We reported yesterday on the Gawker Media hack, whereby 1.3 million user names, email addresses and passwords were exposed.
While the passwords were encrypted, the protection wasn’t particularly difficult to crack, as Duo Security showed by running the password hashes through the cracking tool John the Ripper.
Of the roughly 750,000 crackable password hashes, Duo Security cracked 190,000 in just an hour (using an 8-core Xeon machine). Left to keep running, the tool eventually recovered nearly 400,000 full passwords, more than half of those contained in the database dump.
And the analysis of the passwords showed us some old chestnuts we’re familiar with from the RockYou security snafu, which saw 32 million passwords spilled back in January. Imperva determined that the most common password in that case was the hugely sensible “123456”, followed by “12345”.
And surprise surprise, what was top of the Duo Security list in this particular spillage? “123456”. Followed by the marvellously original “password” (which was also relatively common in the RockYou leak), and then “12345678” – a slight variation on the counting theme.
The fourth most popular password was “qwerty” and then it was “abc123”. Some big films also featured in the top twenty, such as “let me in”, “superman” and “star wars”.
Only half a percent of the passwords cracked contained special characters (i.e. not alphanumeric).
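The two weaknesses described above, guessable passwords and hashes that a commodity machine can churn through by the hundred thousand, are both things a site can defend against at registration time. The following is an added example (not code from the article, Duo Security or Gawker): it rejects the common passwords named above and passwords with no special character, and stores the rest as a salted, iterated PBKDF2 hash so that two users with the same password get different hashes and each guess costs the attacker many hash computations rather than one. The blocklist, the 12-character minimum and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed blocklist from the most common passwords named in the article.
# Assumption: a real deployment would use a far larger list than this.
COMMON_PASSWORDS = {
    "123456", "12345", "password", "12345678", "qwerty", "abc123",
    "letmein", "superman", "starwars",
}

PBKDF2_ITERATIONS = 200_000  # assumption: tune upward as hardware gets faster
SALT_BYTES = 16              # assumption: 128-bit random salt per user


def password_problems(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list means OK)."""
    problems = []
    # Normalise so that "let me in" and "Password" still hit the blocklist.
    normalized = password.lower().replace(" ", "")
    if normalized in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if all(c.isalnum() for c in password):
        problems.append("contains no special (non-alphanumeric) character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated PBKDF2-HMAC-SHA256 hash and pack it into one string."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Apply the policy, then return the string a site would store for this user."""
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("123456", "let me in", "Tr0ub4dor&3xtra-long!"):
        print(candidate, "->", password_problems(candidate) or "accepted")
    stored = register("Tr0ub4dor&3xtra-long!")
    print("verify correct:", verify_password("Tr0ub4dor&3xtra-long!", stored))
    print("verify wrong:  ", verify_password("123456", stored))
```

The per-user salt is what removes the economy of scale the article describes: without it, one hash computation per guess tests that guess against every one of the 1.3 million accounts at once, whereas with a salt each account has to be attacked separately.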
While folks probably aren’t too bothered about an outsider gaining access to their Gawker account, it’s the practice of using the same password for every site which makes the leak most dangerous. The unauthorised user can then potentially gain access to juicier targets such as webmail or online bank accounts.