Linux experts are crap at passwords!

Remember the Gentoo data breach story last week?

Someone broke into the Linux distro’s GitHub repository, took it over completely by kicking out all the Gentoo developers, infected the source code by implanting malicious commands (rm ‑rf) all over the place, added a racist slur, and generally brought a week of woe to the world of Gentoo.

In case you’re wondering, rm ‑rf is Unix/Linux system command language for remove files (rm) recursively (‑r), which means “including any subdirectories”, and forcibly (‑f), which means that the user won’t see any warnings or prompts. The Windows equivalent is DEL /S /F /Q, a command you often regret almost immediately after you hit [Enter].

Fortunately, Gentoo’s GitHub repository wasn’t the primary source for Gentoo code, and few, if any, Gentoo users were relying on it for software updates.


Other good news is that the stolen GitHub account is back under Gentoo’s control now; the hacked files have all been identified and removed; and Gentoo has learned (and, at the same time, taught the rest of us) three main lessons.

Lesson 1. A prompt notification goes a long way.

At first, Gentoo knew merely that something bad had happened – it was locked out of its own GitHub account, which was a bit of a giveaway – but not how or why.

Nevertheless, the organisation didn’t beat around the bush in preparing a breach notification message, and it didn’t waste time trying to work a marketing spin into its initial report.

As a result, the issue got widespread attention and community help right away.

Many commercial organisations could learn from this – trying to disguise bad news as if it were nothing of the sort often ends up sounding confusing at best, and devious at worst.

Lesson 2. Pick a proper password.

Gentoo’s final summary of the incident says:

The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages.

In other words, the user whose password was guessed had fallen into the trap of using different but nevertheless obviously related passwords on multiple sites.

It’s an easy thing to do – pick a core password (for example, pASS\/\/orD) and then use some easily-derived additional text each time you need a new password, for example like this:


Technically, this means you are complying with the rule that says, “One site, one password – never use the same password on different sites.”

But if I were to figure out, or even just to guess, that -Y! in the last password was meant to denote Yahoo!, it would be an easy jump to try suffixes like -FB, -TW and -G+ for Facebook, Twitter and Google Plus respectively.

Don’t use a core password with tweaks or suffixes for each site – the crooks will figure out your pattern sooner or later.

Use a password manager and let it choose a totally different password for each site.

3. 2FA is your friend.

Apparently, Gentoo didn’t insist on two-factor authentication (2FA) before the breach.

It does now!

2FA, also known as two-step verification, usually means you have to put in your regular username and password and then follow it up by typing in a one-time code that works only for the session you are trying to set up.

Those one-time codes generally come either from an app on your phone, or via an SMS or other text message sent by the service provider.

2FA isn’t perfect, but it does make things harder for the crooks, because they can’t just steal or guess your password – they typically need your phone (and its unlock code), too.

What to do?

The Gentoo breach turned out to have a root cause that wasn’t about malware attacks, phishing emails, social engineering calls, exploits, zero-days, or any other technological trickery.

This story is a straightforward reminder that cybersecurity basics matter – and that making it very slightly less convenient for legitimate users to login every time makes it very much harder for crooks to login at any time.

If you’re asked to trade a tiny bit of personal convenience for a lot of extra cybersecurity for your company…

…take one for the team!