Hey everyone, it's been making the rounds in the tech media, so I wanted to bring up the Gawker Media site hack that happened over the weekend. Through this breach, hackers got hold of approximately one million usernames and passwords of registered users (and staff members) of the sites Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. The passwords were encrypted, but the data breach is now enabling brute-force decryption of at least the most embarrassingly weak stored passwords.
Of course, Gawker Media is not using mojoPortal, but we can still all learn from their failure to follow best security practices. When running a public web site, you should always keep in mind that no matter how strong your security measures, your database information might be compromised one day. If not by external hackers, then by malicious insiders. If that happens as it has with Gawker, all that will stand between the attackers and your sensitive data is how it is stored.
As you should already be aware, mojoPortal supports three levels of password security in the database:
Plain text - This is plain bad news. Please don't use it.
Encrypted - Better, but can still be compromised if someone gets hold of the proper encryption key (hence the importance of changing your Machine Key), and even without the key, the passwords can be decrypted using brute-force dictionary and targeted attacks.
Hashed - Best security. A one-way hash, as it's name implies, cannot be reversed. There is no way to reconstruct passwords, even with full database access.
In addition to strong password storage, you can apply extra levels of security. SSL encryption is very important for all sensitive traffic. mojoPortal's site settings includes a password strength regular expression you can use to ensure that users choose harder-to-guess passwords, and if you don't want to go that far, even something as simple as enabling a password strength meter can be surprisingly effective in encouraging users to pick better passwords.
And if you ever hear anyone complaining that it's too hard to remember all those complex passwords, steer them toward the KeePass password vault.