Nick Denton has a blogging empire named Gawker which includes eight successful blogs including one of the most popular tech blogs. He’s been involved in ‘journalism’ and technology for a long time. One would imagine someone in his position and with his background would take online user names and passwords very seriously as, for him, they are literally the keys to his kingdom. Apparently, that’s asking too much from this blogging mogul, because he got hacked. Big time.
It’s not clear when it all started, but there were clear signs in early November that something was amiss: Nick got a notification that he had set up a new account that he, in fact, had not set up. Instead of recognizing this as any kind of serious threat, he basically ignored it and went about his business. And, critically, Nick didn’t bother to change his password, which he apparently used for a lot of different accounts. This, eventually, gave the hackers a really easy way to get inside Gawker HQ.
A month later, Nick and his Gawker employees started to see odd behavior on some of the accounts, but it was still over a day before they took any kind of serious action, and then only after the hackers created a post on the Gawker home page announcing that they (the hackers) had copied every byte of data on the Gawker servers and had made it publicly available.
If you don’t know what a server is, imagine the ‘Gawker server’ as the Pentagon and the hackers as a team of Russian spies. Now imagine the Russian spies having free run of the Pentagon for as long as they like, looking at and copying everything. The hackers probably aren’t as cute as Russian spies are these days though.
Part of the information that the hackers got was the user database for all the Gawker sites. That’s not just Gawker employees, that’s anyone who has created a free account on a Gawker site so they can leave a comment or add to the discussion on one of the many Gawker blogs. It’s no longer just about Nick Denton and his employees. No, now the hackers have account info on over a million people who have registered on Gawker. And because the hackers have made these records publicly available, hundreds, thousands, possibly tens of thousands of criminals (and corporations) have access to these user names and passwords as well.
For a moment, I’m going to pretend to be a criminal. As a criminal, this is what I would do. I’d download that user database and start randomly picking out user accounts. Next, I’d try logging into different bank and social media websites like TD Bank and Facebook. At least 30% of people use the same user name and password for everything (do you?), so I’m going to get a lot of logins for very little effort. Then I’d be in a bit of a quandary: do I steal your identity and set up a few credit cards, or do I just start making transfers from your bank account? After a few soul-searching minutes, I say screw it, I’ll do both. Plus, if your Facebook profile picture looks cute, I’ll start stalking you too. Oh, and I’m also going to add you to my spam list so I can sell you Viagra or diet pills (probably both, I’m a greedy criminal after all).
Websites get hacked every day. User databases get loose all the time (it just happened to McDonald’s and Honda). So, even if you are good about keeping your computer up to date and secure, your data is still vulnerable if it’s on someone else’s server/website. And your information is on other people’s servers/websites, far more than you probably realize.
Forbes has a nice story on Denton’s debacle, if you’d like more details.
And This Is How You Go Straight
If you want to be even remotely secure online and safeguard against criminals getting hold of your accounts, you need to get serious about user names and passwords. Two fundamental principles of secure accounts are:
- Never use the same user name / password for more than one account.
- Use passwords that are complex and that do not contain any word you can find in a dictionary. A good rule of thumb is, if you can remember your password, it’s probably not secure. The best passwords are at least 8 characters long and include a mix of upper and lower case letters and punctuation. The longer the password is, the better. Here is an example of a moderately strong password: dB-26#je
If you want to use strong passwords that are too complicated to remember, you will need some way to manage them. Naturally, there are many applications for this. I use and like both KeePass and LastPass. I’ve also used eWallet, but found it comes up rather short over time.
KeePass is a free, open source password manager that runs on many platforms including smartphones. It does not easily integrate with your browser, but copying and pasting passwords over is pretty easy. It uses strong encryption to keep your passwords safe and, since it’s all on your computer, you can back it up with the rest of your files. The process of syncing it with other devices is a bit awkward. I’ve been using it for a while and have been happy with it.
LastPass is also free (with a paid premium service as well). Like KeePass, it uses strong encryption to protect your passwords, but it syncs your passwords to the LastPass server so you can access your passwords anywhere. Also, it runs as a browser plug-in, so it works directly with your browser to autofill your passwords when you log in to your favorite websites.
LastPass works on Windows, Macs, Linux, Blackberries, Android phones, and iPhones, but it costs $12 a year if you want to use it on one of these smartphones. It works with Internet Explorer, Firefox, Safari, and Chrome.
I’ve been using it for a few weeks and am very pleased with it. To get a better idea of how LastPass works, check out the short video on their site and a short overview video from CNET.
A Little More About LastPass
When you set up LastPass, it will ask if you want it to scan your computer for user names and passwords already stored there. This makes it easier to get your existing user names and passwords into your new LastPass account. At the end of this process, LastPass will ask if you want to delete the user names and passwords from your browser. This is a good idea, because your browser does not store these user names and passwords in a secure fashion. But be aware that once you choose this option, your user names and passwords will only be stored with LastPass.
LastPass keeps an eye on what you are doing, and if you come across a registration form it will offer to remember the new registration information and can help you create a more secure password.
Password notes: Using 0 (zero) and O (capital letter O) can be confusing, so use one or the other as a rule. Same goes for other letters like the lower case letter L (as in Lincoln) and the upper case letter I (as in India).
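As an added example (my own code, not from the post, KeePass or LastPass), here is a small Python script that turns the password rules above (at least 8 characters, mixed case, punctuation, no dictionary word) and the 0/O and l/I note into a checker and a generator that never emits those confusable characters. The word list is a tiny constructed stand-in; a real check would load a full dictionary file, which is an assumption, not something the post specifies.

```python
import secrets
import string

# Characters the post says to avoid because they are easy to confuse:
# 0 (zero) vs O (capital O), and l (lower-case L) vs I (capital I).
CONFUSABLE = set("0OlI")

# Tiny constructed stand-in for a real dictionary (assumption: a real
# deployment would load a full word list from disk instead).
DICTIONARY = {"password", "letmein", "gawker", "welcome", "monkey", "dragon"}

MIN_LENGTH = 8  # the post's minimum length


def check_password(pw: str) -> list:
    """Return the rules from the post that `pw` fails (empty list == passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    # "Do not contain any word you can find in a dictionary": reject if a
    # dictionary word appears anywhere in the password, ignoring case.
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(c in CONFUSABLE for c in pw):
        problems.append("contains a confusable character (0/O or l/I)")
    return problems


def generate_password(length: int = 12) -> str:
    """Generate a random password that passes check_password()."""
    # Build the alphabet from letters, digits and punctuation, minus confusables.
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in CONFUSABLE)
    while True:  # retry until every rule is satisfied (almost always first try)
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    print("dB-26#je fails:", check_password("dB-26#je"))   # prints []
    print("generated:", generate_password(16))
```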
Oh, and uh, Happy Holidays!