I don't support the crackers here, but I do have to admit to a little schadenfreude at seeing Gawker get taken down a peg. Not only are they a worthless tabloid, but they're dicks about it, too.
Thousands of people still use "password" as their password.
It would be great for people if tools like 1Password were more prevalent, even built in to browsers. It becomes trivial both to create and maintain an unlimited number of secure passwords.
Screenshot from Quantcast showing 409M page views, 31.4M visitors a month in aggregate for all Gawker Media properties
"My job was to write twelve posts a day about 'media gossip,' which meant anything unpleasant or otherwise intriguing about anyone who had power in any Manhattan culture industry. There had to be enough posts so that whoever was sitting at my old desk at the publishing house, and everyone in Manhattan like her, could read something new when boredom struck."
Excerpt from book by Emily Gould, ex-Gawker, infamous blogger
is this a joke or what? I never do understand gawker.
They were making incredibly stupid mistakes while convincing people they were responsible and knowledgeable. I was hearing their bullshit on NPR like it was tech gospel.
Now they are exposed for the frauds they are.
They ARE a news organization, however. And they get it right more often than not. Which is why people read them. Do those people (who honestly suffered more due to this hack than Gawker ever will) deserve this? No.
They aren't frauds; they're provocative. There's a difference. They weren't claiming to be tech gods. And to trash them as "frauds" for their weak security is like trashing an athlete for not being a good writer. There are two different standards here.
And do you know how many newspapers make stupid mistakes? A lot of them. Gawker has a staff the tenth of the size of your average national newspaper yet pulls in a similar number of viewers. Making stupid mistakes comes with the territory with journalism. Even the big boys screw up.
Dislike Gawker because they're arrogant. Don't read them if you think they are. Don't suggest they're "frauds" though.
Unrelatedly, does HN HMAC?
Short answer: the acceptable password hashes are bcrypt, scrypt, or PBKDF2. In all likelihood, anything that isn't one of those three gets you in the news for losing passwords when your site gets hacked.
HMAC is a construction that takes a hash (like SHA1), data, and a secret key (like "ff79f2fbe108a68c34a66004058fcfdb988dbc43") and applies the hash twice, each with a special tweak, to create a digest that only someone who knows the key can recreate from the same data. It's how two parties who share a key can prove to each other that their messages haven't been tampered with.
Hash+salt is a construction that takes a hash (like SHA1), a password (like "gobears") and a random public value (like "$4jdle$") and creates a password hash out of it that can't be precomputed.
People do (ab)use HMAC as a password hash. Those people should know that HMAC is as easy to precompute as naked SHA1 is; you can "rainbow-table" HMAC. People who have misunderstood HMAC tend to stick up for it by saying "yeah, but people will have to find my secret key first", to which a response that ends that silly argument is "once they get your key, they can attack all your hashes in parallel and that's bad".
All of these schemes are demonstrably inferior to any adaptive hashing scheme, like bcrypt or scrypt or PBKDF2, all of which can be tuned so that a single password attempt takes 500ms (or any other time); they in effect require password crackers to complete a "proof of work" that can't be sped up without a breakthrough in cryptanalysis.
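As an added example (not from the thread), here is the distinction the comment above draws, in Python: a fixed-key HMAC maps every user with the same password to the same digest, a per-user salt does not, and an adaptive scheme (PBKDF2 here) adds a tunable work factor. The key is the one quoted in the comment and is not a real secret; the record format and calibration routine are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed demo key (the value quoted in the comment above), not a real secret.
SERVER_KEY = bytes.fromhex("ff79f2fbe108a68c34a66004058fcfdb988dbc43")

def hmac_password(password: str) -> str:
    """Fixed-key HMAC-SHA1: the same password always yields the same digest."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha1).hexdigest()

def salted_sha1(password: str, salt: bytes) -> str:
    """SHA1 over a per-user random salt plus the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def pbkdf2_record(password, iterations, salt=None):
    """Adaptive hash: salt and work factor are stored next to the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    _, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def shared_digests(passwords: list, scheme: str) -> int:
    """Count distinct stored digests for a list of identical passwords.
    1 means a single precomputed entry covers every one of those users."""
    if scheme == "hmac":
        digests = {hmac_password(p) for p in passwords}
    elif scheme == "salted":
        digests = {salted_sha1(p, os.urandom(8)) for p in passwords}
    else:
        raise ValueError(scheme)
    return len(digests)

def calibrate_iterations(target_seconds: float, start: int = 1000) -> int:
    """Double the PBKDF2 work factor until one guess costs about target_seconds."""
    iterations, salt = start, os.urandom(16)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```

Run `calibrate_iterations(0.5)` on the machine that will verify logins to get the work factor the comment describes, and re-run it as hardware gets faster.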
Some day, and that day may never come, I'll call upon you to explain cellular respiration to me.