The Mac Security Blog

Security & Privacy

Passwords In the News – Are Yours Secure?

Posted on by

There has been a fair amount of news about the recent hack of Gawker’s servers, in which hackers obtained e-mail addresses and passwords for some 200,000 users of the company’s web sites. These sites include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot, and the e-mail addresses and passwords are for those users who registered on the sites to post comments.

Think about the last time you went to a web site and registered either to get access to the site or to post comments. What kind of password did you use? Something simple, easy to remember, like 12345678? Or your dog’s name, your kid’s birthday, or your spouse’s name? Or did you use a solid, serious password, such as h389)wn-te? (You can see the most commonly used passwords from the Gawker data here.)

And, that password you used… was it the same one you use for other sites, such as Facebook, Amazon, eBay, PayPal and most of the other sites you visit? If so, you should rethink your password strategy.

Since hackers have obtained this user information, and since many people use the same passwords on many, if not all sites they visit, these hackers are likely to break into accounts on all sorts of sites. (Actually, this has already started, with the hackers using the credentials to send spam on Twitter.) But it can go much further, if they start trying out the credentials on web sites where money is involved. Any site where users enter credit card information is a juicy target.

So how can you deal with this in the future? First, consider that you need two types of passwords: very secure passwords for all sites where you may lose money, or your reputation (your bank, Amazon, PayPal, Facebook, Twitter, etc.), and less secure passwords for web sites if you want to post comments, or for forums.

We won’t go into detail about how to choose good passwords here; if you want to look into the topic, an ebook, Take Control of Passwords in Mac OS X, by Joe Kissell, can help you out. But we will give one valuable tip.

If you use Safari, your passwords get stored in your Mac OS X Keychain. You can have the browser remember them by checking “User names and passwords” in the AutFill web forms section of Safari’s AutoFill preferences. (Firefox has a similar option, but one that isn’t linked to the keychain.) To create really secure passwords, open the Keychain Access application (in /Applications/Utilities), choose File > New Password Item, then click the key button. You’ll see the Apple Password Assistant:


You can either enter your own password and see how strong it is, or have the assistant choose one that is essentially unbreakable. (If you choose, say, 12 characters, Letters & Numbers, no one will be able to crack it in your lifetime.) Enter that password for your web site, and make sure that you have Safari remember it in the keychain. In the future, you’ll be able to log in automatically using your keychain, and you won’t have to remember the complex password.

There’s a lot to know about how to best use and manage passwords, but the simplest thing to remember is that passwords for sites where you would be at risk if your access were compromised must be complex. They don’t have to be too complex, but enough that they’re not in a dictionary, or easy to figure out. And you should never use the same password for multiple sites, unless those sites are unimportant (such as sites for entering comments or posting in forums).

Comments are closed.