Posted at 12:08 PM ET, 12/15/2010

Gawker breach fallout: LinkedIn, Amazon reset some users' passwords

By Rob Pegoraro

Users and companies are trying to sweep up the mess caused by this weekend's breach of roughly 1.3 million reader accounts at Gawker Media. And a few of them are showing some surprising, welcome resourcefulness.


LinkedIn, for example, scanned through the archive of usernames, e-mail addresses and scrambled passwords that the Gawker attackers posted. Where the business-networking site spotted its own users' addresses in that list, it reset their passwords and notified them by e-mail, without waiting to find out whether those users had reused the same password at LinkedIn.

Amazon has done the same thing. A blog post by Dutch teenager Daan Berg recounts a similar password-reset e-mail from Amazon and compliments the company for its initiative. Washington-based Associated Press video producer Matt Friedman wrote on Twitter that he'd received the same notice and forwarded a copy to me.
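What LinkedIn and Amazon did amounts to a simple join between a leaked list and a site's own user table, followed by a forced reset. The script below is an added example, not LinkedIn's or Amazon's code; the dump format (a "username,email,password_hash" CSV), the user-table shape and all of the sample rows are assumptions constructed for the example. It normalizes addresses before comparing so that case and stray whitespace in the dump don't hide a match, resets every matched user regardless of whether the leaked password is the one they use here (the site can't tell, so it assumes the worst), and writes a notice that carries no link, for exactly the phishing reason discussed in the next paragraph.

```python
"""Added example (not LinkedIn's or Amazon's code): given a dump of leaked
accounts and a site's own user table, find the users who appear in both,
force a password reset and produce a notification.

Assumptions (not from the article): the dump is CSV text with a
"username,email,password_hash" header; the site's users are dicts.
All sample data below is constructed for the example.
"""
import csv
import io
import unicodedata
from typing import Dict, List, Set

# Constructed sample of a leaked dump, in the rough shape the article
# describes (usernames, e-mail addresses and scrambled passwords). Not real.
LEAKED_DUMP = """username,email,password_hash
alice,Alice@Example.com,$1$abcd$deadbeef
bob,bob@example.net ,$1$efgh$cafef00d
carol,carol@example.org,$1$ijkl$0badf00d
"""

# Constructed sample of "our" user table.
OUR_USERS: List[Dict] = [
    {"id": 1, "email": "alice@example.com", "password_hash": "x", "sessions_revoked": False},
    {"id": 2, "email": "dave@example.com", "password_hash": "y", "sessions_revoked": False},
    {"id": 3, "email": "BOB@example.net", "password_hash": "z", "sessions_revoked": False},
]


def normalize_email(addr: str) -> str:
    """Canonicalize an address so trivial differences don't hide a match.

    Lower-cases, strips whitespace and applies NFKC so look-alike Unicode
    forms compare equal. Deliberately does NOT strip '+tags' or dots:
    that is provider-specific and would create false matches.
    """
    return unicodedata.normalize("NFKC", addr.strip()).lower()


def parse_dump(text: str) -> Set[str]:
    """Return the set of normalized e-mail addresses present in the dump."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalize_email(row["email"]) for row in reader if row.get("email")}


def users_to_reset(dump_text: str, users: List[Dict]) -> List[Dict]:
    """Users whose address appears in the dump. We cannot tell whether their
    password here matches the leaked one, so every match is reset."""
    leaked = parse_dump(dump_text)
    return [u for u in users if normalize_email(u["email"]) in leaked]


def reset_and_notify(users: List[Dict]) -> List[str]:
    """Invalidate the stored password, kill existing sessions and build the
    notice. The notice contains no link: phishers will copy this theme, so
    the user is told to type the site address themselves."""
    notices = []
    for u in users:
        u["password_hash"] = None        # forces 'Forgot password' on next login
        u["sessions_revoked"] = True     # an attacker may already be logged in
        notices.append(
            f"To {u['email']}: Your password was reset because your address "
            "appeared in a third-party breach. Do not click links in this "
            "message; go to the site directly and use 'Forgot password'."
        )
    return notices


if __name__ == "__main__":
    for line in reset_and_notify(users_to_reset(LEAKED_DUMP, OUR_USERS)):
        print(line)
```

Two users out of three are matched here (alice and bob), the second only because the normalization removed the trailing space and the differing case; a naive string comparison would have missed him.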

Unlike LinkedIn, however, Amazon has yet to post a notice confirming that it's taken this step. It should: Phishing e-mails will probably adopt this theme as a lure, and the good guys can easily set themselves apart from the bad by saying in public, "Yes, we're sending those messages."

(1:43 p.m. Amazon spokeswoman Mary Osako wrote that the company did send those e-mails to "some customers" but did not give a number.)

As for my own compromised password -- as you may recall, I couldn't remember the password I'd used -- I got a big help from a reader. He had seen my post, had been in a similar situation and did me the favor of looking up my name -- turns out I'm the only Pegoraro with an account at a Gawker site. He then provided a highly technical workaround: the leaked file doesn't hold passwords in the clear but scrambled (hashed) versions of them, so I could run different password guesses through the same scrambling and see which one produced the entry sitting next to my name in the Gawker records. That is exactly what anybody else with a copy of the file can do, which is why a weak or reused password in that list is a problem even though it isn't printed in plain text.
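The workaround the reader described is, in code, a few lines: take the scrambled entry, scramble each candidate the same way, compare. The following is an added example and not the reader's script or Gawker's code. The page does not show Gawker's hash format, so the block uses a stand-in, "salt$sha256(salt + password)", which is an assumption; the principle is the same for any unkeyed password hash. The leaked record, the wordlist and the name-based guesses are all constructed for the example.

```python
"""Added example (not the reader's script nor Gawker's code): given one
scrambled (hashed) entry from a leaked dump, hash candidate passwords the
same way and report which one reproduces it.

The hash format "<salt>$<hex sha256(salt + password)>" is an assumed
stand-in; the page does not show the real one. All sample data is
constructed. No network access is needed: the check is entirely offline,
which is why the site's rate limiting does not help once the file is out.
"""
import hashlib
import hmac
from typing import Iterable, List, Optional


def scramble(salt: str, password: str) -> str:
    """Stand-in for the site's password 'encryption' (really a salted hash)."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def matches(leaked_entry: str, candidate: str) -> bool:
    """Re-scramble the candidate with the entry's own salt and compare."""
    salt, _, _ = leaked_entry.partition("$")
    return hmac.compare_digest(scramble(salt, candidate), leaked_entry)


def find_password(leaked_entry: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces the leaked entry, else None."""
    for guess in candidates:
        if matches(leaked_entry, guess):
            return guess
    return None


# Constructed "leaked record" for a user who picked one of the weak choices
# the article mentions. In real use this comes out of the dump.
LEAKED = scramble("k7Qx", "123456")

# A short wordlist in the spirit of the "top 50": common choices first.
COMMON = ["password", "123456", "12345678", "qwerty", "letmein", "abc123"]


def personal_guesses(first: str, last: str, year: str) -> List[str]:
    """Guesses an attacker derives from public facts about the user
    (name, a significant year), in the shape people actually choose."""
    out = []
    for base in (first, last, first + last, last + first):
        out += [base, base.capitalize(), base + year,
                base.capitalize() + year, base + year[-2:]]
    return out


if __name__ == "__main__":
    print("matched:", find_password(LEAKED, COMMON))
    # Constructed second record: a 'word plus year' password falls to guesses
    # built from nothing more than a name and a year.
    record = scramble("zz9A", "Doe1999")
    print("matched:", find_password(record, COMMON + personal_guesses("jane", "doe", "1999")))
```

The second record is the instructive one: a password that looks "strong" to a site's meter (capital letter, digits, eight characters) is found after a couple of dozen guesses once the attacker knows a name and a year, and the leaked file hands over the name.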

I was relieved to see that I hadn't chosen any of the top 50 Gawker passwords. The most embarrassing? Some 3,000 people had picked "123456."

I had, however, used this only slightly more complicated password at many other sites. The first one that came to mind was Pandora. Fortunately, I was able to change my password at the Web-radio service before anybody could add a Creed or Celine Dion station to my account.

Beyond tracking down which other accounts share that password, I have to come up with new passwords for those sites. They don't have to be high-security logins that will resist extended, brute-force computing attacks -- for help with that, see Bruce Schneier's post from January 2007 -- but they do need to be distinct from one another, so that the next leaked list doesn't unlock every other account, and yet somewhat easy to recall.

The latter requirement is trickier. It can be frighteningly easy to memorize passwords that are total gibberish -- in my own worst example, 26-character WEP wireless-network keys -- if you have to type them in often enough. But most sites don't offer that much practice: either they keep you logged in with a cookie, or your browser auto-completes the password for you, and it quickly fades from memory.

What's your recipe in this situation? Earlier comments on this have shown some creativity. How do you go about this exercise in compressed-prose composition?

Categories:  Digital culture, Security

Comments

I use a password locker. I have to remember only the locker's password. Locker is mobile; comes with both Windows and iPod versions that sync. In Windows, I just copy any passwords I haven't memorized and paste them into the form. I'm sure there are Mac equivalents. Locker also generates passwords from user-input criteria. I have several dozen discrete passwords; this is the only reasonably secure solution.

Posted by: TwoTooth | December 15, 2010 12:26 PM | Report abuse

Dark Helmet
"123456"! That's the combination for /my/ luggage!
/Dark Helmet

Off topic note:
Looks like Marc's kid has learned the value of regular backups, and logging off of an important site when not using it. Like most of us, he learned the hard way.

Another one:
Your new assistant is a blogging maniac. ;-)

Passwords:
A file on my home computer called "passwords", with a strong password on the computer.

Posted by: wiredog | December 15, 2010 12:43 PM | Report abuse

Years ago I learned a variation of something Bruce Schneier mentioned in his article, but easier to remember: I use the first letters of the words in the first phrase of one or two favorite songs I know and substitute a special character for punctuation.

Posted by: boba4 | December 15, 2010 12:44 PM | Report abuse

What's funny is that I just came over to WashingtonPost.com to change my password. My account on Gawker was among the compromised accounts and the hackers used it to get into my Facebook page and post some spam under my name. Facebook locked the account, but has a pretty nifty way for you to prove you are who you say you are.

At the moment I'm using a pretty simple, temporary password for these accounts. I think I'm going to have to come up with something a little stronger, though.

What's key, key, key is to use a different username and password for accounts that could compromise your finances. My banking account and password and my e-mail password are my two strongest, and I limit them to just those accounts. For e-commerce sites I have a strong username and password. For blogs and such I have a fourth, less fancy login and password.

Posted by: DavidFlores | December 15, 2010 1:26 PM | Report abuse

@wiredog
That was said by President Screw. Dark Helmet said "Who would be so stupid to use that as their combination?"

Posted by: koalatek | December 15, 2010 2:27 PM | Report abuse

This incident has actually caused me to follow the advice of a Gawker site and install a Firefox plugin that manages passwords: Lastpass

Learn more at http://lastpass.com/

Posted by: ResidentE | December 15, 2010 3:40 PM | Report abuse

I have recently thrown in the techno-towel and made a list ON PAPER of my passwords. I figure I am in much less danger of having my desktop computer and desk clutter burgled in the real world than I am of having a computer file of passwords stolen in cyberspace. (There are times when clay tablets start looking good...)

Posted by: danielleshelley | December 16, 2010 1:06 AM | Report abuse

If you want to use a simple password like "12345" but also want to have a different, easy-to-remember password for each website, you can use a pattern and do something like:

gawk12345 for gawker,
face12345 for facebook,
post12345 for the Washington Post,
twit12345 for Twitter,
and link12345 for linkedin.

Posted by: mikebecvar | December 16, 2010 7:44 AM | Report abuse

Firefox has a password manager that keeps the logins/passwords you have told it to remember and is very useful when you forget them in the "it's been a while since I needed to type it in" situation.

When making up a pw I tend to use a word related to the site (though not the name) with the first letter in caps, and append a year of significance to me. For example for Go Daddy I might use "Host1968." I use GD to host my sites, and I graduated from HS in 1968.

This combination always gets a "strong" rating from the sites that provide some sort of feedback about the strength of the pw you are entering when creating the account.

Posted by: tojo45 | December 16, 2010 8:07 AM | Report abuse

Take a U.S. town you like and use the first five characters of its name. Insert the ZIP code in front. Another trick is to think of a word or name you can easily recall, then look at the telephone keypad and translate the letters into numerals.

Posted by: MrM1 | December 16, 2010 8:20 AM | Report abuse

I use Password Safe and then back up the file of the passwords to a thumb drive as well as to the external drive.

Posted by: WashingtonDame | December 16, 2010 9:24 AM | Report abuse

For us non-geeks, or non-nerds, I get the distinct impression the wide-open, unregulated Internet is just that: wide open and not secure. Oh well, the ride was fun. Now what?

Posted by: dangreen3 | December 16, 2010 10:17 AM | Report abuse

I'm surprised that I'm the first to mention Roboform, which saves and enters passwords and also generates them when you need a new one.

Posted by: rw-c | December 16, 2010 10:34 AM | Report abuse

http://keepass.info/

Free.
Open Source.
Mobile.
1 PW to remember.

Posted by: Rocc00 | December 16, 2010 12:57 PM | Report abuse


As a Norton Internet Security customer I could rely on their locker for my passwords, but if you let that subscription lapse or change to one of their competitors, you no longer have that option. And if you've been relying on cookies and lockers to remember your passwords, you'll be at a loss if they go away.

What if you used some variation on something like, say, a driver's license number? All you have to do is remember 7 or 8 characters, then add a special character and a lower-case letter (I use those as bookends), and voila! A password you'll always remember, which will resist even the most persistent of attacks.

And if you cycle through the special characters on your keyboard, you can even change the passwords regularly without forgetting them.

Posted by: pxkatz | December 16, 2010 2:53 PM | Report abuse

It seems that major breaches like this are becoming quite common. What does that say about the security thinking among people operating the compromised system, and about the security thinking among end users?

If you operate a major web site, a big security compromise like this can kill your business. Not investing enough time, money and infrastructure in security means putting your organization at risk of major harm, because of bad press, lost end users, lost advertisers, etc. This is a big deal.

If you are a user whose password has been compromised, I guess it depends on how many other systems you sign into with the same ID/password and whether you care about compromise of any/every account that uses the same credentials. At a minimum, once you learn about a compromise like this, you should change your "standard, used for systems I don't care much about" password everywhere.

In either case, you can learn about effective password management practices: for organizations (http://bit.ly/dPhpkx) and for end users (http://bit.ly/fewec9)

- Idan Shoham, CTO, Hitachi ID Systems

Posted by: Idan_Shoham | December 16, 2010 3:52 PM | Report abuse

I've had password lockers. You lose it all when the hard drive goes away. Back to paper for me ;) -- since I have over 200 passwords I need at work, and enough variations at home. Good news is, as you get older, the stuff you've used in your youth falls many miles below the radar; you can use obsolete items from obsolete technologies in obsolete corners of obsolete industries. But a sniffer trojan or brute-force cracking will still get any password. ANY password.

Posted by: swschrad | December 16, 2010 6:51 PM | Report abuse


I have all my passwords in a simple text file that is stored in an encrypted TrueCrypt file. That file is backed up weekly.

Posted by: taonima2000 | December 16, 2010 9:20 PM | Report abuse

© 2010 The Washington Post Company