As you may know, our tech team has been in the process of auditing the security of our site (and other Gawker Media sites) since hacker's broke into our system. One thing we've learned: Our authorization isn't terribly handy with non-ASCII characters.


Over at our newly minted Gawker Tech blog, Gawker Media CTO Tom Plunkett explains how passwords using non-ASCII characters (like © or Д) cause security problems. Essentially, on our backend (and potentially at some other sites across the internet), non-ASCII characters are interchangeable. An eagle-eyed reader noted that:

...after creating an account with the password 'ДДДДДДДД', I was able to successfully log in by typing '簡簡簡簡簡簡簡簡,' as well as 'ႤႤႤႤႤႤႤႤ', '©©©©©©©©'. It turns out that any string of exactly 8 characters whose unicode code point is >= 128 will be accepted.


So what does that mean for you?

It does not affect most of our users - If you are not using non-Latin characters for your password, there is nothing to do (see wikipedia for more information on the characters that are not affected - US-ASCII). If you do use characters that are non-Latin, you should reset your password to ensure it is updated to fully support these special characters.

Tom also notes that, to help address the problem, "when a person logs in with a non-ascii char in password, we prompt them to reset." Read up for more details over at Gawker Tech.