Gawker Media site hack


12/14/2010 10:17:40 PM
Proud member of the mojoPortal team



Hey everyone, it's been making the rounds in the tech media, so I wanted to bring up the Gawker Media site hack that happened over the weekend. Through this breach, hackers got hold of approximately one million usernames and passwords of registered users (and staff members) of the sites Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. The passwords were encrypted, but the data breach is now enabling brute-force decryption of at least the most embarrassingly weak stored passwords.

Of course, Gawker Media is not using mojoPortal, but we can still all learn from their failure to follow best security practices. When running a public web site, you should always keep in mind that no matter how strong your security measures, your database information might be compromised one day. If not by external hackers, then by malicious insiders. If that happens as it has with Gawker, all that will stand between the attackers and your sensitive data is how it is stored.

As you should already be aware, mojoPortal supports three levels of password security in the database:

  • Plain text - This is plain bad news. Please don't use it.
  • Encrypted - Better, but can still be compromised if someone gets hold of the proper encryption key (hence the importance of changing your Machine Key), and even without the key, the passwords can be decrypted using brute-force dictionary and targeted attacks.
  • Hashed - Best security. A one-way hash, as its name implies, cannot be reversed. There is no way to reconstruct passwords, even with full database access.

In addition to strong password storage, you can apply extra levels of security. SSL encryption is very important for all sensitive traffic. mojoPortal's site settings include a password strength regular expression you can use to ensure that users choose harder-to-guess passwords, and if you don't want to go that far, even something as simple as enabling a password strength meter can be surprisingly effective in encouraging users to pick better passwords.

And if you ever hear anyone complaining that it's too hard to remember all those complex passwords, steer them toward the KeePass password vault.

Stay safe!

Jamie
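The three storage levels listed in the post above, side by side, as an added example that is not part of the original post and is not mojoPortal's own code. Everything in it is constructed: the sample accounts, the cracking wordlist, the toy HMAC-based stream cipher that stands in for whatever cipher a real application uses, and the example password-strength regular expression. Beyond the post's three levels it also shows the check a practitioner wants: a hash stops the leaked-key problem, but an unsalted fast hash still falls to a dictionary lookup table, while a per-user salt and an iterated KDF (PBKDF2 here) force the attacker to pay for every guess against every user.

```python
"""Password storage levels: plain text, reversible encryption, hashing.
Added example; not mojoPortal code. All data below is constructed."""
import hashlib
import hmac
import os
import re

# Constructed sample accounts (not real breach data); weak passwords on purpose.
USERS = {
    "alice": "Tr0ub4dor&3x!",
    "bob": "123456",
    "carol": "lifehacker",
}

# Constructed cracking dictionary standing in for a real wordlist.
WORDLIST = ["password", "123456", "qwerty", "lifehacker", "letmein", "gawker"]


# --- Level 1: plain text ------------------------------------------------------
def store_plaintext(password: str) -> str:
    """The stored value is the password itself; a table dump is game over."""
    return password


# --- Level 2: reversible encryption ------------------------------------------
# Toy stream cipher (HMAC-SHA256 keystream XORed with the plaintext). It stands
# in for a real cipher only to show the structural weakness: whoever holds the
# key (for example a leaked machine key) decrypts every row. Do not reuse it.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_encrypted(password: str, key: bytes) -> str:
    nonce = os.urandom(12)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce.hex() + "$" + ct.hex()


def decrypt(stored: str, key: bytes) -> str:
    nonce_hex, ct_hex = stored.split("$")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


# --- Level 3a: unsalted fast hash --------------------------------------------
def store_unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """One hash per dictionary word cracks every user at once (a lookup table)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# --- Level 3b: salted, iterated hash -----------------------------------------
def store_salted_pbkdf2(password: str, iterations: int = 100_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Weak passwords still fall, but each (user, word) pair costs a full KDF run;
    the salt defeats the shared lookup table. Returns (cracked, hashes computed)."""
    cracked, work = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            work += 1
            if verify_pbkdf2(word, record):
                cracked[user] = word
                break
    return cracked, work


# --- Password strength regular expression -----------------------------------
# Illustrative policy (assumption, not mojoPortal's default): 10+ characters
# with at least one lower-case letter, upper-case letter, digit and symbol.
PASSWORD_REGEX = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{10,}$")


def meets_policy(password: str) -> bool:
    return PASSWORD_REGEX.match(password) is not None


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the machine key
    enc = {u: store_encrypted(p, key) for u, p in USERS.items()}
    print("encrypted, attacker has the key:", {u: decrypt(c, key) for u, c in enc.items()})
    sha1 = {u: store_unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted sha1 vs wordlist:", crack_unsalted(sha1, WORDLIST))
    pbk = {u: store_salted_pbkdf2(p, iterations=1_000) for u, p in USERS.items()}
    print("salted pbkdf2 vs wordlist (cracked, work):", crack_pbkdf2(pbk, WORDLIST))
    print("meets policy:", {u: meets_policy(p) for u, p in USERS.items()})
```

Running it shows the point of each level: with the key, every encrypted password comes back instantly; the unsalted SHA-1 table gives up bob and carol after six hash computations total; the salted PBKDF2 table gives up the same two weak passwords, but only after a separate KDF run per guess per user, and alice's password is not found in the wordlist at all. The strength regex is what keeps the third case from happening in the first place.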

12/15/2010 1:27:11 AM
mojoPortal Community Expert

Re: Gawker Media site hack

Thanks

Well said Jamie!

I've been using KeePass for a few years now and because of that all my passwords are unique and more complex.

Rick
