The recent infiltration of computers at the Gawker Media Network, which runs Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot, illustrates some Defensive Computing practices.
The bad guys got hold of well over a million email addresses and encrypted passwords for the assorted Gawker websites. The encryption used to store the passwords was flawed and many have been decrypted. Perhpas mine, I was registered with one of Gawker sites.
But, I don't care.
My password was unique, it was only used at the Gawker website and nowhere else.
Good thing too, because as the screen shot above, from didigetgawkered.com, shows, my Gawker identity was indeed stolen.
Managing a slew of unique passwords is more than many people can handle, so they re-use one password. Understandable, but dangerous.
With that in mind, consider using a formula to generate unique passwords. Then, all you need to remember is the formula.
Start with a phrase that you can easily remember. For example
The Phillies will win the World Series in 2011
Then, take the first character of each word in the phrase. This gives us the fantastically random "TPwwtWSi2". The inclusion of upper and lower case letters, along with a number, makes it even more secure.
Since the phrase includes a date, you might use the whole date and end up with the even more secure "TPwwtWSi2011".
At this point, you need to remember the phrase, to take the first character of each word and to use the whole date. Seems like a reasonable task to me.
Simple concatenation can then yield an unlimited number of passwords from this secret clump of seemingly random characters.
For example, a Gmail password might be "gmailTPwwtWSi2011" and a New York Times password might be "nytTPwwtWSi2011".
This isn't a perfect system, but it's a huge step up from using a word in the dictionary. And, it generates multiple unique passwords that can be remembered without the assistance of software. Chances are you know someone who would be more secure using this approach. It seems to strike a happy medium, being both reasonably secure and reasonably simple.
A lot of people need a better password management system.
Typically, in cases where a large cache of passwords is stolen, an analysis finds many people using terribly obvious passwords. Here too, many Gawker clients used "password" and "12345" as their password. Duo Security has published the 250 most common passwords from Gawker users.
Anyone using one of these common passwords would have been much better off with a password of "gawkerTPwwtWSi2011".
Finally, Daniel Kennedy's account at Forbes of the Gawker security breach ends with another Defensive Computing principle. Don't tick off people that know more about computers than you do.
Updated Dec. 7, 2010 to include screen shot from www.didigetgawkered.com