by Bill Snyder

6 Password Security Tips to Learn from Gawker Hack

Dec 20, 2010

The recent Gawker hack resulting in stolen passwords is what President Obama likes to call a teachable moment. Take this opportunity to review your own online password habits.

The Germans have a word for it: Schadenfreude, taking pleasure in someone else’s misfortune. And I have to admit, I did feel a twinge of satisfaction when Gawker, one of the snarkiest and most self-satisfied collections of sites on the Web, was hacked. But I do worry about the 1.2 million people whose passwords were stolen and posted on the Web for any moderately skilled bad guy to crack and use.

If nothing else, the attack on Gawker is what the President likes to call “a teachable moment,” with lessons for anyone who uses the Web. (And speaking of the President, two of the stolen passwords were associated with the domain

Lesson One: Don’t use the same password on multiple sites.

If the worst thing that could happen to Gawker users was that someone would post a fake comment, nobody would really care. But “attackers will undoubtedly be testing the cracked passwords against both personal and corporate services such as e-mail accounts, online banking sites, VPN remote access logins,” Jon Oberheide, the co-founder of Duo Security, said in a blog post.

Duo technicians downloaded the Gawker file, and in just one hour solved 190,000 passwords; before long 400,000 were broken. Duo posted the 25 most common passwords on its site — but without identifying email addresses or user names — and that brings me to the

Lesson Two: Use a strong password, something many Gawker users haven’t figured out.

For example, 2516 Gawker account holders used “123456” as a password, while another 2188 used “password” for a password. You get the idea. Ideally passwords should contain a mix of upper- and lower-case letters, numbers and keyboard characters, such as # or ^. (Gawker posted a helpful list of FAQs after the attack.)

Lesson Three: Once you hear about a break-in, check to see if you’re using that password and username on multiple sites.

If you are, change them. Here is a little widget that will tell you if your password was posted. Gawker sites include,, Fleshbot, Deadspin, Lifehacker, Gizmodo, io9, Kotaku, Jalopnik, and Jezebel.

Lesson Four: If you use online bill pay, or buy stuff on the Web, check your bank and credit card statements frequently.

If your password info is hacked and matched to a shopping or financial site, you may have some big charges before you know it. While it’s true that some of the larger credit card providers will notice a large purchase or cash withdrawal that seems out of the ordinary and notify you, not all do that. What’s more, smaller purchases or cash withdrawals are easy to miss, but can add up. Some clown once charged $3.00 at a convenience store using one of my credit cards, but luckily the bank noticed it and changed my account number before he could buy something bigger.

Lesson Five: Instead of relying on your memory or stacks of sticky notes, use a password manager.

I like Roboform, which now works with multiple browsers including Firefox and Chrome. But remember, you still need to create a strong password for Roboform to remember. Don’t want to buy a program? You can get some, but not all, of the benefits by using features built into most browsers that can automatically fill in passwords you have saved.

Lesson Six: Be wary of public PCs.

When using a public computer in a hotel or cafe, be absolutely certain that you’ve logged off and closed the browser or at least the tab linked to a sensitive site.

There’s a lesson here for Gawker staffers as well. Be a little humble. Next time you start to pick on a site or a person who has done something dumb, take a look in the mirror before you post.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at
