This is Przemysław Kamiński's Typepad Profile.
Recent Activity
While I agree that passwords are not the best idea (I'd rather use OpenID authentication, but only due to my laziness), I wouldn't agree that OpenID is the best (or even a better) solution. Let's think about the current situation: we can safely assume that the culprits didn't download the magic /etc/password file but got hold of a smaller or bigger portion of Gawker's shared database. Right now they have access to (as Gawker says) 1.2 million records consisting of: username, e-mail, password (probably somewhat encrypted/hashed). You now have this kind of DB, what now? First you need to link this data to the proper identity. Most data-sensitive companies I know (and whose services I use) have numerical logins, which are never sent to the user over the internet, but usually through traditional mail. You can't link that, unless you try "password" for every client number you can imagine; good luck with that. The same goes for pretty much everything else, as long as someone set a different password for e-mail and a different password for the site he is/was using. That way the proper identity can't be linked and the hack is gone (maybe someone is going to post bulls**t on a site you forgot you even registered on sometime in the future, but who cares). On the other hand, if someone gets access to the whole tree (he doesn't even need username/password, just linked data), then you have a real problem.

I showed a friend of mine how his bank compromised him by asking him every identity confirmation question over the phone so he could log in to the phone service. I called the bank back, introduced myself as him, gave the responses I remembered hearing and changed the password. And I am just an average developer, nowhere close to an expert identity thief. The point is that having 1.2 million such records means you don't care about blank connections where e-mail passwords are empty. You care only about those you can follow, and researching identities is a painful and expensive process.

The chances that you'll be the target of such identity mining are similar to someone picking on exactly you (which is unlikely unless someone is a really hardcore troll offending everyone, or some kind of celebrity). Gawker made a smart move by exposing its problem. But as written in the article, the chances that your account will be compromised rise with every site you've registered on. As do the chances that you'll never know this happened...
Commented Dec 15, 2010 on The Dirty Truth About Web Passwords at Coding Horror