I Just Logged In As You

He had your password before your OpenID provider, which leads me to believe you typed your password somewhere that wasn’t secure. I don’t think you would have been duped by an XSS. I’m going to go with bad input sanitization. JavaScript was inserted into a comment on an answer you wrote, and when you viewed your user page, he received your password.

Can I recommend LastPass:

Free, secure, machine and platform independent.

I’m gonna guess XSRF (somehow)

I bet you wrote it on a post-it note near your computer and your wife saw it! She totally stole your password! SHE IS RIGHT BEHIND YOU!

(OK, it was worth a shot.)

Just some guesses:

  • NoWayInHell
  • IHeartBunnies!
  • this is my password
  • Password1!
  • deliciously-salty-

or his e-mail address …

@danimajo, lol that’s funny

@jeff atwood, that sucks… but I understand what you mean. Some of my accounts online have very weak passwords, but as you have mentioned on the podcast, who cares about hammocks.com?? Also, I’m just a lowly internet troll whereas you run a pretty successful online community; that might make a difference.

Oh yeah, and as far as the password, orange +1

With SuperGenPass nobody has an excuse for lame passwords on any web account.

Use it!

I know, it was goatse, wasn’t it?

I would guess HenryBurton from the post http://www.codinghorror.com/blog/archives/001242.html

I’ve seen the movie War Games way too many times :)

Perhaps you commented on one of his blogs or used one of his services where you log in, and he knew a) you were Jeff Atwood and b) stored passwords as plaintext in his system rather than hashing them. Failing that, maybe you wrote something on Twitter or something that gave him an idea. Anyway, you should use autogenerated passwords.

Also, one thing I love about this is that it shows OpenID for what it is, a bad idea and a gaping security hole. You said yourself that you use a password you don’t care about to log in to Stack Overflow. But the problem is, if you have several different passwords, an attacker needs multiple attack vectors to totally take over your online identity, rather than just your OpenID account, which not only has the same password but the same username. As well, given that there are not that many OpenID providers, you don’t even have to know the particular provider (just try them all).


guys, a hint:

the most often used keyboard shortcut?

: )

I know nothing about security or hacking a site, but smart-ass I’ve got covered pretty well. LOL

I don’t like OpenID and was disappointed that SO used it. Why not just stick to ordinary passwords, and enforce complexity if you have to? OpenID is just more complexity, which means more ways to fail.

The dictionary he used was all the words of this blog.

And the password might be in http://www.softexia.com/news.php?readmore=4219

5t4ck0v3rfl0w +1

(today I heard it spoken! I mean, orange!)
(funny how, when you fail to enter the word, you can’t have it spoken again. Kafka was here)


I’m curious: in what post did Jeff’s OpenID choice get disclosed? It happened a few days ago but I haven’t found it yet. Or maybe Jeff did some editing I didn’t notice.