Gawker hack analysis reveals weak passwords
Brute-force work by Michigan firm decrypts 200,000 Gawker account passwords in under an hour
Computerworld - The most popular password among nearly 400,000 exposed by the Gawker hack was "12345," according to an analysis done by a security firm.
In second place was the word "password" itself.
The most common passwords were uncovered by Duo Security, an Ann Arbor, Mich.-based two-factor authentication provider, after running John the Ripper (JtR), a password hash cracking tool, on the list of Gawker user passwords posted on the Web over the weekend.
On Sunday, Gawker, which operates several popular technology sites, including Gizmodo and Lifehacker, confirmed that its servers had been hacked, and that hundreds of thousands of registered users' e-mail addresses usernames and passwords had been accessed. A group calling itself "Gnosis" claimed credit for the attack and said it had pilfered more than 1.3 million accounts.
The top 25 passwords as ranked by Duo ranged from the absurdly easy-to-guess to the unintentionally hilarious, with "12345678" in third place, "monkey" in seventh, "letmein" in 10th, and "trustno1" -- a reference to the "Trust No One" expression popularized by the TV series The X-Files -- in 13th.
Using an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour.
That didn't come as a surprise to HD Moore, chief security officer at Rapid7.
"The DES crypt hash can be broken with ridiculous ease," said Moore in an e-mail reply to questions late Monday about the strength of the encryption used by Gawker to safeguard its users' passwords. "John the Ripper, along with most other tools, are well equipped to brute-force these."
Moore pointed out that the 56-bit DES (Data Encryption Standard) encryption used by Gawker had been broken more than a decade ago, when the Deep Crack machine built by the Electronic Frontier Foundation won a 1998 contest sponsored by RSA by breaking a DES key in just 56 hours. Six months later, EFF and Distributed.net collaborated to lower that time to just over 22 hours.
"These days, [graphics processor unit]-based cracking makes this even easier," noted Moore.
Duo Security uncovered other interesting tidbits during its analysis, including the fact that nearly all of the cracked passwords -- 99.45% -- were composed of alphanumeric characters only and did not contain any special characters or symbols.
Users are often urged to use special characters, such as the percent sign or ampersand symbol, and some enterprises require their employees to use the characters in self-set passwords.
Imperva noted that "123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou" (download PDF).
The ease with which Duo was able to decrypt hundreds of thousands of the leaked passwords lends credence to expectations that cybercriminals will do the same, then use the e-mail accounts, usernames and passwords to try to hack other accounts owned by the affected individuals.
On Monday, Andrew Storms, director of security operations at nCircle Security, said it was a sure bet that hackers would utilize the Gawker information, because many people reuse the same password for most of their e-mail and online accounts.
Storms was commenting on the news that some e-mail addresses revealed in the Gawker hack belonged to employees of federal, state and local governments, and that hackers would use the information in targeted attacks to gain access to agency networks.
Duo provided a clearer idea of the scope of the threat to governments, pointing out that 15 of the accounts for which it had cracked password encryption belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security.
Both Gawker and a host of security experts, including Moore, Storms and those at Duo, urged users whose Gawker accounts had been exposed to change their passwords for other sites or services if those passwords were the same or similar to the one associated with Gawker.
Moore provided Computerworld with steps users can take to determine whether their e-mail addresses were among those accessed in the Gawker hack. Since then, Duo Security has created a Web-based tool that users can run to see if they have been "Gawkered."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts