News came today that anyone who had commented or contributed to a Gawker Media site had their passwords compromised by hackers. Kai Ryssdal talks with Kevin Purdy, a contributing editor from Lifehacker (a Gawker site), about how to best protect yourself online.
TEXT OF INTERVIEW
Kai Ryssdal: Those of you who follow any of the websites run by Gawker Media may have some password-repairing to do. Hackers broke into Gawker’s files over the weekend, liberating the passwords from commenters on any of its sites. That’ll be Gawker itself, Jezebel, Lifehacker, and a couple of others.
We figured that made this as good a time as any to look at password security and what we can do to stay safe out there. Kevin Purdy is a contributing editor to Lifehacker. Kevin, good to talk to you.
Kevin Purdy: Hi, thank you.
Ryssdal: There’s a bit of irony we have to get out of the way here right at the top: Lifehacker is a Gawker Media company, so anybody who’s left a comment on or contributed to Lifehacker has some password problems today, don’t they?
Purdy: Across all the Gawker Media websites, yes. There’s been a little bit of a password problem. Basically a hacker group has obtained access to one of our main password databases and if you left comments at one of our blogs, then you should assume your password has been compromised.
Ryssdal: That gets to the reason we called, because can I tell you how many different passwords we’re all juggling here? And how much lost productivity there is out there in the workforce with people forgetting passwords and having to get their IT people and send that email and all that stuff? I mean, what are we supposed to do?
Purdy: Absolutely. If you are using sites like Gmail, Facebook, Twitter and especially your banking and anywhere else where you have substantive information, don’t use the same password. And create a unique password for each site that does not contain common English phrases and uses letters, numbers and special characters.
Ryssdal: So give me the Lifehacker example, since this is your stock in trade?
Purdy: O.K. Come up with a phrase, maybe, and create an acronym from that. Do what you can to replace the i’s with ones or the a’s with an @ symbol. And use that as your core password. And then to customize across sites, let’s say you use Facebook, do something clever like, say, take the last three letters of the site — “ook” — and reverse them, so it becomes that acronym and then “koo” as your password.
Ryssdal: Is there a way to test or validate the strength of your password?
Purdy: Yes. There are tools like LastPass and 1Password. You can find them both online; they’re both available for Windows, Mac, almost any browser you use. Those store your passwords, encrypt them, and also can show you the strength of those passwords.
Ryssdal: All right, Kevin, hold on a minute: because if Gawker has problems keeping just one of my passwords safe, how much sense does it make for me to hand over all my passwords to this third-party site?
Purdy: Sure, absolutely. Tools like LastPass and 1Password encrypt the passwords that you give them such that they can’t even see them. But there’s no such thing as ultimate universal security. The NSA gets hacked, the Department of Defense gets hacked.
Ryssdal: When things go wrong with your passwords, though, inevitably you wind up — unbeknownst to you — spamming the entire universe with some horrible thing. Is there no way to avoid that electronic walk of shame?
Purdy: Not really. It actually happened to a friend of mine, and they were sending out pitches to everybody, all their friends, former co-workers, people they once bought something from on Craigslist, saying, ‘Hey, do you want to buy this kind of electronics from this site in Taiwan?’ It took 10 minutes to recover the password, but it took three days to stop getting the reply emails.
Ryssdal: Kevin Purdy, he’s a contributing editor at one of those Gawker sites that got into trouble, Lifehacker. Kevin, thanks a lot. Good to talk to you.
Purdy: Thank you for having me.