Gawker Hackers Bring XKCD Comic to Life

The whole fiasco with Gawker's passwords being leaked (Gawker is the largest blogging network I know of) reminds me of this XKCD comic. In the comic, the character sets up a fake service, something like an image-sharing site, and gets people to sign up. One of the biggest security holes is a limitation of most humans: memory. We like to reuse passwords across multiple sites, which is exactly what makes this type of attack possible. The people who hacked Gawker's passwords were smart enough to start trying these leaked username/password combinations on other sites like Twitter, and could then use the accounts to spam followers. Imagine what kind of financial accounts they recovered!

Today I saw this list of top Gawker passwords that was released. While these passwords don't surprise me, they are pretty amusing. One thing I noticed is that the author pointed out people who used Gawker website names as their password. I think they meant to show how stupid that is, but actually it's the opposite. Think about it: I bet those people didn't reuse that username and password on another site. It's almost a foolproof password for public sites. The only thing it needs is a salt, something added to the password to make sure it is unique.

To keep yourself safe I would recommend using some type of password scheme for public sites. Choose something like the first four letters of the site plus a salt you can remember. My salt for this example will be 32#@, so if I were logging into Gawker I would know my password is gawk32#@. Simple to remember, secure, and NOT reused on any other site!
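As an added example (not code from the original post), here is the scheme above written out in Python next to a keyed alternative. The `derive_keyed` function, its HMAC-SHA256 construction and the sample site list are my assumptions, not something the post proposes; the point is that a memorised suffix sits verbatim inside every derived password, while a keyed derivation does not.

```python
import base64
import hashlib
import hmac


def derive_weak(site: str, salt: str) -> str:
    """The post's scheme: first four letters of the site name plus a memorised suffix.
    The post calls the suffix a 'salt'; functionally it is a shared secret."""
    return site[:4].lower() + salt


def derive_keyed(site: str, secret: str, length: int = 16) -> str:
    """Keyed alternative (assumption, not from the post): HMAC-SHA256 over the site
    name, keyed by the memorised secret, encoded as a printable password.
    Different sites give unrelated passwords and none of them contains the secret."""
    digest = hmac.new(secret.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def secret_exposed(leaked_password: str, secret: str) -> bool:
    """True if the memorised secret can be read straight off a leaked password,
    which is the failure mode the comments below worry about."""
    return secret in leaked_password


# Constructed sample data: a memorised secret and a few sites (hypothetical list).
SECRET = "32#@"
SITES = ["gawker.com", "gizmodo.com", "twitter.com"]

if __name__ == "__main__":
    for site in SITES:
        weak = derive_weak(site, SECRET)
        keyed = derive_keyed(site, SECRET)
        print(f"{site:12s} weak={weak:10s} exposed={secret_exposed(weak, SECRET)}  "
              f"keyed={keyed} exposed={secret_exposed(keyed, SECRET)}")
```

Every weak-scheme password reports `exposed=True`; the keyed ones never do, because a leaked password only reveals one HMAC output, not the key.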

2 Responses to “Gawker Hackers Bring XKCD Comic to Life”

  1. Shawn Plep says:

    This is actually one of the better ideas I've come across in a while. While there's something intrinsically "scary" about it (using a known part of the domain in the password) it *seems* fairly secure. But the real strength is that if the salt is discovered, the damage is limited.

  2. John Ward says:

    It was just something I was thinking about. As long as you don't use the same scheme for banking/important websites it is pretty secure. If someone figures out the salt the worst they can do is go post on some Gawker blog.
