So I've talked about it a few times in The Daily Trae, but I haven't really touched on what a major pain in the ass the Gawker hack has been in my life in a blog entry.
So this is me talking about it.
For those who don't know, the Gawker Blog Network (which includes Gizmodo, Gawker, Lifehacker, io9 and quite a few other blogs) had their user accounts get hacked this last weekend. My account (which I had created back when The Consumerist was a Gawker blog - which it isn't anymore) was one of those not only to have its email address revealed but to also have my password decrypted.
So the world can now search for my email address, and find my old Gawker password.
The problem here is that many people (including myself) use the same password on multiple sites. The password I used on Gawker was an old one - but it was my throw away password. It was the password I used on sites I didn't care about for the most part, and that means... well... I used it all over the internet.
So I've spent the last three days digging up more and more sites that use that ancient password. It's one I came up with FIFTEEN YEARS AGO (hence it being insecure) so it's all over the f**king web. Honestly, I've gotten anything private or connected to a credit card changed (okay, just my Papa Johns account), but this is still a problem. There are sites I probably registered for ten years ago and haven't returned to where that ancient password is still on file... geh...
This is why I think we need to propose a new policy for websites. If a user hasn't logged into a site in, say, a year and a half, the account should lock and require the user to reset their password via email. Most sites have the reset mechanism already, and it would just take a scheduled task to lock unused accounts. That way, if that site gets hacked, hackers won't find a password for inactive users. Also, if another site gets hacked and my password gets stolen again, I only have to reset CURRENT accounts I have.
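Here's roughly what that scheduled task could look like. This is an added example, not code from the original post or from TRHOnline.com; the `Account` fields, the PBKDF2 hashing, the 548-day cutoff and the `demo()` scenario are all assumptions. One detail worth getting right: locking the login alone still leaves the old password hash sitting in the database for whoever steals a copy of it, so the job also throws the hash away, and a new one is only written when the owner completes the email reset.

```python
"""Stale-account lockout: idle accounts are locked, their stored password
hash is discarded, and the owner must reset by email before logging in again.
Hypothetical code written for this post, not TRHOnline.com's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import hmac
import os
import secrets

MAX_INACTIVE = timedelta(days=548)  # roughly a year and a half (assumed cutoff)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: Optional[bytes]      # None once the account has been locked
    last_login: datetime
    locked: bool = False
    reset_token: Optional[str] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table is expensive to crack (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(email: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, hash_password(password, salt), now)


def lock_stale_accounts(accounts: List[Account], now: datetime,
                        max_inactive: timedelta = MAX_INACTIVE) -> List[str]:
    """The scheduled job: lock every account idle longer than max_inactive
    and drop its password hash. Returns the emails that were locked."""
    locked = []
    for acct in accounts:
        if not acct.locked and now - acct.last_login > max_inactive:
            acct.locked = True
            acct.pw_hash = None      # nothing left to crack if the table leaks
            locked.append(acct.email)
    return locked


def login(acct: Account, password: str, now: datetime) -> bool:
    if acct.locked or acct.pw_hash is None:
        return False                 # locked users must go through the reset
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.last_login = now
        return True
    return False


def request_reset(acct: Account) -> str:
    # The token would be sent to acct.email; a real site would store only its hash.
    acct.reset_token = secrets.token_urlsafe(32)
    return acct.reset_token


def complete_reset(acct: Account, token: str, new_password: str, now: datetime) -> bool:
    if acct.reset_token is None or not hmac.compare_digest(acct.reset_token, token):
        return False
    acct.salt = os.urandom(16)       # fresh salt, fresh hash, account reopened
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.locked = False
    acct.reset_token = None
    acct.last_login = now
    return True


def demo() -> dict:
    """Constructed scenario: one active account, one idle for 900 days."""
    now = datetime(2010, 12, 15)
    fresh = create_account("active@example.com", "hunter2", now - timedelta(days=30))
    stale = create_account("old@example.com", "hunter2", now - timedelta(days=900))
    results = {"locked": lock_stale_accounts([fresh, stale], now)}
    results["stale_hash_gone"] = stale.pw_hash is None
    results["fresh_login"] = login(fresh, "hunter2", now)
    results["fresh_wrong_pw"] = login(fresh, "wrong", now)
    results["stale_login_blocked"] = login(stale, "hunter2", now)
    token = request_reset(stale)
    results["bad_token"] = complete_reset(stale, "not-the-token", "newpass", now)
    results["reset_ok"] = complete_reset(stale, token, "newpass", now)
    results["new_pw_works"] = login(stale, "newpass", now)
    results["old_pw_dead"] = login(stale, "hunter2", now)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a cron job against the real user table and the only thing an attacker gets for an inactive user is an email address and a "locked" flag, which is exactly the outcome the policy is after.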
Why isn't this policy in place already?
I think I'm going to start this process on TRHOnline.com as a leading example of what websites should do. I know it's just a drop in an ocean, but hey... lead by example and all that.