Monday, December 27, 2010

Gawker Breach and Strong Passwords

I used Lifehacker and Gizmodo, of course I was a member before the war between Nick/Adrian and 4Chan, before the dark times. What can we learn from this incident, well several things!

1. The first is that strong password security is a must. 
It's not just a good idea that some person in a classroom somewhere mandates. It should be good policy for every person connected to the internet. I downloaded the files from gnosis, the group claiming responsibility for the Gawker breach. They has access to those systems for a long time (weeks if not months). Long enough to crack good, strong passwords. I was surprised to see how many people use children names, their own names, colleges, and the word "password" as their password.

People, these are not strong. No word easily found in any dictionary is "strong"!!!

I typically use strong passwords. Even after 48 hours of brute force against my own passwords which were in the list obtained from gnosis, I went through every site which I felt had security issues, and changed passwords ahead of my 90-120 day schedule. Yes, you should change your passwords at least every 90 days. This is no laughing matter. I spent most of the weekend changing my passwords.

This is my forumla for making strong passwords: Letters + Numbers + Capitals and for grins throw in a !@#$%& character or two. Make it more than 8 characters.


This is an example of a strong password: !iWng24Cea@39
Note the use of capitals, print characters (!@#$%&*), and numbers. The password is also longer than 8 characters. 

DO NOT REUSE PASSWORDS ON MULTIPLE SITES, EACH SITE NEEDS A SPECIFIC PASSWORD.  This is what ultimately lead to the massive amount of personal information on the gawker media employees to be leaked and posted. 

2. Pay attention to emails and news regarding the sites we use on a daily or weekly basis. 
Keeping apprised of a situation is no small feat, but we do this in so many ways already. You would certainly notice if the front door to your home was open all day long. I am not saying that everyone should learn intrusion detection, but be aware of the sites and services you use, and be aware of any issues they have.

3. Site designers, make password changing/entry friendly to strong passwords.
In the process of changing the passwords to sites this weekend, I noticed a disturbing trend. Many sites do not allow the storing of what I consider strong characters, mainly the !@#$%* characters. This is a serious issue to me. I realize that storing these types of characters is more difficult in the short term, but in the long term this adds the longevity of the cracking attempt. Do not limit me on password length either. Making a limit of 12 characters is silly and outdated. If I am capable of remembering a 32 character string then let me have 32 characters.

Sticking to these tips will help you in the long run maintain some measure of safety. Remember that security is not a matter of stopping someone cold, but making it as difficult as possible to breach the measures taken. No security is full proof, but do not make it easy for anyone to breach your data.

No comments: