Hacked Gawker passwords analysed

Darren Allan

December 14, 2010

We reported yesterday on the Gawker Media hack, whereby 1.3 million user names, email addresses and passwords were exposed.

While the passwords were stored as hashes rather than in the clear, those hashes weren’t particularly difficult to crack, as security firm Duo Security showed by running them through the password-cracking tool John the Ripper.

Of the roughly 750,000 crackable password hashes in the dump, Duo Security recovered 190,000 in just an hour on an 8-core Xeon machine. Left running longer, the tool ended up with nearly 400,000 plaintext passwords, more than half of those contained in the database dump.

And the analysis of the passwords showed us some old chestnuts we’re familiar with from the RockYou security snafu, which spilled 32 million passwords and was analysed by Imperva back in January. Imperva determined that the most commonly used password in that case was the hugely sensible “123456”, followed by “12345”.

And surprise surprise, what was top of the Duo Security list in this particular spillage? “123456”. Followed by the marvellously original “password” (which was also relatively common in the RockYou leak), and then “12345678” – a slight variation on the counting theme.

The fourth most popular password was “qwerty” and then it was “abc123”. Some big films also featured in the top twenty, such as “letmein”, “superman” and “starwars”.

Only half a percent of the cracked passwords contained a special (that is, non-alphanumeric) character.
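To make the cracking and the frequency analysis described above concrete, here is an added example that is not Duo Security’s code and not from the original article. It mimics John the Ripper’s wordlist mode with a few simple mangling rules, runs it over a small constructed dump, and then tallies the most common cracked passwords and the share containing a special character. The dump, the wordlist and the usernames are all constructed here, and the hash is unsalted SHA-1, an assumption standing in for whatever scheme Gawker actually used, which the article does not say.

```python
"""Added example (not Duo Security's or Gawker's code): a wordlist attack
on an unsalted hash dump, in the spirit of John the Ripper's wordlist mode,
followed by the kind of frequency analysis quoted in the article.

Assumptions: the dump and wordlist are constructed here, and the hash is
unsalted SHA-1, a stand-in since the page does not state Gawker's scheme.
"""
import hashlib
from collections import Counter

# Constructed wordlist: common passwords first, as a real wordlist would be.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123", "letmein",
            "superman", "starwars", "12345", "monkey", "hunter2"]


def h(password: str) -> str:
    """Unsalted SHA-1 hex digest (assumption standing in for the real scheme)."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample dump of (username, hash). Several users share "123456";
# with no per-user salt their hashes are identical, so one hit cracks them all.
PLAINTEXTS = {
    "alice": "123456", "bob": "password", "carol": "123456", "dave": "qwerty",
    "erin": "Tr0ub4dor&3", "frank": "letmein", "grace": "123456",
    "heidi": "abc123", "ivan": "p@ssw0rd", "judy": "12345678",
    "kim": "Password1", "leo": "password!",
}
DUMP = [(user, h(pw)) for user, pw in PLAINTEXTS.items()]


def mangle(word: str):
    """A few John-style rules: as-is, capitalised, and common suffixes."""
    bases = {word, word.capitalize()}
    variants = set(bases)
    for base in bases:
        for suffix in ("1", "123", "!"):
            variants.add(base + suffix)
    return variants


def wordlist_attack(dump, wordlist):
    """Hash every candidate once and look it up against every user.
    Returns {username: cracked_password}."""
    # With an unsalted hash one lookup table covers the whole dump; this is
    # why the attack cost does not grow with the number of users.
    table = {}
    for word in wordlist:
        for candidate in mangle(word):
            table[h(candidate)] = candidate
    return {user: table[digest] for user, digest in dump if digest in table}


def analyse(cracked, top_n=5):
    """Top-N cracked passwords and the share containing a non-alphanumeric
    character (the statistic the article quotes as half a percent)."""
    counts = Counter(cracked.values())
    special = sum(1 for pw in cracked.values() if not pw.isalnum())
    share = special / len(cracked) if cracked else 0.0
    return counts.most_common(top_n), share


if __name__ == "__main__":
    cracked = wordlist_attack(DUMP, WORDLIST)
    top, share = analyse(cracked)
    print(f"cracked {len(cracked)} of {len(DUMP)} hashes")
    for password, count in top:
        print(f"{count:3d}  {password}")
    print(f"cracked passwords with a special character: {share:.1%}")
```

Two things the run makes visible that the article only states: the hash table is built once from the wordlist and then tested against every user at dictionary-lookup cost, and the users who survive are the ones whose passwords no rule in the wordlist reaches (“Tr0ub4dor&3” and “p@ssw0rd” here). Real John runs use far larger wordlists and rule sets, so anything in the top-twenty lists quoted above would fall in the first seconds.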

While folks probably aren’t too bothered about an outsider gaining access to their Gawker account, it’s the habit of using the same password on every site that makes the leak most dangerous. With a cracked password and the matching email address, an unauthorised user can try the same credentials against juicier targets such as webmail or online bank accounts.


Comments in chronological order (1 comment)

  1. Idan Shoham says:

    It seems that major breaches like this are becoming quite common. What does that say about the security thinking among people operating the compromised system, and about the security thinking among end users?

    If you operate a major web site, a big security compromise like this can kill your business. Not investing enough time, money and infrastructure in security means putting your organization at risk of major harm, because of bad press, lost end users, lost advertisers, etc. This is a big deal.

    If you are a user whose password has been compromised, I guess it depends on how many other systems you sign into with the same ID/password and whether you care about compromise of any/every account that uses the same credentials. At a minimum, once you learn about a compromise like this, you should change your “standard, used for systems I don’t care much about” password everywhere.
