Here's the thing about securing credentials in web apps: you're not just responsible for securing your application, you're also responsible for securing your customers' identities.

123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese

These 25 passwords were used a total of 13,411 times by people with Gawker accounts. The first one – 123456 – was used over two and a half thousand times alone. How do we know this? Because every one of these passwords and hundreds of thousands more were stolen from Gawker last month and released into the wild, where they are now readily accessible. Because people reuse their credentials, Gawker's approach to application security didn't just compromise their own data, it compromised an untold number of other applications.

Gawker obviously screwed up on a fairly grand scale. There's a lot of commentary out there about what they did wrong and how it led to such a comprehensive breach, but what's really interesting is the damage done beyond Gawker. Shortly after the Gawker hack, Twitter became flooded with Acai spam. Why? Because evil-doers simply took compromised usernames, email addresses and passwords from Gawker, plugged them into Twitter and guess what? Many of them worked!

Of course the problem here is human, in that many people simply create themselves a master username and password and reuse these credentials everywhere. There's no arguing this is a big security no-no, but there's also no arguing that there's very little we, as software developers, can do about this. Federated and second-factor authentication services are great, but let's face it – they have their own issues, and how often are they actually used?

How many of the passwords above look "strong"? How many look like they could feasibly have been used on other websites? Other than the "gizmodo" one, I'd say the likelihood of reuse is rather high. Even the founder of Gawker used the same eight-digit password for Twitter as he did for his own company's website! In fact, the likelihood of password reuse was sufficiently high for LinkedIn, Yahoo and Blizzard (and probably others) to request that potentially affected customers reset passwords on their sites. This is a serious indictment of internet security practices, as it acknowledges the high propensity for password reuse and concedes that once an individual is compromised in one location, chances are they will be compromised in many locations.

## Your responsibility goes beyond your application

This brings me to the point of this post: your responsibility stretches beyond your application. The do-gooder side of me would call this a "social responsibility". The more pragmatic side would simply point out that the impact of the breach on Gawker's customers became significantly worse when they were required to take action on totally unrelated websites. If I were a Gawker customer, which, as you can now discover for yourself, I'm not, I'd be pretty unimpressed at the impact on my LinkedIn and Yahoo accounts. Many people may not have cared too much that the account they use to leave comments on a media site was breached. But once the account they use as an essential part of their online identity – something potentially responsible for their reputation, job opportunities, relationships – became breached, well, that's a whole other story.
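One thing a developer can do on the application side is refuse the passwords that a dump like this shows to be most common, so that a credential stolen elsewhere is less likely to also be valid here. The following is an added example, not code from the original post or from any Gawker system: it uses the 25 passwords listed above as a small denylist (a real deployment would load a far larger breached-password corpus), treats the site's own name as a banned token because "gizmodo" is the one entry above that is obviously site-specific rather than reused, and shows how a top-N list with counts is derived from a set of records. The `site_names` default, the leet-substitution table and the sample records are all assumptions constructed for the example.

```python
from collections import Counter
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

# The 25 most-used Gawker passwords quoted in the post, reused here as a
# small denylist. A production check would load a much larger corpus of
# breached passwords; the post only gives us these.
GAWKER_TOP_25 = [
    "123456", "password", "12345678", "qwerty", "abc123", "12345", "monkey",
    "111111", "consumer", "letmein", "1234", "dragon", "trustno1", "baseball",
    "gizmodo", "whatever", "superman", "1234567", "sunshine", "iloveyou",
    "fuckyou", "starwars", "shadow", "princess", "cheese",
]
DENYLIST: FrozenSet[str] = frozenset(GAWKER_TOP_25)

# Assumed leetspeak substitutions, so "p@ssw0rd" is caught as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "|": "l"})
TRAILING = "0123456789!.?"


def variants(password: str) -> Set[str]:
    """Forms of the password to compare against the denylist.

    Lower-cases, drops a trailing run of digits/punctuation ("monkey123" ->
    "monkey") and undoes leet substitutions. Purely numeric passwords skip
    the leet step so that "123456" is still compared exactly as typed.
    """
    p = password.lower()
    forms = {p, p.rstrip(TRAILING)}
    if not p.isdigit():
        forms |= {f.translate(LEET) for f in list(forms)}
    forms.discard("")
    return forms


def check_password(password: str,
                   site_names: Iterable[str] = ("gawker", "gizmodo"),
                   denylist: FrozenSet[str] = DENYLIST,
                   min_length: int = 8) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    site_names is an assumption: the site's own brands are banned tokens
    because such passwords are trivially guessable for that site.
    """
    forms = variants(password)
    if forms & denylist:
        return "appears in breached-password list"
    for name in site_names:
        if any(name in f for f in forms):
            return "contains the site name"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


def top_passwords(records: Iterable[Tuple[str, str]],
                  n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent passwords in (email, password) records.

    This is how a "top N" list like the 25 above is produced from a dump; the
    counts show how much coverage a denylist of that size actually buys.
    """
    return Counter(pw for _, pw in records).most_common(n)


# Constructed sample records (not real breach data) to exercise the functions.
SAMPLE = [
    ("a@example.com", "123456"), ("b@example.com", "123456"),
    ("c@example.com", "123456"), ("d@example.com", "password"),
    ("e@example.com", "password"), ("f@example.com", "Tr0ub4dor&3"),
    ("g@example.com", "monkey"), ("h@example.com", "gawker-rules-2011"),
]

if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE, 3):
        print(f"{pw!r}: {count} accounts")
    for pw in ("P@ssw0rd1!", "monkey99", "gawker-rules-2011", "short1", "Tr0ub4dor&3"):
        print(f"{pw!r} -> {check_password(pw) or 'ok'}")
```

The denylist check is deliberately run on several normalised forms rather than the literal string, because the obvious way users satisfy a "must contain a digit" rule is to append one to the same weak word, which leaves the password just as reusable across sites.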