Passwords, redux.

Posted on by Peter Hesse

I received the following email on Monday morning:

You don’t know me.  I’m nobody.  My name is Steve.  I came across a database dump from Gawker.com earlier this evening.  It’s making its rounds around the internet.  Besides just the code dump from gawker.com among other sites, it also contains email addresses and passwords for over 1.3 million accounts.  I’m sending this email to the 200,000 or so people who’s passwords were included, in plain text, in this archive.  I have your password.  However, I have 0 interest in it.  Obviously i’m anonymous so how can you trust me – you can’t.  But trust me, if I had interest in your password, I wouldn’t be emailing you saying I have it. That’s just dumb.  The reason I’m telling you this is because people all over the world, who aren’t like me, who won’t notify you, have it.  They will use and abuse it.  Change your gawker.com credentials. Now.  MORE IMPORTANTLY, change passwords on other sites you visit that use the same one as your gawker.com/lifehacker.com/gizmodo.com login.

Well, it was believable enough… then, I read an article on Forbes and knew it wasn’t a scam. Argh. To their credit, Gawker has some informative posts on their breach and how to audit and update passwords.

As background: I use a password manager to manage my passwords, and it helps me use secure passwords wherever possible. However, I have a number of passwords which predate my use of a password manager, and for many sites I used the same password. Yes, it’s a bad security practice that we’ve talked about before, and even XKCD has weighed in.  The use of this same password didn’t bother me – it was my password for using on sites that I considered “low impact”. In other words, I didn’t feel like it was a big deal if that password was compromised.

Receiving that email, along with a notification from Google that my account had been locked out, was a wakeup call. Suddenly, it became a big deal to me.

So, I spent this evening going through my password manager’s records. I have 507 saved passwords.  I had nearly 150 with the same password.  I changed every one of them to a randomly generated password.  It took me over three hours to go through that process.  A tremendous hassle. Let me suggest from experience: change those passwords you use on many sites.  If you try to do them all at the same time, it will be a tiring and painful process.