The Wall Street Journal recently posted the top 50 passwords leaked from the Gawker website. Some of it is funny, including “trustno1”, which for some reason meant trusting Gawker with one’s username and password. Jeff Atwood had a good analysis about what one could learn from the hack. I mostly agree with it, but would like to add the following:
- I don’t *really* understand why sites like Gawker want to maintain user accounts. I understand it to the extent that you can improve the quality of discussions, but how much, and wouldn’t that end be better served by comment moderation? Most sites introduce friction by having user accounts. They would be better off by just making everything public.
- Using OpenID can be problematic for a variety of reasons, including lack of understanding about OpenID by non-technical users. See a nightmare scenario experienced by Rob Conery.
From the user’s perspective, you still have the problem of websites that force you to create a user account. One way to limit the contagion from a password leak is to create throw-away usernames and passwords that are specific to the site, for example by including the site’s name (such as “gawker”) in them. Then use the password-saving mechanism in your browser (or a browser add-on) for those sites so that you don’t have to remember them.
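To show the contagion from the other side, here is an added example (not from the original post) of how a second site can check its own users against a leaked password list from another site: each leaked password is re-hashed under that user's own salt and the accounts whose stored hash matches are the ones to force-reset. The sample data, the PBKDF2 parameters and the function names are assumptions; it also assumes the leaked list carries plaintext (or already-cracked) passwords.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Constructed sample: (email, plaintext) pairs leaked from "site A".
LEAK: List[Tuple[str, str]] = [
    ("alice@example.com", "trustno1"),
    ("bob@example.com", "gawkerB0b!"),      # site-specific password, as the post suggests
    ("carol@example.com", "123456"),       # has no account at the second site
]

# Constructed sample: the second site's users and the passwords they chose there.
OTHER_SITE_USERS: Dict[str, str] = {
    "alice@example.com": "trustno1",       # reused the leaked password
    "bob@example.com": "sitetwoB0b!",      # different password for this site
    "dave@example.com": "letmein",         # not in the leak
}


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the (assumed) scheme the second site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the second site's credential store: email -> (per-user salt, hash)."""
    return {email: (salt, hash_password(pw, salt))
            for email, pw in users.items()
            for salt in [os.urandom(16)]}


OTHER_STORE = make_store(OTHER_SITE_USERS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(hash_password(password, salt), stored)


def accounts_exposed_by_leak(leak: List[Tuple[str, str]],
                             store: Dict[str, Tuple[bytes, bytes]]) -> Set[str]:
    """Emails whose password at this site equals the one leaked elsewhere."""
    exposed: Set[str] = set()
    for email, leaked_pw in leak:
        entry = store.get(email)            # only hash for users we actually have
        if entry is not None and verify(leaked_pw, *entry):
            exposed.add(email)
    return exposed


if __name__ == "__main__":
    print("force reset for:", sorted(accounts_exposed_by_leak(LEAK, OTHER_STORE)))
```

Only accounts whose e-mail appears in the leak are hashed, so the cost is bounded by the size of the overlap rather than by the site's whole user base.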