
Gawker Source Code and Databases Compromised

samzenpus posted more than 3 years ago | from the let's-see-what-we-have dept.

Security 207

An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"


207 comments

So much for offloading infrastructure outside. (3, Insightful)

sethstorm (512897) | more than 3 years ago | (#34530812)

Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.

Re:So much for offloading infrastructure outside. (2, Insightful)

jhoegl (638955) | more than 3 years ago | (#34531382)

Not 100% sure why this is OT, but okay.

I can tell you for certain that some companies that are Outsourced do not follow the same security standards that we do. Even if they say they do.
Bad part? These companies have access to our finances and/or medical records. Outsourcing tech jobs to India was bad enough; think about outsourcing to communist-run countries... where they don't give a shit about privacy.

Second Post (1)

Anonymous Coward | more than 3 years ago | (#34530820)

Pawned!

Goodwill? (4, Insightful)

Cyberllama (113628) | more than 3 years ago | (#34530826)

I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .

Further Lessons (4, Insightful)

alvinrod (889928) | more than 3 years ago | (#34530872)

Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator [mailinator.com] or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.

I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.

Re:Throwaway Email (1)

TaoPhoenix (980487) | more than 3 years ago | (#34530974)

Hmm. I've done okay so far with tiered emails, because lots of sites are hooked on the whole "sign in" thing. As for "not sure why they require email addresses", if you put on your techie hat, content they show to a logged in user gets marked with a different profile than a Noel Coward. Hulu is a lead example of this, hiding some "mature" shows behind the login wall. They also tweak the ad spread with it.

I'm dreading having to use a password manager to manage my 3-off visits all over the web.

Re:Throwaway Email (1)

alvinrod (889928) | more than 3 years ago | (#34531056)

Doesn't really change the fact that you should never provide these people with your real email address. Hulu obtaining your email address in no way proves that you're over 18 and anyone under 18 is most likely sophisticated enough to lie about their age if they want to see a nipple or hear some foul language. So if one needs to sign in because there's some type of wall for unauthenticated users, I don't see how that precludes the use of throwaway email accounts.

I can't see a good reason to give out your email address unless you want to receive emails from the site. Otherwise you're just exposing yourself to needless grief. Honestly, I don't even know why you display your email address on Slashdot. Anyone who becomes sufficiently annoyed with you or merely bored could send massive amounts of spam towards it.

Re:Throwaway Email (0)

Anonymous Coward | more than 3 years ago | (#34531092)

You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot [bugmenot.com], savior of the net.

Re:Throwaway Email (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#34531082)

I'm dreading having to use a password manager to manage my 3-off visits all over the web.

If you use throw-away email addresses that are derived from the site's address then you can use the same password at all sites and all you have to remember is the algorithm that converts the site's address into the throw-away email address.

Re:Throwaway Email (0)

Anonymous Coward | more than 3 years ago | (#34531112)

I usually do something like username-slashdot@mailinator.com (or one of its mirrors). Easy for someone else to figure out, but I wouldn't care anyway.

Throwaway Passwords (1)

fyngyrz (762201) | more than 3 years ago | (#34531644)

I just use different passwords everywhere, and track 'em in a database here. Most sites let you stay logged in, plus the browser remembers a lot of them, so it's really very little trouble. And the benefit - that a hack on one site doesn't compromise any other... that's worth a lot. Especially if you're doing *any* financial stuff on the net.

As for Gawker, I went and changed my password, but if they're using the same cheesy crypt routine, I dunno how much it's going to help. Any day now, someone might post "as me." Oh, heavens. :)

But yeah, if you're using the same password across the net... you might be about to learn a harsh lesson.

Re:Further Lessons (4, Interesting)

dwarfsoft (461760) | more than 3 years ago | (#34531088)

One benefit of having a domain is having a forward-all for %.com@domain.com. That way you can see which sites got compromised or which accounts got on-sold. They can be easily blocked too.

Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.

Re:Further Lessons (1)

d6 (1944790) | more than 3 years ago | (#34531186)

>>One benefit of having a domain is having forward all for %.com@domain.com.

That is what I've done for years. The "catchall" mail is close to 100% spam and most of the rest is crap I don't want to read. I filter out anything of interest (i.e. account signup emails) and delete the inbox periodically.

Possibly the best 8 bucks a year I have ever spent.

Re:Further Lessons (2)

Kjella (173770) | more than 3 years ago | (#34531616)

Yahoo has got a fairly nice feature where you get up to 500 mail aliases. That way you know exactly what site is selling your address and as a bonus you can have it autosort to folders. On top of that, you have the best unsubscription method possible, you simply delete the alias and all their mail will bounce. It probably doesn't hurt to send a "fuck you too" email with the alias saying you know what they did either. I really wish I had discovered it sooner, because my personal address was already a bit spammy but I don't want to change it now. At least this way it's not getting any worse.

Re:Further Lessons (3, Funny)

PopeRatzo (965947) | more than 3 years ago | (#34531412)

Not sure why anyone would register with any of the Gawker sites

Actually, this makes me think this "Gnosis" group might have done us a favor by releasing the names of Gawker readers.

If aliens should attack the Earth looking to harvest DNA, we now have a list of people that won't be missed.

Re:Goodwill? (5, Insightful)

LighterShadeOfBlack (1011407) | more than 3 years ago | (#34530912)

He's not calling what the hackers did 'goodwill', he's saying they shouldn't allow a situation to come about where the goodwill (or lack thereof) is the difference between an e-mail advising of the vulnerability and... well... this. In other words he's taking responsibility for the vulnerability in their systems instead of trying to say that it's all the evil hackers fault for exploiting it. A refreshing change from the usual response to this kind of thing.

Re:Goodwill? (3, Interesting)

the phantom (107624) | more than 3 years ago | (#34530936)

Parse that last sentence again. Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it. In the same situation, white hats would have found the vulnerability and reported it. They were relying on the goodwill of white hats to report errors, rather than being more proactive themselves, and got pwned. This is, they say, embarrassing, and a situation that they should not have been in.

Re:Goodwill? (0)

Anonymous Coward | more than 3 years ago | (#34531132)

Their reaction isn't good natured at all, it's an attempt at giving the impression the hackers didn't wreak havoc on their servers, didn't abuse Gawker accounts on third party servers and didn't post publicly hundreds of thousands of plaintext usernames/passwords/email addresses ("may be vulnerable"?). As Gawker's servers were being trashed, the hackers were eavesdropping on Gawker employees insisting upon how little damage was done, insulting and proclaiming victory over 4chan. To be clear, Gawker is trying to mislead people with that post.

Also check out how good natured Gawker really is: http://britfa.gs/b/src/12921976073.png [britfa.gs] Are you even familiar with their site? Good natured? Hah!

use VERP, at least for curiosity's sake (1)

SuperBanana (662181) | more than 3 years ago | (#34531146)

I use VERP on most of the forced registration systems. Unless the spammers strip VERP stuff out, I'll know exactly which spammers got my address from Gawker's network. Not that it'll do much good except satisfy some curiosity...

The other side effect is that your account is a little harder to break into, in cases where the login ID is an email address. Obviously not the case here (username works fine too.)

What should be awesome: we'll get to see how many Gawker commentators are astroturfing. That should be extra special fun.

Re:use VERP, at least for curiosity's sake (1)

Anonymous Coward | more than 3 years ago | (#34531278)

What should be awesome: we'll get to see how many Gawker commentators are astroturfing. That should be extra special fun.

Ever since the last round of redesigns, Gawker's comment system has become so impossible to use that I can't imagine anyone's left but astroturfers.

(Seriously, Nick. Most-recent-comment-first, and no way to undo it? Forced pagination via slow-to-render Javashit? I stopped reading your sites that month.)

Re:Goodwill? (1)

cgenman (325138) | more than 3 years ago | (#34531392)

Yes. It's a good thing that no e-mail address has been spammed before this happened. And a tragedy that our perfectly shiny inboxes will be lost forever to these hackers.

Hah! and Google says... (1)

Anonymous Coward | more than 3 years ago | (#34530828)

..the future is the "cloud"?

On what planet?

Whew! (0)

Anonymous Coward | more than 3 years ago | (#34530844)

Go Gnosis, Information should be free and open!

Good thing I don't use those services... (4, Funny)

noidentity (188756) | more than 3 years ago | (#34530870)

...and instead use Facebook to protect my privacy. Wait, why are you laughing?

Information wants to be free!! (0)

Anonymous Coward | more than 3 years ago | (#34530874)

Run, information!!! Run!!

The torrent file... (5, Informative)

Anonymous Coward | more than 3 years ago | (#34530882)

Re:The torrent file... (0)

igreaterthanu (1942456) | more than 3 years ago | (#34530922)

Now what legitimate use is there in linking to that?

Re:The torrent file... (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34530940)

So I can check if my address and password were included so I know whether to go round changing them everywhere...

Re:The torrent file... (0)

Anonymous Coward | more than 3 years ago | (#34531654)

So they would include all username/password except yours?
How thoughtful they are, those hackers.

Re:The torrent file... (1)

grcumb (781340) | more than 3 years ago | (#34530966)

Now what legitimate use is there in linking to that?

Forensics, for one. Without necessarily looking at the individual data, you can still infer a fair amount concerning the scope and nature of the attack by what data was compromised. Likewise, the kind of data being released tells you something about the attackers' motives. And if they were careless, date information and other metadata might also prove useful.

And all of this without necessarily looking at a single password.

Re:The torrent file... (1)

aBaldrich (1692238) | more than 3 years ago | (#34531058)

To study how random people choose their passwords. Bruce Schneier has a very interesting article [wired.com] about that. "How good are the passwords people are choosing to protect their computers and online accounts? It's a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords."

Re:The torrent file... (1)

Anonymous Coward | more than 3 years ago | (#34531126)

OK, but that is hardly a random sampling. Sampling people who get caught up by a phishing attack leaves out the most sophisticated users, as those users don't fall for the phish. So the best case is, "here is some data on 34,000 users who most likely have worse than average passwords".

Re:The torrent file... (4, Insightful)

alvinrod (889928) | more than 3 years ago | (#34531068)

A lesson in how trivial it is for anyone to get your email address and other information when you provide it to third parties who may become compromised. I hope it gets voted to +5 just so it sinks in for a few people and they aren't so careless with their personal information in the future.

Gawker honestly shouldn't even store the emails. If someone loses a password they can just make a new account. I don't want to sound mean, but if you can't be a good example you might as well serve as a horrible warning.

Re:The torrent file... (1)

Klinky (636952) | more than 3 years ago | (#34531272)

Yes, you have found the perfect solution: Never get your e-mail compromised by never using your e-mail! Also perhaps you don't value your account, but many people do value their account information & history they've built up with a site.

If you don't want to provide your e-mail, no one is putting a gun to your head telling you to share your e-mail. Also your e-mail alone is not a security risk. I hope those passwords were salted though...

Re:The torrent file... (2)

scdeimos (632778) | more than 3 years ago | (#34531524)

Regardless of which site is compromised, two reasons why having your e-mail address harvested is bad news:

  1. Spammers will send more spam directly to you.
  2. Spammers will send more spam to everybody else using your e-mail address - so you get more complaints from internet noobs fed-up with spam and thinking that you were the sender.

Re:The torrent file... (3, Interesting)

Anonymous Coward | more than 3 years ago | (#34531214)

It's a pretty good textbook example of how NOT to secure a website (not to mention a major one). I checked out the README, and it's rather embarrassing. Trivial leetspeak for root passwords, publicly accessible MySQL servers, stuff running Linux 2.6.18 compiled back in 2007 (there have been multiple local root exploits since then), ridiculously insecure passwords for admin accounts, people using the same password everywhere... They also appear to be using ancient DES crypt() for their website user passwords (that means only the first 8 characters of user/commenter passwords on the site matter). Really, it's no surprise that they were broken into through every possible orifice and then some. That's not counting the failure to react when they noticed something was off (which they did) before it was way too late.

Re:The torrent file... (5, Informative)

zonker (1158) | more than 3 years ago | (#34531118)

Someone uploaded the database to Google's Fusion Tables for you to search for your info against:

http://www.google.com/fusiontables/DataSource?dsrcid=350662 [google.com]

Instructions for use:

1. Get the MD5 of your email address (lowercase)
- Online: http://pajhome.org.uk/crypt/md5/ [pajhome.org.uk]
- Shell: $ echo -n mylowercase@email.com|md5sum
2. Search for the hash (via Show Options)
3. Change your password

By the way for Mac users like me that command won't work. Try md5 -r instead of md5sum

Encrypted? Hashed? (0)

Henriok (6762) | more than 3 years ago | (#34530890)

Can someone please tell me why sites and services like this are saving the passwords of their users, instead of saving some hashed version of them? As far as real life goes, encrypted passwords can be decrypted. Hashed passwords cannot be unhashed.

Re:Encrypted? Hashed? (1)

wampus (1932) | more than 3 years ago | (#34530898)

They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.

Re:Encrypted? Hashed? (4, Funny)

causality (777677) | more than 3 years ago | (#34530924)

They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.

At least they didn't say "scrambled".

Re:Encrypted? Hashed? (1)

Anonymous Coward | more than 3 years ago | (#34530978)

"The passwords have been flam-boozled and goofed up so the hackers on steroids can't them..."

Re:Encrypted? Hashed? (1)

Anonymous Coward | more than 3 years ago | (#34531150)

According to the readme included in the torrent, they used DES (probably crypt(3)), and it only took into account the first 8 characters of the password.

Re:Encrypted? Hashed? (1)

phantomcircuit (938963) | more than 3 years ago | (#34531258)

Actually they used DES, so calling it encryption is technically correct. (They encrypt a constant string with the password as the key, which is basically a poor man's hash.)

Also apparently like LANMAN hashes they only use the first 8 characters of the password, which is just fucking mind blowingly stupid.

Re:Encrypted? Hashed? (0)

Anonymous Coward | more than 3 years ago | (#34530906)

Isn't a hash just a one way encryption? They might not have gone into detail about how they were encrypted but that doesn't mean that it wasn't hashed.

Now assuming they were hashed and were not salted, weak passwords will be obtainable with a rainbow table.

Re:Encrypted? Hashed? (1, Insightful)

sglider (648795) | more than 3 years ago | (#34530918)

This has all happened before [codinghorror.com], and it will all happen again.

Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection [codinghorror.com]).

Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.

Re:Encrypted? Hashed? (1)

tsm_sf (545316) | more than 3 years ago | (#34531050)

Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.

Why should they have to? How many times are we going to reinvent this particular wheel anyhow?

Re:Encrypted? Hashed? (1)

Mashiki (184564) | more than 3 years ago | (#34531084)

As many times as it takes, for common sense for basic security to actually win?

Re:Encrypted? Hashed? (1)

Tridus (79566) | more than 3 years ago | (#34531248)

Having people reinvent it constantly is counterproductive to your goal. What we need are a few people who actually know what they're doing to design it, and for everybody else to use that.

Every CMS doing passwords their own way is a great way to ensure most of them are doing it wrong.

Re:Encrypted? Hashed? (1)

thasmudyan (460603) | more than 3 years ago | (#34531172)

Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection [codinghorror.com]).

In cases where the pertinent part of the codebase/config was lifted as well, such as in the current example with the Gawker data, this doesn't help. At some point, the password algorithm has to have access to the salt. An attacker who has both the complete code and the database will also have access to the same salt, no matter how "secure" the individual hashes are computed.

At some point, adding complexity does very little to the actual security of software. There is always information supposedly internal to the system that is needed for decoding or verifying security info. Once that info gets out, it's out, and those logins can be reconstructed never mind how convoluted the hashing function behind them may (or may not) be. The only viable option for Gawker would be to set the entire password column to null and send out notifications with a confirmation code to all registered email addresses, prompting them for a new password.

Re:Encrypted? Hashed? (2, Informative)

Anonymous Coward | more than 3 years ago | (#34531274)

The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute force lookup rather than an O(1) operation.

Re:Encrypted? Hashed? (1)

thasmudyan (460603) | more than 3 years ago | (#34531330)

The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute force lookup rather than an O(1) operation.

While that is true, it just delays the inevitable. In fact, even with salt, any large scale leaks such as the Gawker crack will always contain a good number of stupid passwords that are easily brute-forceable even without a rainbow table. It will always be relatively easy to either crack a single account you're really interested in, or alternatively crack a huge number of accounts that are particularly low-hanging fruit, even if every single account was salted differently. Rainbow tables are nice for crackers on a budget of 0, but today everyone can rent dirt-cheap GPU-assisted brute force cracking power.
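As an added example (not code from any poster in this thread), the Python script below plays out the exchange above together with the earlier rainbow-table point: unsalted fast hashes fall to a single precomputed lookup, a per-account salt plus a slow KDF forces the attacker to recompute every guess per account, and the weak passwords still fall either way, which is exactly the "delays the inevitable" argument. All account names, passwords and the guess list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the leak): a tiny guess list standing in
# for a cracking dictionary, and four accounts with their chosen passwords.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein", "gawker"]
ACCOUNTS = {
    "alice": "password",
    "bob": "123456",
    "carol": "password",
    "dave": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash of the password alone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """The recommended scheme: per-account random salt plus a slow KDF (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_unsalted(accounts: dict) -> dict:
    """Database column as Gawker-style sites keep it: user -> bare hash."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def store_salted(accounts: dict, iterations: int = 200_000) -> dict:
    """user -> (salt, digest). The salt is stored in the clear next to the digest;
    it is not a secret, it only makes each account its own cracking problem."""
    out = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_hash(pw, salt, iterations))
    return out


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; the rainbow-table idea in miniature."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """Unsalted: one dictionary lookup per account, no hashing at crack time."""
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: dict, wordlist, iterations: int = 200_000):
    """Salted: the precomputed table is useless; every guess must be rehashed
    under each account's own salt. Returns (cracked accounts, KDF runs spent)."""
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(guess, salt, iterations), digest):
                cracked[user] = guess
                break
    return cracked, work


def main() -> None:
    table = build_lookup_table(WEAK_PASSWORDS)
    unsalted = store_unsalted(ACCOUNTS)
    print("unsalted, table lookup:", crack_unsalted(unsalted, table))
    # Identical passwords give identical hashes, so the leak itself reveals reuse.
    print("alice and carol share a hash:", unsalted["alice"] == unsalted["carol"])

    salted = store_salted(ACCOUNTS)
    cracked, work = crack_salted(salted, WEAK_PASSWORDS)
    print("salted, per-account brute force:", cracked, "after", work, "KDF runs")
    print("alice and carol share a digest:", salted["alice"][1] == salted["carol"][1])


if __name__ == "__main__":
    main()
```

The weak passwords are recovered in both runs; what the salt and the slow KDF change is that the attacker pays a full KDF evaluation per guess per account instead of a single lookup, and the fourth account, whose password is not in the guess list, survives.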

Re:Encrypted? Hashed? (1)

Anonymous Coward | more than 3 years ago | (#34530926)

My first thoughts exactly. I'm always taken aback when the recover password tool of a website sends me my password rather than resetting it to something new.

Re:Encrypted? Hashed? (1)

kanto (1851816) | more than 3 years ago | (#34531048)

As others have replied a hash can be called a one way encryption; hashed passwords have no 1:1 relationship to inputs, usually a single hash can be the result of infinite different inputs to the hash-function of which many can coincide within the password restrictions. So if the process can be reversed by generating input from a hash you might not get your original password, but a password which will work all the same. That's why adding a random salt to the password is important, just makes it all the more unlikely it could be done (also makes it more unlikely that someone has your hash in a precalculated dictionary).

Why you shouldn't really use md5 [wikipedia.org]

Children suck (0, Funny)

Anonymous Coward | more than 3 years ago | (#34530902)

We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.

This is the major problem with the internet - we let children on it.

Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.

Re:Children suck (4, Insightful)

causality (777677) | more than 3 years ago | (#34531004)

We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.

This is the major problem with the internet - we let children on it.

Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.

There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...

People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.

There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.

Posts like this one [slashdot.org] are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.

Re:Children suck (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34531022)

I didn't say minors. I said "children."

I chose that word carefully.

Your points are all very correct, of course. I am just screaming to an apathetic universe.

Re:Children suck (3, Insightful)

causality (777677) | more than 3 years ago | (#34531074)

I didn't say minors. I said "children."

I chose that word carefully.

Your points are all very correct, of course. I am just screaming to an apathetic universe.

Point taken. In fact the biggest single reason why I am concerned about the long-term well-being of the USA is that most of its "adults" are petty, indulgent, overgrown children with short memories. In that spirit I can see why you had good reason to choose that word as you did.

I maintain that the more adult thing to do is to overcome such events by learning their lesson, rather than indulging in the "blame game" and making it into a 5-minute hate. Not only is that the constructive solution, it also limits the damage of this intrusion to computer systems only. The anger and hatred merely serves the intruder(s) by extending the damage into the personal realm of your own well-being.

Re:Children suck (0)

Anonymous Coward | more than 3 years ago | (#34531454)

All of this is really funny given the stance that Gawker/Gizmodo has taken on the Wikileak release of classified diplomatic cables.

Re:Children suck (-1)

Anonymous Coward | more than 3 years ago | (#34531608)

The main problem of the internet - we let old people on it.

Really old people? Why don't you just crawl into a hole and die already, anyone over 30 are stinking up the place with their stench of decay. You should all be put into a hospice already, or, to save this country some money, just used as the decaying manure that you are, to grow food for us healthy, young kids.

In the spirit of WikiLeaks. (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34530938)

Leaks of information are good.

Couldnt happen to more deserving people (1)

Anonymous Coward | more than 3 years ago | (#34530952)

I tried to take part in the discussions on those sites, I really did.

The mods are fucking idiots, and I am in no way surprised that they were too stupid to keep people's personal data safe.

Mod parent up (0)

Anonymous Coward | more than 3 years ago | (#34531136)

It really needs to be heard. God damn if Gawker aren't the largest group of idiots on the web.

The thing is that they make you "audition" to comment and will ban you at a moment's notice with no reason given. But if you actually read the starred comments and the posts they make, the people that are allowed to talk are a giant collection of idiots.

Easiest way to get banned from a Gawker site is to point out a glaring error in an article. Showing that an editor is an idiot is an instaban.

Making retarded comments and trolling, on the other hand, are encouraged.

I've lost track of my passwords... (1)

netsharc (195805) | more than 3 years ago | (#34530970)

I used to have one password for all. Yeah, great idea huh. Then it became, 1 password for the important stuff, and 1 for the throwaways. Later on it was 1 for the really useless crap that I wouldn't care if they got hacked, 1 for the semi-important stuff, 1 for things I want to have secured, and 2 more levels, the last one being for "e-mails and personal profile use" (i.e. Facebook, oh nooo!).

So now I have 5 passwords (well, plus a few single-site ones for e.g. my bank), but I use them inconsistently. Slashdot, for example, is still on the 2nd weakest password. I read that morons were able to hack Twitter, so I used that 2nd weakest password too. And if I want to change them all, what sites am I registered in, and what level should they be in?

Re:I've lost track of my passwords... (1)

Inquisitus (937664) | more than 3 years ago | (#34531072)

Use a password database like KeePass and have a long, unique, completely unmemorable password for each site you use (except perhaps a few of the more common ones you're likely to access regularly). If you have a smart phone this is even better because you can carry your password database around with you and have it sync automatically with your computer. Remember that having the same password for many sites not only means that if it's brute-forced for one site it can be used on others, but also that a site itself might be malicious enough to store your login details and test them on other sites. See xkcd [xkcd.com].

Simple rules make for good passwords (1)

Anonymous Coward | more than 3 years ago | (#34531166)

If you want to make good passwords for sites, follow this simple, handy rule:

1) Take the URL of the website, shift each letter right once, and add that to the field.
2) Take a sentence or word (make sure it isn't a generic dictionary word or popular quote) and add it to the field, in caps or small.
3) Go back to the start of the field.
4) Think of a number important to you.
5) Press right, enter the first digit, right, the 2nd, right, the 3rd, and so on. If you reach the end of the number before you reach the end of the words, wrap and continue until the end.
Optional:
6) Go back to the start again, choose another word or phrase, and repeat the 5th rule on this word / phrase.

Enjoy your stupidly complex password.
For those up to the task, you could convert the letters of the URL into numbers (hex, ASCII, general, others) and use THAT as the number component (or a 2nd number!).
The rule can be extended in any way you like: you don't need to go back and type every 2nd letter, you can do every 4th, or none at all and just append it to the end; you can have 3 sets of words, other numbers, and so on. It depends on how secure you want it to be.

orly (1)

rweir (96112) | more than 3 years ago | (#34530976)

and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?

Re:orly (2)

PhrostyMcByte (589271) | more than 3 years ago | (#34531164)

and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?

They used crypt() [die.net], which means it's going to be relatively easy to crack everything in the file even if the users' passwords were strong. Why anyone would use crypt() for password hashing is beyond me.

4chan hackers? LOL! (0)

Anonymous Coward | more than 3 years ago | (#34530994)

from the article:

public flaunting of the hacker community that populates 4Chan

4chan people are as much hackers as my pet goldfish. Ignorant script kiddies more like it.

Downloading it right now (1)

Anonymous Coward | more than 3 years ago | (#34530998)

Am I the only one curious about the code in their CMS?

That's not the most insecure part (5, Insightful)

The Moof (859402) | more than 3 years ago | (#34531008)

I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...

provide fast remedy (1)

hpavc (129350) | more than 3 years ago | (#34531086)

They should provide a fast one-stop CGI that their users can go to that will perform these steps, not 'visit our sites and figure shit out'.

Annoying.

Wikileaks tag? (0)

Anonymous Coward | more than 3 years ago | (#34531106)

Why was this tagged with the wikileaks tag? Am I missing something?

Re:Wikileaks tag? (0)

Anonymous Coward | more than 3 years ago | (#34531188)

Maybe they should tag it with the "Whoosh" tag for the morons reading this site.

Reminds me of the LM hash (4, Informative)

yuhong (1378501) | more than 3 years ago | (#34531142)

From http://pastebin.com/9rRmf6W5 [pastebin.com]:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!"
The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.
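The 8-character limit that the pastebin quote above and the crypt() comment earlier in the thread describe can be measured directly. The probe below is an added example, not Gawker's or Slashdot's code: it finds the length past which a password hasher ignores its input, reporting 8 for the platform's DES crypt (where Python's stdlib `crypt` module is still present), 8 for a constructed stand-in hasher with the same limit, and None for PBKDF2-HMAC-SHA256. The salt `ab`, the probe password and the stand-in hasher are all constructed for the example.

```python
"""Probe a password hasher for silent truncation (added example, not Gawker's
code). Traditional DES crypt(3) keys DES with only the first 8 bytes of the
password, so "abcdefgh1234" and "abcdefgh" yield the same stored hash; the
probe measures that for any function f(password, salt) -> str."""
import hashlib
import warnings

def truncation_length(hasher, salt="ab", probe_len=64):
    """Smallest n past which hasher ignores the password, or None if none.
    Probe password (constructed): 64 distinct printable ASCII characters."""
    base = "".join(chr(33 + i) for i in range(probe_len))
    full = hasher(base, salt)
    for n in range(1, probe_len):
        if hasher(base[:n], salt) == full:
            return n
    return None

def des_crypt(password, salt):
    """Platform DES crypt via the stdlib crypt module (Unix; gone in 3.13)."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # ImportError on 3.13+ and on Windows
    digest = crypt.crypt(password, salt)
    # libxcrypt built without DES returns a "*0"/"*1" failure token instead
    if not digest or digest.startswith("*") or len(digest) != 13:
        raise ValueError("DES crypt not available here")
    return digest

def toy_truncating_hasher(password, salt):
    """Constructed stand-in with DES crypt's 8-byte limit (for platforms
    where the crypt module is missing)."""
    return hashlib.sha256((salt + password[:8]).encode()).hexdigest()

def pbkdf2_sha256(password, salt, rounds=1000):
    """Non-truncating alternative. Low round count only to keep the probe
    fast; real deployments use far more rounds and a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               rounds).hex()

def des_crypt_truncation():
    """8 wherever DES crypt is present, None where it cannot be measured."""
    try:
        return truncation_length(des_crypt)
    except (ImportError, OSError, ValueError, TypeError):
        return None

if __name__ == "__main__":
    print("toy 8-byte hasher truncates at:", truncation_length(toy_truncating_hasher))
    print("PBKDF2-HMAC-SHA256 truncates at:", truncation_length(pbkdf2_sha256))
    print("platform DES crypt truncates at:", des_crypt_truncation())
```

The same probe applied to an LM-style scheme would report 14, since each 7-byte half is keyed separately; a modern scheme should always report None.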

Not as Bad as It Seems (2)

R-66Y (150658) | more than 3 years ago | (#34531152)

After looking through the package released through BitTorrent, not everybody's password has been compromised. Gawker does appear to store passwords in an encrypted form and only particularly weak passwords have been cracked. My username, for instance, does appear in their raw DB dump (with an encrypted form of my password) but not in a separate file which lists the passwords they were able to crack. I have a fairly strong password and I believe that's why. Real examples of passwords weak enough to be cracked include "may1404" and "122190". Nothing like, for instance, "STux_s7a" (an old password of mine) appears in unencrypted form, and that isn't even a very strong "strong" password.

Re:Not as Bad as It Seems (0)

Anonymous Coward | more than 3 years ago | (#34531624)

Yeah, at least it wasn't a complete leak with all of the passwords. But they do have the source and whatnot.

I'm surprised that my account isn't even on the list. I'm not sure why.

the true gem here: ID'ing astroturfers (4, Interesting)

SuperBanana (662181) | more than 3 years ago | (#34531184)

The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.

Responsibility (0)

Anonymous Coward | more than 3 years ago | (#34531276)

Why is it that we see an endless stream of these stories, from web break-ins to some moron losing a laptop with unencrypted data to who knows what, and yet there's virtually never any discussion of the company or organization being held responsible for their lousy security practices?

For example, recently the IT system of a supermarket chain in my city was compromised, which caused the name, SSN, bank account and credit card information, etc. for thousands of people to be stolen. This set off a mad rush of people trying to protect their money before the thieves could take the next step and raid their linked accounts. Yet not one report about it even suggested that the supermarket chain that was very easily cracked (reading between the lines of the news reports) was responsible or should pay the customers for the hassle.

It must be nice to be that sloppy in your business practices and not have to worry about it.

EasyDNS (3, Insightful)

Tridus (79566) | more than 3 years ago | (#34531322)

It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.

http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php [villagevoice.com]

Re:EasyDNS (4, Informative)

cyclocommuter (762131) | more than 3 years ago | (#34531386)

Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this [gawker.com] and this [gawker.com]. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.

Re:EasyDNS (1)

Infernal Device (865066) | more than 3 years ago | (#34531486)

Really? So, the 1.5 million victims in all of this can go to hell along with Gawker?

I guess the words "measured response" don't really mean anything to you ...

Re:EasyDNS (1)

Grapplebeam (1892878) | more than 3 years ago | (#34531630)

Right, but none of us were really surprised. I mean, really. Gizmodo and Kotaku? The bar wasn't set high on any of these jerks.

table (0)

Anonymous Coward | more than 3 years ago | (#34531324)

hdmoore: Gawker hacked, 1.3m passwords stolen, 540k w/email addresses, check this table for yours: http://bit.ly/gYMsr5

Re:table (1)

sakura the mc (795726) | more than 3 years ago | (#34531510)

Is there anyone else that didn't find their email address(es)/domain(s) on that table?

I searched my inbox for any emails from anything Gawker and found none.

I logged into Kotaku, where I haven't commented since forever, and surprisingly, my email address is not in my profile.
Did I sign up at a time when they weren't asking for email addresses?

Even though I won't be logging into that site ever again, I changed the password to something I will never remember, and no one will likely crack in my lifetime, just to be safe.

Or this could be (0)

Anonymous Coward | more than 3 years ago | (#34531420)

Simply monied international interests hacking popular technology sites to more directly reinforce the concept of "moral data integrity" as a psyops against future wikileaks style activity. who the hell knows, it's only information.

uh (1)

Ex Machina (10710) | more than 3 years ago | (#34531432)

Anyone have any experience changing all their low priority passwords at once? Thoughts?

Re:uh (3)

Scorpinox (479613) | more than 3 years ago | (#34531504)

I took this as a sign to change all my passwords. It's been a pain in the ass honestly, and provided a nice overview of who is good at letting you change passwords and who sucks. ICQ so far is by far the worst: you can't change it through their website, so you have to download their client, plus they don't allow special characters. eBay's was really hard to find where to change it as well.

I just went through my bookmarks, starting with the important stuff and working my way down. Unfortunately, there are surely some sites I've forgotten. I'll have to change them as they come up, but they are mostly throwaway accounts anyway.
