Lessons learned from the Gawker hack

From Commenting Accounts Compromised — Change Your Passwords – Gawker:

If you’ve registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn’t log in using Facebook Connect, then it’s best to assume that your username and password were included among the leaked data.

As usual, people are being advised to change the passwords they used on those sites, and to change the same passwords anywhere else they reused them. Indeed, a number of high-profile individuals used the same password on Twitter and Gmail as they did on Gawker, and those accounts have been compromised and abused.

1Password users, of course, should be using strong unique passwords for different logins. This way the compromise of one site’s database doesn’t threaten you in other places.

While this all-too-frequent event reminds us of the importance of good password management, it also reminds us that the sites we use our passwords on aren’t always making the best password-storage choices on their end: a site’s password database is only as safe as the hashing it uses, and you have no control over that. The lesson here is, again, to use a strong password for every site, and never use the same password twice.
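The following added example, which is not AgileBits’ or Gawker’s code and does not claim to show how Gawker actually stored its passwords, illustrates the two points above with constructed data: a fast unsalted hash lets an attacker crack an entire leaked database with one precomputed table, a per-user salt plus an iterated KDF makes every (user, candidate) pair cost a full KDF run, and none of that helps a user who reused the cracked password on a second, better-run site. Site names, usernames and the wordlist are invented; the iteration count is a demo value.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample wordlist; real cracking runs use millions of candidates.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def weak_hash(password: str) -> str:
    """Fast, unsalted hash. One precomputed table cracks every user in a dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The iteration count is a demo value; set it as high as your login
    latency budget allows in production."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_weak(dump: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on an unsalted dump: hash each candidate once, then look
    every user up in the table. Returns (cracked, number of hashes computed)."""
    words = list(wordlist)
    table = {weak_hash(w): w for w in words}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(words)


def crack_strong(dump: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts there is no shared table: each (user, candidate) pair
    costs a full KDF run, so work grows with users * candidates * iterations."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    kdf_runs = 0
    for user, stored in dump.items():
        for w in words:
            kdf_runs += 1
            if strong_verify(w, stored):
                cracked[user] = w
                break
    return cracked, kdf_runs


def reuse_exposure(cracked_elsewhere: Dict[str, str], other_site: Dict[str, str]) -> List[str]:
    """Credential reuse: the attacker never touches other_site's database; they
    replay passwords recovered from the weak site and see which ones work."""
    return [user for user, pw in cracked_elsewhere.items()
            if user in other_site and strong_verify(pw, other_site[user])]


def demo() -> Tuple[Dict[str, str], int, List[str]]:
    # Site A hashed badly; site B hashed well; alice reused "letmein" on both.
    site_a = {"alice": weak_hash("letmein"),
              "bob": weak_hash("correct horse battery staple")}
    site_b = {"alice": strong_hash("letmein"),
              "bob": strong_hash("Xk7!mQ2#pL9vRt4w")}
    cracked_a, hashes = crack_weak(site_a, WORDLIST)
    return cracked_a, hashes, reuse_exposure(cracked_a, site_b)


if __name__ == "__main__":
    cracked, hashes, exposed = demo()
    print("cracked at site A with %d hashes: %s" % (hashes, cracked))
    print("also log in at site B by reuse: %s" % exposed)
```

Note the asymmetry the numbers show: cracking the weak site costs one hash per candidate regardless of how many users leaked, while the salted store costs one KDF run per user per candidate. Site B’s good hashing still does nothing for alice, because the attacker logs in with the password site A gave away. That is why a unique password per site is the only defence you control.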

So what about 1Password and cloud storage? The good news is that from the very beginning we designed the 1Password data format to withstand the most sophisticated attacks imaginable. You can read more about that here. Stay safe out there!

8 replies
  1. Rob says:

    That’s great, but when I’ve used 1Password to store all my passwords it would be nice to be able to quickly find all the logins that use a single email address or username so that one can check which passwords most urgently may need changing.

    Also the flaky sync between Mac, iPhone and iPad has been incredibly frustrating after changing passwords this evening due to the above hack of Gawker. I ended up with duplicate entries on iPhone and Mac and still haven’t been able to get my iPad to sync. Not what you need at a time of stress.

    And yes, I have followed the instructions on how to fault find but really I just want it to work. Any chance it’ll sync via USB cable at some point? Would be so much easier (and secure)?

  2. Tyler Karaszewski says:

    Finding my email address in the list of leaked Gawker accounts (though thankfully not in the list of cracked ones) was actually what prompted me to purchase 1Password today (and I’m quite impressed so far, I love the website preview feature, even if it’s mostly just fun and superfluous).

    But, seeing as I don’t want to be vulnerable to losing absolutely everything if my laptop dies, I decided to take your advice and back up my info on Dropbox, which immediately left me with a catch-22: obviously what I want to do is create a strong Dropbox password and store it in 1Password, but that means that if my laptop dies, I’ll never be able to recover my Dropbox password. Do you guys have best practices for this?

  3. Daniel Grutsch says:

    @Tyler: If you have a trusted and safe place at home, just print the password (or write it down) and put it in an envelope which you can seal. Then store it at this place. If your laptop dies, you will have the possibility to enter Dropbox again.
    An easier way may be to back up the 1Password database to a portable device. In an emergency case you can install 1Password on another machine and get the Dropbox password out of the saved database.

  4. Andy says:

    I second Rob. It would be great if there was a way to search through all fields (including password). The workaround of exporting to a text file and searching that makes me uncomfortable.

  5. Glen says:

    @Andy & @Rob: There are several ways to find if a given email address was used for a username. One option is to type your email address in the search window and then click on “Username” to limit the results to just matching the username field.

    The second way is to create a smart folder with the criteria “Username is” or “Username contains”.

    Disclaimer: I don’t work for Agile, I just think they have some terrific products.

    • Brett says:

      Thanks for chiming in, Glen! That’s totally correct. You can use File > New Smart Folder and set the criteria to anything that contains a certain password phrase in the password field, and/or a specific username. This makes it easy to see all of the accounts that are at risk if a certain username/password combination is compromised.

  6. Alan Murray says:

    You can create a new Smart Folder in 1Password that shows all logins that use a certain password. That way if a password is compromised you can instantly see which accounts you need to go and change your password for :)
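As an added example (not 1Password’s code, and not a real 1Password export format: the CSV columns and the sample logins are constructed for illustration), here is the audit the commenters above describe as a script, for anyone working from an exported copy of their vault rather than a smart folder. It finds every login using a given email address, groups logins that share a password without ever emitting the password itself, and, given the name of a breached site, splits the rest of the vault into logins that must be changed now (same password as the breached site) and logins that merely share the username or email (not compromised by the leak, but the obvious targets for credential stuffing and phishing).

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample export; the column names are an assumption, not a real
# 1Password export layout. "rob" reused "hunter2" on three sites.
EXPORT_CSV = """title,username,password
Gawker,rob@example.com,hunter2
Twitter,rob@example.com,hunter2
Gmail,rob@example.com,hunter2
Kotaku,rob@example.com,k0taku-0nly-pw
Bank,rob,Zq9!vT3#bN8@wL2m
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export held in memory (never write a decrypted copy to disk)."""
    return list(csv.DictReader(io.StringIO(text)))


VAULT = parse_export(EXPORT_CSV)


def logins_using(vault: List[Dict[str, str]], field: str, value: str) -> List[str]:
    """The search-box equivalent: every login whose field equals value."""
    return [e["title"] for e in vault if e.get(field) == value]


def reused_password_groups(vault: List[Dict[str, str]]) -> List[List[str]]:
    """The smart-folder equivalent, minus the password in the output: groups of
    two or more logins that share a password. Only titles are returned, so the
    result can be pasted into a to-do list without leaking anything."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in vault:
        groups[e["password"]].append(e["title"])
    return [titles for titles in groups.values() if len(titles) > 1]


def at_risk_from_breach(vault: List[Dict[str, str]], breached_title: str) -> Dict[str, List[str]]:
    """Triage after a leak like Gawker's.
    change_now: logins sharing a password with the breached site; the leaked
                password logs in there today, so these come first.
    same_username: logins sharing only the username/email; safe from the leak
                itself but the next targets for credential stuffing and phishing."""
    breached = [e for e in vault if e["title"] == breached_title]
    leaked_passwords = {e["password"] for e in breached}
    leaked_usernames = {e["username"] for e in breached}
    change_now: List[str] = []
    same_username: List[str] = []
    for e in vault:
        if e["title"] == breached_title:
            continue
        if e["password"] in leaked_passwords:
            change_now.append(e["title"])
        elif e["username"] in leaked_usernames:
            same_username.append(e["title"])
    return {"change_now": change_now, "same_username": same_username}


if __name__ == "__main__":
    print("logins for rob@example.com:", logins_using(VAULT, "username", "rob@example.com"))
    print("password reuse groups:", reused_password_groups(VAULT))
    print("after the Gawker leak:", at_risk_from_breach(VAULT, "Gawker"))
```

If you do run something like this against a real export, keep the export in memory or on an encrypted volume and delete it as soon as the audit is done; a plaintext export on disk is exactly the exposure Andy is uneasy about, and the built-in smart folder avoids creating it at all.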

Comments are closed.