Gawker Comment Accounts Compromised

Got this in an email this morning…

This weekend we discovered that Gawker Media’s servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you’re a commenter on any of our sites, you probably have
several questions.

Why yes, I do have some questions…

  1. Why are you storing passwords in a form that means people can “release them onto the Internet”?
  2. Why am I being told on Tuesday about stuff that happened on Saturday?

#include "facepalm.h"

It’s a bit poor that websites devoted to telling people common sense manage to fail at it themselves. It’s very, very simple: do not store user passwords in plaintext. User forgets their password? You send them a time-limited token that lets them reset it.
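To make the two points above concrete, here is an added example (not code from the original post, and nothing to do with Gawker’s actual system) showing what a comment-account store should hold instead of plaintext: a random salt plus a slow PBKDF2 hash of the password, and for “forgot my password” a single-use reset token that is itself stored only as a hash with an expiry. It uses only the Python standard library; the iteration count, the 15-minute token lifetime and the in-memory `USERS` dictionary are illustrative assumptions.

```python
"""Salted password hashing plus time-limited, single-use reset tokens.

Added example, not code from the original post or from any Gawker site.
Standard library only: PBKDF2-HMAC-SHA256 for the password hash,
secrets for token generation, hmac.compare_digest for constant-time
comparison. Iteration count and token lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware
RESET_TOKEN_TTL = 15 * 60    # assumption: tokens live 15 minutes

# Constructed in-memory "database": username -> record.
# A dump of this never contains a password or a usable reset token.
USERS = {}


def create_user(username, password, *, iterations=PBKDF2_ITERATIONS):
    """Store only a random salt and a slow hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    USERS[username] = {
        "salt": salt,
        "hash": digest,
        "iterations": iterations,
        "reset": None,  # pending reset token (hashed) plus expiry, if any
    }


def verify_password(username, password):
    """Recompute the hash and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Burn comparable CPU for unknown users so response time does not
        # reveal whether an account exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16,
                            PBKDF2_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 rec["salt"], rec["iterations"])
    return hmac.compare_digest(digest, rec["hash"])


def issue_reset_token(username, now=None):
    """Create a single-use token; store only its hash and an expiry.

    The raw token is returned for delivery to the user (e.g. by e-mail).
    A leaked database holds only the SHA-256 of it, which cannot be replayed.
    """
    rec = USERS[username]
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    rec["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token


def reset_password(username, token, new_password, now=None):
    """Accept the token only if it matches, is unexpired and unused."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    now = time.time() if now is None else now
    pending = rec["reset"]
    if now > pending["expires"]:
        rec["reset"] = None  # expired tokens are discarded outright
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    # Valid: consume the token (it cannot be used twice) and re-hash with
    # a fresh salt.
    rec["reset"] = None
    create_user(username, new_password, iterations=rec["iterations"])
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    tok = issue_reset_token("alice")
    print("reset ok:", reset_password("alice", tok, "new passphrase"))
    print("old password now rejected:", not verify_password("alice", "correct horse battery staple"))
```

The design choice worth noting is that the reset token is treated exactly like a password: only its hash lives in the database, it expires, and it is deleted the moment it is used. That way the “send them a token” flow does not quietly reintroduce the plaintext-secret problem it was meant to avoid.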

This is also why it’s bad to type in your Facebook/Twitter/Googlemail details into those “import your contacts” forms on websites.

Never mind, nobody is daft enough to use the same password on multiple websites, right?

Keepass Password Safe

Following my mess with online banking yesterday I decided to do something constructive. Originally all my passwords lived in my browser and were synchronised between machines using Google Browser Sync. Now this is no more and once again I was forced to either remember them, or write them down somewhere. Writing down passwords is a silly thing to do, so following a recommendation I downloaded and installed KeePass Password Safe.

It works very nicely; I’ve even got the password database stored in my SVN server for safekeeping. I also installed it on my Mac (using KeePassX) and after a quick svn co I had the database on my Mac too, all working.

Shame there’s no Nokia Internet Tablet version, it’d be perfect then. Oh well, I’m happy with 99% perfect 😉