
Showing posts from December, 2010

Protection and Response to User Account Leaks

Today it is being widely reported that Gawker Media has had its entire database of user accounts and passwords (DES-encrypted) leaked to the public. Although this event may have been limited to those with user accounts on Gawker properties, imagine this happening on a major service like Google, Hotmail, or your bank.

The two most significant impacts to most people are:

1) Gaining access to the exposed Gawker services. Once the password data is brute-forced, it is possible for someone to log in to the service directly as you.

2) Reuse of passwords on other services. Because humans are creatures of habit, we tend to reuse usernames and passwords across services, so if someone can find your email address and password, they can attempt to log in to other services as you as well.

This provides an opportunity to reflect on methods of preventing and responding to these types of events.

Response - Although it appears to be a good idea to change the password on the affected s…