Thoughts on the Gawker hack fiasco

So if you haven't heard about this massive fiasco yet, read this article for a quick summary.  We were talking about this in my wow guild chat and someone said "that's why my password is complex with a lot of 1's and o's."  Those of us who are computer literate lolled for a bit and then informed him that he had no idea what was going on.  This article is for the readers of this blog who are like him.

The problem here is that the usernames and passwords were all compromised, meaning that the hackers could SEE everything.  It doesn't matter if your password has lots of 1's and 0's.  It's out there now.  Everyone on the internet has access to it.  What also got me about my guildie's statement was that he said "password".  Singular.  While I didn't verify this, I get the feeling that he probably has one password that he uses for everything.  THIS IS BAD.  If you read the article I linked at the beginning of this post, it mentions that the compromised account usernames and passwords might have something to do with a bunch of twitter accounts getting hacked right after this happened.  To write a script that uses these usernames and passwords against a multitude of services is relatively trivial.  Blizzard has even sent out emails to users who might be affected by this hack (link).  This is also one reason everyone who plays wow should get an authenticator.  But I digress.

WHAT DOES THIS ALL MEAN?  At the very least, everyone should be examining their username/password security policies.  The ideal solution is to create unique usernames and passwords for each site/service you subscribe to, but this is not going to happen because 1) people are lazy and 2) good is dumb (points if you're old enough to remember where that reference came from).  At the very least, you can create tiers, or groups, of logins/passwords.  For sites where all you do with your login is comment or read (like forums), a dummy account should suffice.  If this dummy account were to be compromised, the associated risk is pretty low.  OMG SOMEONE CAN SPOOF ME AND WRITE COMMENTS ON GIZMODO!  Who the fuck cares.  However, when you start dealing with services and sites that could have extremely damaging effects if compromised, a unique username and password for each is the best method.  Make sure to pick a complex password and not something like "123456" or "password" as so many people using the Gawker sites did.  The downside is that we all use the internet so much now that this system can lead to mountains of usernames/passwords that we have to remember.  For this, you could try using a password manager, but that in itself is worthy of a whole other discussion (keeping all your passwords in one central location accessible by only a single password).
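As an added example (not from the original post), here is a small Python audit over a constructed export of saved logins that applies the tiering idea above: it flags passwords on a short common-password list and any password shared by a group of accounts that includes a high-risk one. The tier labels, site names and passwords are all made up.

```python
"""Password-reuse audit over a saved-login export (added example, constructed data)."""
from collections import defaultdict

# Tiny stand-in for a real common/breached-password list (constructed).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

# Constructed sample export: (site, tier, password). Nothing here is real.
# "dummy" = comment/forum accounts, "critical" = email, banking, game accounts.
SAMPLE_LOGINS = [
    ("gizmodo.com", "dummy", "throwaway1"),
    ("kotaku.com", "dummy", "throwaway1"),      # reuse among dummies: tolerated
    ("gmail.com", "critical", "Tr0ub4dor&3"),
    ("battle.net", "critical", "Tr0ub4dor&3"),  # reuse touching criticals: flagged
    ("bank.example", "critical", "password"),   # on the common list: flagged
    ("lifehacker.com", "dummy", "123456"),      # common even on a dummy: flagged
]


def audit(logins):
    """Return sorted (site, finding) tuples; an empty list means no findings."""
    findings = []
    by_password = defaultdict(list)
    for site, tier, password in logins:
        by_password[password].append((site, tier))
        if password.lower() in COMMON_PASSWORDS:
            findings.append((site, "common password"))
    for accounts in by_password.values():
        if len(accounts) < 2:
            continue
        # Sharing one password is only a finding when a critical account is in
        # the group: a dummy holding a critical password exposes it just the same.
        if any(tier == "critical" for _, tier in accounts):
            for site, _ in accounts:
                findings.append((site, "password reused across accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for site, finding in audit(SAMPLE_LOGINS):
        print(f"{site}: {finding}")
```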

Anyways, I hope this incident has at least made people think about their current username/password policies and perhaps contemplate upgrading their security.  I also would just like to note that while I don't condone hacking into other people's sites/systems, Gawker is dumb.  They actively went after 4chan/gnosis/whatever and instigated this.  What they did was the equivalent of driving into the bad part of town in their yuppie VW Jetta and talking shit to feel good about themselves.  You know the old saying.  Play with fire...