
Mac 101: Securing your passwords after the Gawker breach

Thanks to questionable security practices at Gawker Media (publishing parent of many high-profile websites including Gizmodo and Lifehacker), a number of people are busy scrambling to change their passwords on a lot of different sites today. Gawker stored encrypted passwords on its servers instead of password hashes (and stored those passwords using the deprecated DES standard), so as a result of some weekend hacking, a lot of email addresses and passwords were stolen.

Gawker Media is asking anyone who uses its comment system to change their password immediately, and if they used the same email address and password on other websites, they should change those passwords as well. If you have used any of the Gawker sites in the past, you can use Slate's Gawker Hack widget to determine if your email address and password were part of the group that was compromised. Some other sites like LinkedIn are proactively disabling the accounts of users who were included in the data dump, requiring them to reset their passwords before they can get back in.

Common sense dictates that for the best security, every website account should have a separate password; you should never use a dictionary word, birthday or family name as your password; strong passwords always need a mix of capitals and lowercase letters, numbers and (if acceptable to the service you're logging into) punctuation/non-alphanumerics. (The number of people who used 'password' or '123456' as their comment login in the Gawker system is truly shocking.)

However, our puny human brains don't work well with strong passwords; we just can't remember a lot of passwords that are random gibberish, and even using mnemonics and other tricks for password generation can fill up the ol' brain pretty quickly. There are some ways to generate strong passwords that are associated with just one website -- and keep them recorded securely on your Mac or in the cloud -- so read on to see how.

For all the tips that follow, be sure you have solid and reliable backups -- it would be a giant pain to lose your passwords if your hard drive dies.

To begin with, there's an extremely powerful tool that comes with every Mac sold. In the Utilities folder you'll find the Keychain Access application. This app has a built-in Password Assistant for generating strong and unique passwords.

Password Assistant

Launch Keychain Access, and then select File > New Password Item. In the field marked Keychain Item Name, type in the URL (address) for the website.

Next, type in your account name, and then click that little key icon to the right of the password field. The Password Assistant appears (see image below), and you can choose from one of several different types of passwords -- memorable, letters & numbers, numbers only, random, and FIPS-181 compliant -- then use a slider to set the length of the password.

Remember that longer passwords are much more difficult to break -- although, unless you're depending on this password to protect your financial info or medical records, a 10-15 character password is probably fine. Click Add to save the new password on your Mac keychain. To grab the password while logging into a site, launch Keychain Access (it might be helpful to keep it in your Dock) and use the search field to search for the URL you're looking for. Double click the item in the list of sites, and then check Show Password to view your password or copy it to your clipboard. Note that you'll need to enter your admin password to view the site password.

1Password

The popular cross-platform password management application 1Password ($39.95, family pack available for $69.95) also has a way to generate strong passwords. 1Password is handy because it can automatically enter your user name and password into a site's login form with the click of a button, making it a cinch to use long passwords without the need to remember them or copy/paste them; it can also store your password data on Dropbox or MobileMe for instant backup and easy access (while keeping everything secure and safe). If you're already using 1Password, it's easy to search through your login data to see if you're using your Gawker login credentials at any other site, and change those passwords quickly (just search by field 'Password').

When the 1Password plug-in is installed in your browser, you'll see a small "1P" icon. Clicking that icon displays a dropdown menu, with one item being "Strong Password Generator." As with Keychain Access, you'll need to enter a title and the URL of the site, and you can then use the length slider to create incredibly long passwords that can either be pronounceable (easier to read to someone if you need to) or completely random.

I personally use 1Password for most of my internet logins simply because it can create very complex passwords, and then let me log into those sites with a click from Mac, Windows, iPad, or iPhone.

KeyGrinder

Last weekend's 360MacDev was extremely timely, as one of the speakers was Dave Wiskus of Double Encore. One of the free apps from Double Encore is KeyGrinder, a unique web and iOS app (coming soon for Mac) that generates a password by hashing together the website URL and an easily remembered personal password into a unique code. The password you log in with is different for every website, since the site URL is different from place to place.

Regardless of what device you're working on (Mac, Windows PC, iOS device), the same URL and personal password will always create the same password hash, so the same password will be generated on any device. The web app is accessible at http://keygrinder.com.
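To make the derived-password idea concrete, here is an added example (not KeyGrinder's own algorithm, which the post does not specify) that turns a master password plus a site URL into a site-specific password. It assumes PBKDF2-HMAC-SHA256 as the hashing step, a fixed output alphabet, and adds a rotation counter so that one site's password can be changed after a breach without touching the master password; it also normalises the URL to its host so that "http://www.example.com/login" and "https://example.com" yield the same password.

```python
import hashlib
import string
from urllib.parse import urlparse

# Output alphabet for the derived password (chosen for this example; a
# real tool would let the user adjust it to what each site accepts).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def site_key(url: str) -> str:
    """Reduce a URL to a lowercase host without a leading 'www.'.

    Without this step, typing the URL slightly differently on another
    device (scheme, path, capitalisation) would silently derive a
    different password.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, length: int = 16, counter: int = 1) -> str:
    """Deterministically derive a site-specific password.

    PBKDF2-HMAC-SHA256 is run over the master password, salted with the
    normalised host and a rotation counter. Bump the counter to get a
    fresh password for one site only. The 32-byte output is treated as
    one big integer and converted to the alphabet's base, which avoids
    the modulo bias of mapping single bytes onto a 72-symbol alphabet.
    """
    salt = f"{site_key(url)}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs; the master password is a placeholder.
    master = "correct horse battery staple"
    print(derive_password(master, "http://www.gizmodo.com/comments"))
    print(derive_password(master, "https://gizmodo.com"))          # identical to the line above
    print(derive_password(master, "https://gizmodo.com", counter=2))  # rotated after a breach
```

The trade-off this scheme shares with any derived-password tool: if the master password leaks, every site password can be recomputed from it, which is why the hashing step must be slow and the master password strong.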

LastPass

Another free app (available in a paid "premium" version as well) that is similar to 1Password is LastPass. As with 1Password and KeyGrinder, all you need is a master password to get into just about any site. The app is cross-platform; not only does it work with Mac or Windows, but it's usable on Internet Explorer, Safari, Firefox, and even Google Chrome as well as a variety of smartphone operating systems.

Conclusion

The Gawker hack attack has made the need for unique and strong passwords painfully clear to a lot of people. Hopefully, you'll be able to use one of these tools to help keep your passwords secure.


26 Comments

Idan Shoham

It seems that major breaches like this are becoming quite common.
What does that say about the security thinking among people operating
the compromised system, and about the security thinking among end users?

If you operate a major web site, a big security compromise like this can
kill your business. Not investing enough time, money and infrastructure
in security means putting your organization at risk of major harm, because
of bad press, lost end users, lost advertisers, etc. This is a big deal.

If you are a user whose password has been compromised, I guess it depends
on how many other systems you sign into with the same ID/password and
whether you care about compromise of any/every account that uses the
same credentials. At a minimum, once you learn about a compromise like
this, you should change your "standard, used for systems I don't care
much about" password everywhere.

In either case, you can learn about effective password management
practices: for organizations (http://bit.ly/dPhpkx) and for end users (http://bit.ly/fewec9)

- Idan Shoham, CTO, Hitachi ID Systems

December 16 2010 at 6:06 PM
tobylane

AFAIK password hashes are encrypted passwords. Either way, it's one way. The only reason passwords are known are because they hashed some obvious guesses like password and qwerty, and scanned the database. Nothing at all relevant to Gawker or DES per se.

At least on Gawker people know how to change their password... and as far as I've seen, I have to depend on email to know about replies. And I have to login somewhere, I can't use, say, facebook connect. Seems a bit pot calling the once-leaked kettle black.

December 15 2010 at 7:14 PM
nikster

I think all sites that care for their users should download the stolen list of passwords, find all of their own users with the same emails, and reset their passwords.

That's pretty much what LinkedIn did, and it was a very good idea. I would have forgotten about LinkedIn as I don't use it all that often - at the same time, it would have been bad had my LinkedIn account been hijacked.

I used the same password as on Gawker for many websites - it's my dumb, simple "unimportant stuff" password. For my email, bank accounts, etc I have different much more complicated passwords.

December 15 2010 at 2:39 AM
Nate

Password Tote provides a simple service for storing your passwords and accessing them from several platforms:

https://www.passwordtote.com

December 14 2010 at 6:29 PM
Maria

Seriously -- how DO you change your password here?

December 14 2010 at 5:27 PM
2 replies to Maria's comment
fizzy

+1

December 14 2010 at 6:25 PM
Victor Agreda, Jr.

http://www.tuaw.com/2010/04/10/manage-your-tuaw-commenter-profile/

December 14 2010 at 9:54 PM
Jesse Vargas

Perhaps the people that used "password" or "123456" for their password were in fact the smart ones. To use a generic lame password for sites that require a login and pass to leave a comment maybe is the smartest idea; that way, if such sites have breaches, you don't have to scramble around to change passwords on things that need a password, like email etc. Many people have several email addresses and logins on countless websites, so having a different and secure pw for each of those is really fantasy land of techies, with most day to day casual users choosing to pick something they can remember.

December 14 2010 at 3:03 PM
homan2

How do we change our TUAW passwords?

December 14 2010 at 2:21 PM
1 reply to homan2's comment
FortNinety

My thoughts exactly...

December 14 2010 at 8:58 PM
Randy

I'd like for Gawker to give me the ability to delete my account. I also ask the same of the Blogsmith sites as well. (That means *you* TUAW.)

December 14 2010 at 1:46 PM
1 reply to Randy's comment
Victor Agreda, Jr.

Actually TUAW doesn't run Blogsmith. Blogsmith powers dozens of sites at AOL and we have little, if any, input as to their operation. Your point is noted, however, and I agree that our platform should allow you to delete your account.

December 14 2010 at 9:52 PM
AppleZilla

My three rules for Internet Password Security:

Rule 1) 15+ character random letter/number passwords.

Rule 2) Live by 1Password (can generate Rule 1).

Rule 3) Avoid all things Gawker.

December 14 2010 at 1:33 PM
Jeff

Gawker doesn't allow users to delete their account. It is a shame because I will be harassing them until they delete mine.

December 14 2010 at 1:17 PM
© 2012 AOL Inc. All Rights Reserved.