Using Gravatars may expose your email address

rob
edited August 2013 in Lounge

For those who guard their email address with their life, you might not want to be using a Gravatar. Our resident expert Jeffrey Goldberg explains why:

The image tags for individuals' avatars contain a Gravatar ID that is sent to Gravatar whether or not an individual uses Gravatar (after all, there is no way to know beforehand if someone does have a Gravatar ID).

Anyway, the ID is in something like http://www.gravatar.com/avatar.php?gravatar_id=71778e2933aea1d0de7be59456b8633a&size=100&default=http%3A%2F%2Fvanillicon.com%2F71778e2933aea1d0de7be59456b8633a.png

The string 71778e2933aea1d0de7be59456b8633a is fully readable in the source and is just the hash of the email address someone used to register with our forum. In this case, it is the hash of jeff@agilebits.com.

Because email addresses have very definite patterns, it is fairly easy to run a password cracker to reverse the hash. This was all described in a talk at PasswordsCon, and was reported in an article by Dan Goodin.

Fortunately, it's not the end of the world. If you'd like to not use a Gravatar on this forum, all you have to do is go to your profile settings here and upload your own picture. If you don't want to post a picture of your face, try a Google image search for your favorite animal.

Happy smiling!
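As an added example that is not part of the post above and not AgileBits code: a small Python audit that derives the Gravatar ID the way Gravatar does (MD5 of the trimmed, lower-cased address) and flags any avatar URL in a page that carries the hash of an address you care about. The example address and the HTML snippet are constructed; the first URL is the one quoted in the post.

```python
import hashlib
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def gravatar_hash(email: str) -> str:
    """Gravatar ID: MD5 of the e-mail address after trimming and lower-casing."""
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def extract_gravatar_id(url: str) -> Optional[str]:
    """Pull the 32-hex-digit ID out of either URL form Gravatar serves:
    .../avatar.php?gravatar_id=<id> (as on the forum) or .../avatar/<id>."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    if "gravatar_id" in query:
        candidate = query["gravatar_id"][0]
    else:
        match = re.search(r"/avatar/([0-9a-fA-F]{32})", parsed.path)
        candidate = match.group(1) if match else ""
    return candidate.lower() if HEX32.fullmatch(candidate) else None


def url_exposes_email(url: str, email: str) -> bool:
    """True when the avatar URL carries the hash of this address, i.e. anyone
    reading the page source can confirm the address belongs to the account."""
    gid = extract_gravatar_id(url)
    return gid is not None and gid == gravatar_hash(email)


def audit_page(html: str, my_email: str) -> List[str]:
    """Return every Gravatar image URL in the HTML that matches my_email."""
    urls = re.findall(r"""https?://(?:www\.|secure\.)?gravatar\.com/[^\s"'<>]+""", html)
    return [u for u in urls if url_exposes_email(u, my_email)]


# URL quoted in the post above.
PAGE_URL = ("http://www.gravatar.com/avatar.php?gravatar_id=71778e2933aea1d0de7be59456b8633a"
            "&size=100&default=http%3A%2F%2Fvanillicon.com%2F71778e2933aea1d0de7be59456b8633a.png")
# Constructed sample: a made-up address and the avatar tag a forum would render for it.
EXAMPLE_EMAIL = "someone@example.invalid"
EXAMPLE_URL = f"https://www.gravatar.com/avatar/{gravatar_hash(EXAMPLE_EMAIL)}?s=100"
SAMPLE_HTML = f'<img src="{EXAMPLE_URL}"> <img src="{PAGE_URL}">'
```

Running `audit_page(SAMPLE_HTML, EXAMPLE_EMAIL)` returns only the constructed URL, which is exactly the check to run against your own forum profile page before deciding whether to upload a picture instead.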

This discussion has been closed.