Learning From Gawker's Failure
Gunkerty Jeb writes "The Gawker hack has completely disenfranchised their users, not to mention the breach in trust that may well be impossible to regain. Users are demanding that they be allowed to delete their accounts immediately, and beyond implementing such a mechanism, it is likely that Gawker systems will have to be rebuilt from the ground up to avoid future hacks. So, what is to be learned from this perfect storm of bluster and bravado?"
Re:Description of hack? (Score:5, Interesting)
Why did they even need passwords? (Score:4, Interesting)
Re:Passwords are a failure (Score:4, Interesting)
If they're not required for logging in I always fill the security question answers with a long string of random characters, effectively making them unusable for password recovery.
Re:I know what I learned (Score:4, Interesting)
I have several passwords I use. Sites that require accounts for participation get one that I don't care if it gets out in the wild. No big loss. People posting as me is mildly amusing.
I have another password for systems I'm in charge of, that function like those I participate in in the first example. It would suck if that got out. Those systems are few, and you'd have to personally know me to know what they were.
I have secure passwords for each of the highly sensitive accounts (banks and such) that are not shared between accounts. IF one of those gets out, I'm screwed for that one institution, but nowhere else.
Re:Gawker? Schadenfreude Central Hoist on own Petard (Score:5, Interesting)
Yea, well it happened to the "customers" of those jerks, too.
I had a registered account on Gizmodo, mostly to write posts telling an author how full of shit they were, or to correct silicon/silicone errors, etc., but that's immaterial.
What is material is that I've been getting emails from hosts of hosts upon which I've used that same email address to register, telling me I need to change my password, even though my password is not the same from site to site.
Worse, in a fit of idiocy, battle.net decided that, since my battle.net account is identified with an email address that they found on the leaked Gawker database, that they'd go ahead and reset my password. Yes, unsolicited. Despite the facts that a) my password does not hash to the string associated with the address in the database, b) I have an authenticator attached to the account, and c) it's not their fucking business to reset my password without asking first.
So what happened next? After getting the email from battle.net, I went to their account management page, and entered a new password -- and am then unable to login using those credentials. They broke my access for 36 hours. For no valid reason.
If I had actually held a desire to play during that time, I'd have been royally pissed. As it is, I'm just royally irritated at their stupidity, and at the subsequent neutronium density of their CS group to be completely unable to parse my simple request: "your password reset broke my login, please fix it," and instead treated me as if I had reported my account hacked. So now my WoW account is locked down while they review whatever they think they need to review.
Mass idiocy all around, yes, but precipitated by the arrogant idiocy of Gawker.
And of course, just for safety, I've had to go and change accounts everywhere to be registered with a new email address - or where not possible, rotate passwords... which I usually do, but not all at fucking once. I spent three hours last night going over my list of accounts and passwords and updating everything, including my home network, which caused things to break for other family members who are now calling me with "I can't use the web; I can't get to pokemon.com; why isn't Miro working?" etc.
So, long screed made short: The pain, there's more than enough to go around, even for the undeserving.
Or, in the now immortal, um... expression, of an anonymous /b/tard: Fuuuuuuuuuuuuuu...!!
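The complaint in the comment above is that Battle.net forced a reset on every account whose e-mail address appeared in the dump, without checking whether the leaked credential actually matched. Since a site only ever sees a user's plaintext password at login time, that is the moment it can compute the breached site's hash and compare it to the leaked one, and force a reset only on a real match. The example below is added here and is not code from Gawker, Battle.net or any commenter; the leak format (e-mail, salt, SHA-256 of salt plus password), the user records and the `action_after_login` decision table are all constructed assumptions.

```python
"""Breach response done at login time: force a reset only when the user's
current password hashes to the leaked digest, not merely because the
e-mail address overlaps with the dump.

Added illustration; leak format and user records are constructed.
"""
import hashlib
import hmac
import secrets


# --- constructed breach data: assume the breached site stored sha256(salt || password)
def breached_site_hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# e-mail -> (salt, hex digest), as it would be parsed from the dump (constructed)
LEAK = {
    "alice@example.com": (b"s1", breached_site_hash(b"s1", "hunter2")),
    "bob@example.com": (b"s2", breached_site_hash(b"s2", "correct horse")),
}


# --- our own credential store: PBKDF2-HMAC-SHA256 with a per-user random salt
PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# constructed users: Alice reused the leaked password, Bob only shares the e-mail
USERS = {
    "alice@example.com": make_record("hunter2"),
    "bob@example.com": make_record("unrelated-pw-42"),
    "carol@example.com": make_record("not-in-the-dump"),
}


def local_login_ok(email: str, password: str) -> bool:
    """Verify the password against our own store (constant-time compare)."""
    rec = USERS.get(email)
    if rec is None:
        return False
    salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def matches_leak(email: str, password: str) -> bool:
    """Re-hash the plaintext under the breached site's scheme and salt and
    compare with the leaked digest; True means the same secret is in the dump."""
    entry = LEAK.get(email)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(breached_site_hash(salt, password), digest)


def action_after_login(email: str, password: str) -> str:
    """Decide what to do once we hold the plaintext at login."""
    if not local_login_ok(email, password):
        return "deny"
    if matches_leak(email, password):
        return "force_reset"  # password is demonstrably compromised
    if email in LEAK:
        return "advise"  # e-mail overlap only: warn, do not lock the user out
    return "none"


if __name__ == "__main__":
    for who, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "unrelated-pw-42")]:
        print(who, "->", action_after_login(who, pw))
```

The check needs the breached site's hashing scheme and salt for each entry, which is exactly what a dump of hashes provides; where a site only has a list of e-mail addresses it cannot make this distinction and should fall back to notification rather than unsolicited resets.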