Your password practices suck

Over the weekend, servers belonging to Gawker Media were compromised, and the usernames, email addresses and passwords for commenters on a number of popular sites (Lifehacker, Gizmodo, io9 etc) were posted publicly. Although the passwords were encrypted, brute-forcing simple passwords once you have access to the password database is often a fairly simple task. As proof of this, spammers have already launched an Acai Berry spam run on Twitter by simply using usernames and passwords stolen from the Gawker databases to log in on Twitter. In a large number of cases, they seem to have succeeded. We can also expect spammers and phishers to start targeting the compromised email addresses shortly: I've already had email from one Web 2.0 startup "helpfully" letting me know about the Gawker fiasco; it's a judgment call whether that's good neighborliness or borderline spam.

So now seems a good time to say that your password practices suck. Whatever you're doing with passwords sucks, whether you're an end user or a website designer. And I can tell you this because mine suck too.

I know that mine suck because reviewing my own passwords in the wake of the Gawker snafu revealed that I'd been using a small number of username/password combinations across a wide range of sites. In fact, it's only because the Gawker hack occurred yesterday rather than a few months ago that my Twitter account isn't currently blasting my friends with Acai Berry spam. Yes, until quite recently I used to use the same crappy password for my Twitter account that I used for a bunch of other accounts. Mea culpa, mea maxima culpa.

But don't start getting too smug. Your password practices suck too. I know this because I've been investigating the Hotmail hijacks (which are also Gmail hijacks), and asking questions of the victims. Lots of otherwise security-conscious people have admitted to using trivially weak passwords, or to using the same password for their webmail account that they use for Facebook or other social services. That kind of behavior, of course, is a gift to hackers: all they need to do is successfully phish or sniff your Facebook password and they have access to your webmail as well. Once hackers have access to your webmail, a whole host of interesting possibilities opens up to them, including resetting your password on other services such as online banking or domain name registration. Still think it was a good idea to use the same password for Facebook and email?

Lastly, web designers and developers: your practices suck too. I know this because I've been doing a security check and changing my weaker passwords for stronger ones. A few sites make this easy. Some make it extremely difficult. Some make it actually impossible. Moreover, every site does it a different way, so figuring out how to change your password is a kind of extended guessing game. On one site you may have to click your login name; on another, you may have to look for a link marked 'Profile', or a tiny down-arrow that triggers a drop-down menu. Or you might have to sign in on a comment thread and then click your username because there's no sign-in/my account link anywhere else on the site (BoingBoing, I'm looking at you). The link you need may be in the header. Or the footer. It may be called 'Profile'. Or 'Settings'. Or 'Preferences'. Or 'My Account'. The actual password form may be one level deep. Or two. Or it may just not be there at all (MacWorld). Or the process for changing it may simply be broken because no one thought to test it after the last deploy (DealNews). It may allow you to type anything you want, or it may restrict you to letters and numbers, or impose a length limit on your password (way to make a hacker's job easier, eh guys?).

If you're an end user, check your passwords now. If you're using weak passwords or you're using the same password in a bunch of places, change them. It is only a matter of time before you either give away your own password to a particularly cunning phish or before a popular system like Gawker gets compromised. When that happens, the best you can hope for is that your online identity will be exploited by spammers. Using strong passwords and having distinct passwords for each key system is your only hope of limiting the damage.

If you're a web developer, you need to figure out the current best practice for giving users access to a password change form, because currently everyone seems to be doing it a different way. It's not clear what user expectations are in this respect. My feeling is that users probably expect to see their username somewhere in the upper right of the page, and that their username or something very nearby should be a link to a 'profile' page that includes a prominent 'Change Password' link. I'd also recommend making the password form be a form in its own right, not just a subsection of some larger set of user details. Finally, don't restrict users to six or eight characters, and do let them use a full range of characters. Imposing limitations just helps the hackers.
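To make the "don't restrict users" advice concrete, here is an added example (not code from the original post) of a server-side password policy check written the recommended way, beside the restrictive policy the post complains about. The two policy dictionaries, the function names and the sample passwords are all constructed for illustration. The keyspace function shows, in bits, how a cap of eight letters-and-digits characters bounds the search space an attacker with a leaked database has to cover, while the recommended policy sets only a floor.

```python
import math
import string

# Constructed policies (assumptions, not from the post):
# RESTRICTIVE mirrors the sites that cap length and allow only letters and digits;
# RECOMMENDED follows the post's advice: a minimum length, no maximum, any character.
RESTRICTIVE = {"min_len": 6, "max_len": 8, "allowed": string.ascii_letters + string.digits}
RECOMMENDED = {"min_len": 12, "max_len": None, "allowed": None}  # None means unrestricted


def validate(password, policy):
    """Return (ok, reason). Reject only what the policy actually forbids."""
    if len(password) < policy["min_len"]:
        return False, "too short"
    if policy["max_len"] is not None and len(password) > policy["max_len"]:
        return False, "too long"
    if policy["allowed"] is not None:
        if any(ch not in policy["allowed"] for ch in password):
            return False, "disallowed characters"
    return True, "ok"


def keyspace_bits(charset_size, length):
    """Bits of brute-force search space for a fixed charset and exact length."""
    return length * math.log2(charset_size)


def policy_ceiling_bits(policy):
    """Largest keyspace the policy permits, or None when the policy sets no cap.

    A cap turns the user's choice into a bounded search; no cap means the
    ceiling is set by the user's password, not by the site.
    """
    if policy["max_len"] is None:
        return None
    charset = len(policy["allowed"]) if policy["allowed"] is not None else 95  # printable ASCII, assumed
    return keyspace_bits(charset, policy["max_len"])


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["abc12345", "pa$$word", "correct horse battery staple", "short"]:
        print(f"{pw!r:32} restrictive={validate(pw, RESTRICTIVE)}  recommended={validate(pw, RECOMMENDED)}")
    print("restrictive ceiling bits:", round(policy_ceiling_bits(RESTRICTIVE), 2))
    print("recommended ceiling bits:", policy_ceiling_bits(RECOMMENDED))
```

The point of `policy_ceiling_bits` is that the restrictive policy publishes an upper bound (roughly 47.6 bits for eight letters-and-digits characters), which is exactly the kind of help the post says developers should stop giving. The recommended policy returns no ceiling at all; a validator written this way also has no reason to reject spaces, punctuation or a long passphrase.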

Current password practices suck. Make sure yours don't.
