Monday, December 13, 2010

Gawker User Passwords Compromised

I'll try to keep this short.

For those who didn't hear or didn't care, Gawker Media Lost Some User Info.

And then a thing started happening at Twitter: TweetSpam from accounts that had never produced TweetSpam before. Specifically, from accounts belonging to people whose Gawker credentials had been compromised. How is this so? Because those people used a common password between the two sites.

As an IT person, I can tell you the rules of passwords:
  1. Don't use passwords that are short or easy to guess.
  2. Use uppercase, lowercase, symbols, and numbers.
  3. Don't write down your passwords, someone will find them.
  4. Don't use the same password on more than one site.
  5. Change your passwords often.

Now then, honestly, we've been saying these things for more than a decade now, and everyone knows that they are blatantly ridiculous. Make a password that is hard to guess, difficult to remember, complicated, don't write it down, and don't use it at more than one place. And then change all of those passwords every 30/60/90 days.

As if you might be that superhuman. Maybe 1 in 1 million people have the mental capacity to pull that kind of thing off, but for the rest of us mere mortals, we're left to either break one or more of The Rules or use a password manager. Or use your OpenID/Google account/Facebook login: a central authority for your authentication.

And that's what this post is about. The terrible solutions we propose to the unsolvable problem we created.

Password managers? Sure, they are safe: the data is encrypted! The source code is open! The company is reputable! These all may be true today, but if the company is compromised and a group of hackers manages to insert their send-all-the-passwords-to-me code into the application, it could be weeks, months, or years before anyone finds it. What if they hacked the compiler used to create the completely-safe password manager app? What if they hacked the compiler that compiles the compiler that creates the completely-safe password app? Yes, Virginia, that can happen, and many theses have been written on the matter. Your passwords aren't really any safer than the database that runs the web site that has your password.

Linked accounts? Now, if there is a breach at one place, you're compromised at every single other place that was linked to it. There's a great solution!

If you're looking for answers, they are not here, because really: they do not exist.

Because of this, we really have to stop preaching the password rules as if they are the IT Gospel.

What can you do? Try to follow the rules, enough to make yourself able to sleep soundly each night, and maybe buy some identity theft insurance.

I'm just sayin'.