attack, although I reckon that anyone who really wanted to crack them would do so, probably sooner rather than later. Although I should know better, I made the mistake of changing my Gawker password to one of my garden-variety passwords during one of the site's occasional authentication hiccups earlier this year. I'd meant to get around to resetting it to something fairly obscure, but didn't.

Now, I'm paying for my laziness by going through three or four devices, trying to figure out where I might have used the ID and password combination that was in the Gawker database. A group calling itself Gnosis is claiming responsibility for the theft of the Gawker Media password database, and reports indicated that by midday of Dec. 12, almost 200,000 user IDs and passwords had been cracked and posted in a torrent for the entire world to see.

The only thing I can claim to have done right is to use more than one ID for my personal business, and to keep my business e-mail traffic separate from my personal e-mail. Although I'm going to be extra careful about my identities and passwords for a long while, I don't feel like much of a chump. After all, I'm not the Gawker employee who encrypted the passwords using an insecure method, I'm not the Gawker IT manager who blew off three years' worth of kernel patches, and I'm not the Gawker leaders who dared the Internet to hack away. Those are the people who look like chumps.