If you haven’t heard, Gawker had a major password leak recently. They’re a major blog network, hosting sites like Lifehacker, Gizmodo, and Kotaku among others. To be fair, Gawker isn’t the only site to have massive data leaks, either by deliberate hacking or accidental mishandling.
The Wall Street Journal has an excellent blog post about the top 50 passwords in the leaked data. The graph of the top 50 shows a nice Zipfian curve. I’m not sure that I expected that, but what else should I expect?
They don’t stop there; they analyse by password length and email provider as well. It’s a shame that level of analysis is often left out of normal news. metalev has more analysis — it shows more of the curve and shows the top 50 numeric passwords.
At first, my reaction was that it’s just accounts for making comments and such on Gawker sites. From what I heard, compromised accounts were used for SEO – link farms and such to fool PageRank. But this xkcd explains some of the real danger — account information is often reused across sites.
One solution that LifeHacker suggests is LastPass, which remembers all your passwords in a central, cloud-backed web browser plugin. It’s a “one password to rule them all” solution, so it enables you to have a unique password for every site, and can generate strong passwords for you. The downside is that it’s a central point of failure, but it sounds like they do a good job. LastPass Premium supports two-factor authentication using a thumb drive (which greatly strengthens your account), but it costs a little money ($1 a month).
You really have to read the material to decide whether or not to trust it, but it sounds excellent. The password file is encrypted/decrypted locally, so it’s never stored decrypted anywhere, especially not on cloud storage. They also say no one at LastPass can access your encrypted data, which suggests that your master password isn’t stored anywhere. The downside is that you really can’t do much if you forget the master password. Amazingly, it’s set up to work fine whether cloud storage is up or not.
I’ll probably move to using LastPass soon. Also, if I get some more free time I’ll try to do a more detailed analysis of the various password leaks over time (and maybe of the brute-force tools one needs to protect against).
Also, I want to link a story about high-level analysis of Santa letters, which I came across via DCist through Google’s suggestions. There isn’t any real data, but it’s probably real and is a pretty sobering take on this year.