Gawker Passwords, etc.

I have work deadlines, so I haven’t been able to write a well-constructed post about this; however, a few things:

  • To check whether you had a Gawker account (there are about 1.25M of them, so you may have one even if you don’t remember creating it), I recommend http://gawkercheck.com/. Note: even if your password wasn’t unhashed in the dump, consider it compromised. These passwords were hashed with DES crypt, which is not adequate to stop attackers: traditional crypt(3) only looks at the first eight characters of the password and is cheap to compute, so the remaining keyspace is small enough to brute-force. For more info on DES (and probably the best post-mortem so far), see this Forbes blog post.
  • This is as good a time as any to start managing your passwords properly. A lot of people (including me) use 1Password; it’s currently available as part of the MacUpdate December 2010 Software Bundle. LastPass also looks like a good solution and is free ($12/yr for mobile support). PwdHash and KeePass are also options.
  • According to the FAQ, Gawker claims it will be sending emails eventually (and some people are doing so as well now). What I did last night, and maybe a good thing to do for your friends if you are an uber-geek, is to go through your friends list, grep through the torrent database, and let them know personally if their account has been compromised, especially if the password has been unhashed.
  • Oh, lastly, if you’re a geek with your hash and want to check whether it’s a reused password or not, you can pretty easily fire up a Python shell and see if it matches:
    import crypt
    password = 'your_password'
    stored_hash = 'your_hash'          # the 13-character DES crypt string from the dump
    salt = stored_hash[0:2]            # traditional crypt(3): the first two characters are the salt
    crypt.crypt(password, salt) == stored_hash   # True if the password matches (only the first 8 chars count)
    

    If you’re not sure though, audit your passwords anyway when you have a spare hour or two. You’ll feel better, trust me.
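Added example, not code from the original post: a stand-alone Python script that does the two manual steps above offline, looking up a list of friends' addresses in a leaked dump and testing a candidate password against a traditional DES crypt(3) hash. The dump format, the sample records, the contact list and the `…PLACEHOLDER` hash strings are all constructed for illustration and do not reproduce the real dump's layout. It also shows the weakness the post mentions: crypt(3) uses only the first eight characters of the password, so `password1` and `password123` hash identically. The script assumes the stdlib `crypt` module (deprecated in Python 3.11, removed in 3.13) and a libc with DES hashes enabled; when either is missing it skips the password check rather than failing.

```python
"""
Added example (not from the original post): check friends' emails against a
leaked dump and test a candidate password against a DES crypt(3) hash.

The dump format here is CONSTRUCTED for illustration only:
    username:email:hash[:cracked_password]
It is not the real Gawker layout, and the hash values are placeholders.
"""
import warnings

# The stdlib crypt module exists through Python 3.12 (deprecated since 3.11)
# and was removed in 3.13; DES may also be disabled in the system libcrypt.
try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt
except ImportError:
    crypt = None


def des_crypt(password, salt):
    """Return the 13-character DES crypt hash, or None if DES is unavailable."""
    if crypt is None:
        return None
    try:
        result = crypt.crypt(password, salt[:2])   # 2-char salt selects DES
    except OSError:                                # libc built without DES
        return None
    # libxcrypt may hand back a failure token such as "*0" instead of raising.
    if not result or len(result) != 13 or result.startswith("*"):
        return None
    return result


DES_CRYPT_AVAILABLE = des_crypt("probe", "ab") is not None


def password_matches(password, stored_hash):
    """True if password hashes to stored_hash under the hash's own salt."""
    return des_crypt(password, stored_hash[:2]) == stored_hash


def parse_dump(text):
    """Parse the constructed dump format into a dict keyed by lowercase email."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue
        user, email, stored = parts[0], parts[1].lower(), parts[2]
        cracked = parts[3] if len(parts) > 3 and parts[3] else None
        records[email] = {"user": user, "hash": stored, "cracked": cracked}
    return records


def find_exposed(contacts, records):
    """Map each contact email that appears in the dump to a short status."""
    exposed = {}
    for email in contacts:
        rec = records.get(email.lower())
        if rec is None:
            continue
        if rec["cracked"]:
            exposed[email] = "password recovered in the dump; change it everywhere"
        else:
            exposed[email] = "hash in the dump; assume it will be cracked"
    return exposed


# Constructed sample data; "abPLACEHOLDER" etc. are 13-char stand-ins, not real hashes.
SAMPLE_DUMP = """\
# constructed sample, not real leaked data
alice:alice@example.com:abPLACEHOLDER:hunter2
bob:Bob@example.org:xyPLACEHOLDER:
carol:carol@example.net:zzPLACEHOLDER
"""
FRIENDS = ["bob@example.org", "alice@example.com", "dave@example.com"]

if __name__ == "__main__":
    for email, status in sorted(find_exposed(FRIENDS, parse_dump(SAMPLE_DUMP)).items()):
        print(email, "->", status)
    if DES_CRYPT_AVAILABLE:
        h = des_crypt("password123", "ab")
        # crypt(3) ignores everything past the 8th character, so these collide.
        print("password1 matches:", password_matches("password1", h))
        print("passwor matches:", password_matches("passwor", h))
    else:
        print("DES crypt not available on this interpreter/libc; hash check skipped")
```

Run it as a plain script; swap `SAMPLE_DUMP` for the real file's contents and `FRIENDS` for your address book once you have adapted `parse_dump` to the actual column layout. The truncation check is the practical takeaway: any password that shares its first eight characters with the leaked one is just as compromised.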