
Thread: Passwords - Please Be Smart! (Gawker vs. 4chan)

  1. Passwords - Please Be Smart! (Gawker vs. 4chan)

    So events have transpired today in what seems to be a tussle between Gawker (group of blogs that bring us such stuff as Kotaku and Gizmodo) and 4chan (image board that brings me Persona hentai and pictures of cute traps).

    The exacts of this aren't really important, and let's be honest, a lot of you probably don't care. However, why you should care, at least a little, is that a group of script kids (who may or may not be directly tied to 4chan) hacked the hell out of Gawker's databases, and now thousands of email addresses and passwords for accounts on Gawker sites are out there.

    Did Your Account Get Nabbed?

    First: go check to see if any of your email addresses show up. Follow the below instructions, and if you get a hit on any servers (such as "gmail.com"), then your info for your Gawker account is out there.

    1. Go here: Converting your email address to MD5
    2. Enter your email address under "Input", and click on "MD5". Copy the "Result".
    3. Then go here: The database
    4. Click on "Show Options" and change the filter to "MD5". Paste the copied "Result" and see if it shows up on search. If ANYTHING shows up on the search result (e.g. xxxx.com where xxxx is the domain of your email address), then your password has been compromised and sooner or later will be hacked if they feel like it.

    Personally, I'd do a search for any active-use email addresses you have, even if you can't remember using them on a Gawker site. You know, just to be safe.

    The other point to bring up is the question of password security. I know how it goes: in this day and age, it seems like every website wants you to make an account before you can do anything, so your list of usernames and passwords is a mile long. At some point, trying to remember them all is a lost cause, and complex password management can be a hassle for some. So, even the best of us have done it at times - using the same password for multiple websites.

    Being Smarter About Passwords in General

    Having a Gawker account hacked may be of little concern. The problem is, if you used a password on there that you've also used in other places, and if you - like most - tend to stick with one common username, the information leaked from Gawker could give somebody access to your account somewhere else if they take the time to try. Is it going to happen? Probably not. But you never know.

    Not that I'm any kind of password expert or anything, but I've tried a number of various methods for handling passwords. Having a few common ones, using phrases I associated with the website, taking a word and the site name and inter-mixing the letters, having a password storage app, random password generators, tons of things. Every solution I tried either left me feeling like my passwords weren't secure enough, or keeping track of everything was an utter pain.

    The solution I found is a password generation system, but not the random kind. The idea is this: you provide one string that is "fixed", and one string that is a variable. So, we start with a password, something easy for us to remember. In this case, let's say "northkoreaisbestkorea". The second string would be dependent on the site or service we want to use it with. So, let's say we're making a password for here, so we use "thenextlevel". Using those two strings, the password generator I use - under the way I have it set up - gives us the password "ACq6ekICuasa".

    Totally random-looking, unique one-use password, but how in the world do you remember that? That's the great part; you don't! All you remember is the one keyphrase you want to use, and then the system for how to determine the second variable. If you can remember that, then you can always retrieve your password, and you also gain the extra level of security in not having to write anything down.

    Recommendations

    Mnemosyne
    This is what I use. It's simple, easy, and best of all, there's both a Mac client and a free iPhone app. That way, even when away from my computer, a few seconds of fiddling with my iPhone and I can have my password for any site I need to log into. What's also nice is I can decide the length of the password I want and if it should include just letters, letters and numbers, or letters + numbers + ASCII characters. I don't believe there's a Windows version, but I'm sure a similar type of app (or many of them) exist out there.

    Password Chart (http://www.passwordchart.com/)
    Same kind of idea, but done completely over the web. Doesn't give you all of the options that a dedicated app like Mnemosyne does, and requires an internet connection, but it could be a good solution for at least making a more secure password that you then put into a password management system of some sort.


    Again, I'm no expert on all of this, and if anybody has other suggestions they'd like to make, please do so! If you take nothing else away from my ridiculously long post, however, please take a moment to think about your password safety. When it comes to account hacking or theft, things are only going to get worse, not better. Having somebody break into one of your accounts would really suck, but having a set of passwords that makes it easy for them to then break into a bunch of your other accounts is far, far worse. Keep yourself and your information as safe as possible; separate sites, separate passwords, and not simple words that could easily be brute forced!
    WARNING: This post may contain violent and disturbing images.
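
The fixed-phrase-plus-site-name scheme described in the first post, as an added example that is not part of the thread and is not Mnemosyne's algorithm (so it will not reproduce "ACq6ekICuasa"). It assumes PBKDF2-HMAC-SHA256 with the site name as salt; `derive_password`, `CHARSETS` and `ITERATIONS` are names made up for this sketch.

```python
import hashlib
import string

# Character sets mirroring the options the post mentions:
# letters only, letters + numbers, letters + numbers + symbols.
CHARSETS = {
    "letters": string.ascii_letters,
    "alnum": string.ascii_letters + string.digits,
    "full": string.ascii_letters + string.digits + string.punctuation,
}

# Assumed work factor: makes each guess at the master phrase expensive
# if one derived password ever leaks.
ITERATIONS = 100_000


def derive_password(master: str, site: str, length: int = 12,
                    charset: str = "alnum") -> str:
    """Derive a repeatable, site-specific password from one master phrase."""
    if not master or not site.strip():
        raise ValueError("master phrase and site name must be non-empty")
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    alphabet = CHARSETS[charset]
    n = len(alphabet)
    # Bytes at or above this limit are discarded so that every character
    # of the alphabet is equally likely (no modulo bias).
    limit = 256 - (256 % n)
    # Normalise the site name so "TheNextLevel " and "thenextlevel" agree.
    salt = site.strip().lower().encode("utf-8")
    out = []
    counter = 0
    while len(out) < length:
        # A counter in the salt yields further blocks if rejections use one up.
        block = hashlib.pbkdf2_hmac(
            "sha256", master.encode("utf-8"),
            salt + counter.to_bytes(4, "big"), ITERATIONS, dklen=64)
        for b in block:
            if b < limit and len(out) < length:
                out.append(alphabet[b % n])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs taken from the post's own illustration.
    print(derive_password("northkoreaisbestkorea", "thenextlevel"))
```

Every site password in such a scheme is recomputable from the master phrase alone, so the phrase has to be long and never reused as a password itself.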

  2. Thanks for this. I had read the article, and was pretty sure I hadn't signed up for any gawker sites, but I had some doubt. Followed your steps and my email came up clean. Mind now has peace.

  3. I hope kotaku burns

    edit: also they are morons for using DES
    Last edited by cka; 13 Dec 2010 at 08:15 AM.


  4. I had an account on LifeHacker and sure enough, my account was compromised. I'm not retarded and use the same password everywhere, thankfully. On that topic, there was a good article a while ago on Lifehacker (lols) about creating a password algorithm instead of a password. I've adopted it and it works really well. This can be done any number of ways, but a simple and effective method is as follows.

    Pick a 4 digit number you already remember - say, your Month/Day birthdate - for me, let's say it's

    0612

    Then you make your password whatever the name of the site is, and interleave the 4 digits into the word, one number after every vowel.

    the0ne6xtle1ve2l

    Then simply append it with a letter on each end, say the first letter of your name

    tthe0ne6xtle1ve2lt

    and you end up with an extremely strong, site-specific password which you can always remember.

    Also, if your account is a part of this mess, you'll more than likely have an email from Hint.io notifying you of the breach - The HackerNews kids are doing what Gawker should have done fucking hours ago.
    ABOUT ME.

    "Underground music should have its back turned, it needs to be gone, untrackable, unreadable"

  5. I use KeePass. You can save the files and the app on a thumb drive. Super easy and it has a generator as well.

  6. Yep, mine was on the list. I accept this as punishment for having a Gawker account.

  7. I have six passwords of varying strength that I use for various sites, and I change the strong ones from time to time. Anything that is tied to a bank account gets one of either of two stronger ones.

    Nothing came up for me though.
    Pete DeBoer's Tie
    There are no rules, only consequences.

  8. I wasn't caught with this Gawker thing but I figure it's only a matter of time now.

    Originally posted by Dyne:
    I use KeePass. You can save the files and the app on a thumb drive. Super easy and it has a generator as well.
    I just tried this and I like it a lot, thanks.

  9. Did the MD5 joint, came up clean. Hooray.
