Mac 101: Securing your passwords after the Gawker breach
Thanks to questionable security practices at Gawker Media (publishing parent of many high-profile websites including Gizmodo and Lifehacker), a number of people are busy scrambling to change their passwords on a lot of different sites today. Gawker stored encrypted passwords on its servers instead of password hashes (and stored those passwords using the deprecated DES standard), so as a result of some weekend hacking, a lot of email addresses and passwords were stolen.
Gawker Media is asking anyone who uses its comment system to change their password immediately, and if they used the same email address and password on other websites, they should change those passwords as well. If you have used any of the Gawker sites in the past, you can use Slate's Gawker Hack widget to determine if your email address and password was part of the group that was compromised. Some other sites like LinkedIn are proactively disabling the accounts of users who were included in the data dump, requiring them to reset their passwords before they can get back in.
Common sense dictates that for the best security, every website account should have a separate password; you should never use a dictionary word, birthday or family name as your password; strong passwords always need a mix of capitals and lowercase letters, numbers and (if acceptable to the service you're logging into) punctuation/non-alphanumerics. (The number of people who used 'password' or '123456' as their comment login in the Gawker system is truly shocking.)
However, our puny human brains don't work well with strong passwords; we just can't remember a lot of passwords that are random gibberish, and even using mnemonics and other tricks for password generation can fill up the ol' brain pretty quickly. There are some ways to generate strong passwords that are associated with just one website -- and keep them recorded securely on your Mac or in the cloud -- so click that Read More link to see how.
For all the tips that follow, be sure you have solid and reliable backups -- it would be a giant pain to lose your passwords if your hard drive dies.
To begin with, there's an extremely powerful tool that comes with every Mac sold. In the Utilities folder you'll find the Keychain Access application. This app has a built-in Password Assistant for generating strong and unique passwords.
Launch Keychain Access, and then select File > New Password Item. In the field marked Keychain Item Name, type in the URL (address) for the website:
Next, type in your account name, and then click that little key icon to the right of the password field. The Password Assistant appears (see image below), and you can choose from one of several different types of passwords -- memorable, letters & numbers, numbers only, random, and FIPS-181 compliant -- then use a slider to set the length of the password.
Remember that longer passwords are much more difficult to break -- although, unless you're depending on this password to protect your financial info or medical records, a 10-15 character password is probably fine. Click Add to save the new password on your Mac keychain. To grab the password while logging into a site, launch Keychain Access (it might be helpful to keep it in your Dock) and use the search field to search for the URL you're looking for. Double click the item in the list of sites, and then check Show Password to view your password or copy it to your clipboard. Note that you'll need to enter your admin password to view the site password.
The popular cross-platform password management application 1Password ($39.95, family pack available for $69.95), also has a way to generate strong passwords. 1Password is handy because it can automatically enter your user name and password into a site's login form with the click of a button, making it a cinch to use long passwords without the need to remember them or copy/paste them; it can also store your password data on Dropbox or MobileMe for instant backup and easy access (while keeping everything secure and safe). If you're already using 1Password, it's easy to search through your login data to see if you're using your Gawker login credentials at any other site, and change those passwords quickly (just search by field 'Password').
When the 1Password plug-in is installed in your browser, you'll see a small "1P" icon. Clicking that icon displays a dropdown menu, with one item being "Strong Password Generator." As with Keychain Access, you'll need to enter in a title and the URL of the site, and you can then use the length slider to create incredibly long passwords that can either be pronounceable (easier to read to someone if you need to) or completely random.
I personally use 1Password for most of my internet logins simply because it can create very complex passwords, and then let me log into those sites with a click from Mac, Windows, iPad, or iPhone.
Last weekend's 360MacDev was extremely timely, as one of the speakers was Dave Wiskus of Double Encore. One of the free apps from Double Encore is KeyGrinder, which is a unique web and iOS app (coming soon for Mac) that creates password hashes that are generated by an algorithm that takes the website URL and an easily-remembered personal password, then mashes them up to develop a unique code. The password you log in with is different for every website since the site URL is completely different from place to place.
Regardless of what device you're working on (Mac, Windows PC, iOS device), the same URL and personal password will always create the same password hash, so the same password will be generated on any device. The web app is accessible at http://keygrinder.com.
Another free app (available in a paid "premium" version as well) that is similar to 1Password is LastPass. As with 1Password and KeyGrinder, all you need is a master password to get into just about any site. The app is cross-platform; not only does it work with Mac or Windows, but it's usable on Internet Explorer, Safari, Firefox, and even Google Chrome as well as a variety of smartphone operating systems.
The Gawker hack attack has made the need for unique and strong passwords painfully aware to a lot of people. Hopefully, you'll be able to use one of these three tools to help keep your passwords secure.
Subscribe to Newsletter
Software Updatesmore updates
- Daylite 5 adds refinements to the business management app
- 1Password 4.5 for iOS gains features, slims down
- IFTTT for iPad brings service/device mashups to your favorite tablet
- Daily App: Rormix brings indie music videos to your iPhone and iPad
- Pebble updates its iOS app with new apps, sharing options and v2.1 fix
- PSA: Pebble for iOS v.2.1 update contains critical flaw that breaks the app - Update