Thursday, December 16, 2010

Inside the Gawker hack: the .uk domains

The other day I talked about the Gawker hack and I thought it would be interesting to look a little deeper at the .uk domains that are in the file. There are 7,599 accounts with email addresses that have hash values suitable for attacking with John the Ripper.

I've now let it run for 24 hours and have cracked 2,512 of the accounts (which is 1/3). Here are some fun facts based on the cracked passwords.

1. There are two government accounts with Government Secure Intranet email addresses from the Crown Prosecution Service and The Charity Commission with very simple passwords. Plenty of schools and universities are represented, as is ACAS and Tesco. Plus a smattering of people from the NHS.

2. The top ten passwords are 123456, 12345678, password, liverpoo (note that the Gawker system truncates at 8 characters), letmein, arsenal, chelsea, starwars, daniel and qwerty. Clearly, football (Liverpool, Arsenal and Chelsea) is important when cracking UK-based passwords. Further down the list the football theme continues with manchest, manunite and ronaldo.

3. The top ten domains by cracked password are,,,,,,,, and

4. Journalists seem to be quite bad at picking passwords. There are easily cracked passwords from senior figures (editors) at The Guardian, The Observer, The Times and The Daily Telegraph. Note to hacks: using the name of your paper as a password is probably a bad idea.

5. Most worrying for individuals are accounts where the email address includes the person's full name (or is on a custom domain) and the password is a word likely to be significant to them. Since they probably think that password is safe, they'll likely have used it elsewhere, so there's a real risk of those individuals being attacked directly.

6. There's a senior figure from the Liberal Democrats (not an MP) whose password is an easily guessed word.

Casting outside the .uk domains, it's possible to find British companies like BP, British Telecom, HSBC, Shell, Barclays, BHP Billiton, Unilever, ... Many have easily cracked passwords.

System administrators would do well to check their own domains, as I did, to make sure their users are not exposed, and to do a bit of password security education.
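As an added example (not the author's own script), this is the kind of triage an administrator could run over a dump of this shape: count the .uk accounts, keep only those with traditional DES-crypt hashes (the 13-character form John the Ripper attacks here), join them against a john.pot-style file of cracked hashes, tally the top passwords and domains, flag 8-character results that the Gawker truncation likely cut short, and list the users in one's own domain whose hash fell. The "email:hash" dump format, the pot format and every address and hash below are constructed assumptions, not data from the leak.

```python
import re
from collections import Counter

# Constructed sample dump ("email:hash"); not real leaked data.
SAMPLE_DUMP = """\
alice@example.co.uk:abJnggxhB/yWI
bob@example.co.uk:abFPqXhp1/wZ.
carol@example.ac.uk:ab7l0xXw1sCB6
dave@example.com:abZ9ZCDg0Hdnc
erin@dept.example.gov.uk:abQrStUvWxYz1
frank@example.co.uk:ab1cDeFg2hIjk
grace@example.org.uk:$1$saltsalt$notadeshash
heidi@example.ac.uk:abLmNoPqRsTu2
"""
# Constructed john.pot-style lines ("hash:plaintext") for the hashes above.
SAMPLE_POT = """\
abJnggxhB/yWI:123456
abFPqXhp1/wZ.:liverpoo
ab7l0xXw1sCB6:password
abZ9ZCDg0Hdnc:qwerty
abQrStUvWxYz1:letmein
abLmNoPqRsTu2:123456
"""
# Traditional crypt(3) DES output: 13 chars from this alphabet (2-char salt first).
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Dump: the hash is everything after the last colon; pot: "hash:plaintext".
def parse_dump(text): return [tuple(l.rsplit(":", 1)) for l in text.splitlines() if ":" in l]
def parse_pot(text): return dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
def domain_of(email): return email.rsplit("@", 1)[1].lower()

def report(dump_text, pot_text, suffix=".uk", top_n=10):
    """Accounts under `suffix`: DES-crypt count, cracked count, top passwords/domains."""
    cracked = parse_pot(pot_text)
    uk = [(e, h) for e, h in parse_dump(dump_text) if domain_of(e).endswith(suffix)]
    des = [(e, h) for e, h in uk if DES_CRYPT.match(h)]
    hits = [(e, cracked[h]) for e, h in des if h in cracked]
    return {
        "accounts": len(uk), "des_crypt": len(des), "cracked": len(hits),
        "top_passwords": Counter(p for _, p in hits).most_common(top_n),
        "top_domains": Counter(domain_of(e) for e, _ in hits).most_common(top_n),
        # DES crypt keeps only 8 chars, so 8-char results are likely truncated
        "eight_char": sum(1 for _, p in hits if len(p) == 8),
    }

def exposed_users(dump_text, pot_text, domain):
    """Emails in one domain (e.g. an admin's own) whose hash was cracked."""
    cracked = parse_pot(pot_text)
    return sorted(e for e, h in parse_dump(dump_text)
                  if domain_of(e) == domain.lower() and h in cracked)
```

Pointing `exposed_users` at your own domain is the check the paragraph above recommends; the output is the list of users who need a password reset and a word about reuse.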

PS Just in case you think I'm some kind of l33t h4x0r for this, bear in mind that password cracking tools are widely available on the Internet, the complete database is circulating widely and can be found via Google, and running JtR is not hard at all. No uber-skills required.

1 comment:

Francis Turner said...

If I'm in the gawker list my password for it will be password.

My password for any site that insists on an email and password to let me in but which doesn't require anything beyond that which is easy to lie about or publicly available (or both) is password.

If someone hacks my gawker (or other similar) account and posts spammy blog comments using it I don't see any downside to me. Nor do I see any reason why I should care that someone can guess that if my password to gawker is password then it may well be the same on numerous other sites.

If/when I need to enter serious identifying information and/or credit card details then I use rather more secure ones.