The recent hacking of Gawker Media’s servers and subsequent release of nearly one and one-half million user names, email addresses and passwords has put a new spotlight on two particular brands of web users: The One Password User and The Terrible Password User.
If you lost the news of the Gawker hack amid the Wikileaks coverage and the related “takedowns” of several popular web sites, that is understandable. It has been an incredible couple of weeks on the hacking/denial-of-service front.
If you did miss the news, and you are a registered user of the web sites Gawker, Gizmodo, Lifehacker, Deadspin, Jezebel, Kotaku, Jalopnik or io9, then you had better listen up. Hackers were able to steal a reported 1.25 million accounts, including half a million email addresses and 185,000 decrypted passwords. In other words, it is a big deal. If you want to see whether your email address is in the online database published by the hackers, Slate has you covered by clicking here. Excellent resource.
Yes, we should call ourselves what we are. We are lazy. We refuse to remember multiple passwords for multiple web sites. We know there is a risk to engaging in this practice but do it anyway. We are idiots.
The hack is being reported as an example of users using terrible passwords. The most popular password (as reported by The Wall Street Journal here) of users was “123456” with “password” a distant second. Should we take away from this that at least most users have heard the warnings about using “password” as a password?
Another issue being discussed, but not on the same level as the terrible password issue, is the one-size-fits-all approach that users take with their password. Consider the scenario that you have a GMail account. More often than not, your user account on most web sites will be either the full GMail email address or the user name (the part before the @gmail.com). If you had a Gawker account, then there is a significant chance that your email address and password for Gawker are now published and available online to anyone able to use Google.
How hard do you think it will be for criminals to create a computer script that will plug in your email address and password into major web sites to see if your account can be accessed? Wachovia account? Twitter account (this actually happened the other day)? eTrade brokerage account? Facebook account? You get the picture.
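The scenario just described, a script replaying leaked email/password pairs against many sites, has a recognizable signature on the receiving end: one source address cycling through many distinct accounts in a short window, mostly failing, with the occasional success. The following is an added example (not code from the original post) of detection logic a site operator could run over its own authentication log. The log format, the source addresses and the account names are constructed for the example; the 5-minute window and the threshold of five distinct accounts are assumed starting points, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# "<ISO timestamp> <source IP> <account> <OK|FAIL>" per line.
SAMPLE_LOG = """\
2010-12-14T09:00:01 203.0.113.7 alice@example.com FAIL
2010-12-14T09:00:02 203.0.113.7 bob@example.com FAIL
2010-12-14T09:00:03 203.0.113.7 carol@example.com OK
2010-12-14T09:00:04 203.0.113.7 dave@example.com FAIL
2010-12-14T09:00:05 203.0.113.7 erin@example.com FAIL
2010-12-14T09:00:06 203.0.113.7 frank@example.com FAIL
2010-12-14T09:10:00 198.51.100.9 alice@example.com FAIL
2010-12-14T09:10:30 198.51.100.9 alice@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, success)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that attempted >= min_accounts distinct accounts inside
    any sliding time window. A normal user retrying one account from one
    address never trips this; a script working through a leaked list does.

    Returns {ip: {"accounts": set_of_all_accounts_tried,
                  "succeeded": set_of_accounts_with_a_successful_login}}.
    The "succeeded" set is the list of accounts to force a password reset on.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)  # account -> attempts currently inside the window
        for ts, account, _ in events:
            in_window[account] += 1
            # Slide the window start forward, dropping events that fell out of it.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                flagged[ip] = {
                    "accounts": {a for _, a, _ in events},
                    "succeeded": {a for _, a, ok in events if ok},
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, "tried", len(info["accounts"]), "accounts; successes:", sorted(info["succeeded"]))
```

On the constructed log, 203.0.113.7 is flagged after its fifth distinct account in one minute and carol@example.com is reported as a successful login from that source, so that account gets a forced reset; 198.51.100.9, which only retried alice's account, is not flagged. Real deployments would tune the window and threshold against their own traffic and would key on more than the bare source address, since a script can spread attempts across many addresses.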
The final step here is what applies to your organization. What if within those email addresses from Gawker there is a user’s work email address? (There is. LOTS of them.) And what if the password used to register the Gawker account is the same as the password for the corporate user account? Are we that far removed from a criminal seeing a corporate domain in that Gawker database and giving the foregoing scenario a shot? What, your organization requires that users change passwords every 90 days? Well, you have nothing to worry about…as long as the Gawker account was not created in the last 90 days. Or the user did not recycle a prior password that happened to be the one in use when the Gawker account was created.
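Before an organization can make the "change your corporate password" call, it has to know which of its people appear in the dump. The following is an added example (not code from the original post, and not the real Gawker data) of the check: read a leaked account list, pick out rows whose email is at a corporate domain, and, following the point above that people often reuse the part of their email before the @ as a username elsewhere, also pick out rows whose username or email local-part matches a corporate login. The CSV layout, the domain examplecorp.com, the account names and the directory of corporate logins are all constructed for the example.

```python
import csv
import io

# Constructed stand-in for a leaked account list (not real breach data).
LEAKED_DUMP = """\
Email,Username
John.Smith@ExampleCorp.com,jsmith
mary@gmail.com,mary
pat@examplecorp.com,pat.jones
someone@other.org,nobody
"""

# Constructed: the organization's own email domains and its directory of login names.
CORPORATE_DOMAINS = {"examplecorp.com"}
CORPORATE_LOGINS = {"jsmith", "pat.jones", "mary", "unrelated.user"}


def exposed_accounts(dump_text, corporate_domains, corporate_logins):
    """Return (by_domain, by_login).

    by_domain: leaked email addresses that belong to a corporate domain, i.e.
               employees who registered with their work address.
    by_login:  corporate login names that appear in the dump either as the
               site username or as the local part of a personal address,
               the reuse pattern the article describes for GMail users.
    Both sets are candidates for a forced corporate password reset.
    """
    corporate_domains = {d.lower() for d in corporate_domains}
    corporate_logins = {u.lower() for u in corporate_logins}
    by_domain, by_login = set(), set()

    for row in csv.DictReader(io.StringIO(dump_text)):
        email = row["Email"].strip().lower()
        username = row["Username"].strip().lower()
        local, _, domain = email.partition("@")

        if domain in corporate_domains:
            by_domain.add(email)

        # A match on either the site's username or the address local part
        # is enough to warrant a reset: the leaked password may be the work one.
        for candidate in (username, local):
            if candidate in corporate_logins:
                by_login.add(candidate)

    return by_domain, by_login


if __name__ == "__main__":
    domains, logins = exposed_accounts(LEAKED_DUMP, CORPORATE_DOMAINS, CORPORATE_LOGINS)
    print("work addresses in dump:", sorted(domains))
    print("corporate logins to reset:", sorted(logins))
```

Note that a 90-day rotation policy does not change the outcome of this check: as the paragraph above points out, a match means a reset is due regardless of when the password was last changed, because the leaked value may be the current one or a recycled earlier one.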
Maybe it is time to re-emphasize to your employees that they are not to use their corporate passwords anywhere else. As a Human Resources matter, you may also want to prohibit employees from using their work email address on personal web sites (this is excellent advice for many reasons, but not often followed by employees even when a policy is in place). Finally, you may also want to consider a Gawker-specific announcement about (1) the risk of using the same email address at multiple web sites, (2) sophisticated password usage and (3) changing the corporate password if it was used at any other web site.