Keeping Your Password Safe From Incompetent Websites
This week, user accounts for every website in the gawker network were compromised, and passwords were stolen. Passwords were evidently readable in cleartext[1], and have since been used to hack into accounts on other services where the same password was reused.
Folks, this is why you should never use the same password for websites like gawker and for your bank account (or your email account, or anything else you actually care about). I use supergenpass for exactly this purpose: it gives you a unique password for every domain, and you still only have to remember one master password. And it’s not one of those lame password databases that require you to carry them around with you; you can use supergenpass on a public computer with no preparation.
If you’re extra paranoid (I am), you should use the python implementation - it’s open source, and written by my friend Matt (with some additional platform integration by myself): supergenpass-python. That way, your master password never even touches a browser.
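To make the per-domain idea concrete, here is a small added example of my own (an illustration, not SuperGenPass's actual algorithm and not code from supergenpass-python). It assumes a master password, normalises the site's hostname to its registered domain, and derives a distinct password per domain with PBKDF2, so a leak at one site neither reveals the master password nor the password used anywhere else.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Hypothetical per-domain derivation scheme; illustrates the idea only and
# is not the scheme SuperGenPass itself uses.


def site_key(url_or_host: str) -> str:
    """Normalise a URL or hostname to its registered domain, so that
    www.gawker.com, gawker.com and http://gawker.com/login all yield the
    same key (and therefore the same derived password).

    Simplification: keeps the last two labels only, so country-code
    second-level domains such as example.co.uk are not handled correctly.
    """
    url = url_or_host if "://" in url_or_host else "//" + url_or_host
    hostname = urlsplit(url).hostname or ""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def derive_password(master: str, url_or_host: str,
                    length: int = 16, rounds: int = 100_000) -> str:
    """Derive a per-site password from the master password.

    The registered domain acts as the salt, so every domain gets a
    different password; PBKDF2 with many rounds makes recovering the
    master from one leaked derived password expensive. Output uses the
    URL-safe base64 alphabet (letters, digits, '-' and '_').
    """
    salt = site_key(url_or_host).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, rounds)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed sample inputs: the same master yields different
    # passwords for the gossip site and the bank.
    master = "correct horse battery staple"
    for site in ("http://www.gawker.com/login", "https://mybank.example/"):
        print(site_key(site), derive_password(master, site))
```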
Update: According to Joseph Bonneau, the passwords were indeed salted and hashed, so they were not in cleartext after all. But it was done with a poor implementation of DES, an encryption scheme that has been considered insecure for many uses for over a decade. This just further strengthens the point that even if a website is trying to do the right thing, a number of factors can very easily ruin those good intentions.
[1] If you run any login service, do not store any passwords in cleartext. I have no idea why anyone would do this, and yet here we are. You don’t know how the websites you use store their passwords, so it’s always better to assume they are incompetent. Plus, cleartext passwords are not the only danger (a hacker with enough access could certainly modify the server to log passwords as each login request comes in).