Many of the Gawker passwords are easily cracked
This morning the hack of Gawker Media (including sites like LifeHacker and Gizmodo) is big news and I grabbed the torrent to make sure that no one in my office had been compromised. Happily there were no causata.com email addresses in that file.
But there were email addresses of people I know. I did a quick check by downloading all my email contacts as a CSV and then doing a grep.
$ cut -d, -f 15 contacts.csv | xargs -I % grep % real_release/database/full_db.log | wc -l
17
So, 17 people I know were in the list. The algorithm used to store the passwords is a DES hash which is quite readily attackable using John The Ripper. So I set it to work on the people I know. (At the same time I emailed them all to tell them).
Within seconds I had the passwords of 3 of the 17 (including the password of one well-known tech personality and one person who was using the password 'password') and within a few minutes another two. I didn't keep a record of the passwords.
If you use any of the Gawker sites change your password; if you use the same password on a different site: STOP NOW (and change all your passwords to something different).
PS I'd stay away from the Gawker sites for a while. The entire source code was compromised, so I expect hackers will already be reading the code looking for vulnerabilities, and additional hacks may occur in the coming days.
As part of a hack a long list of compromised accounts was distributed. The top 15 passwords cracked are:
Count  Password
 3057  123456
 1955  password
 1119  12345678
  661  lifehack
  418  qwerty
  333  abc123
  311  111111
  300  monkey
  273  consumer
  253  12345
  247  letmein
  241  trustno1
  233  dragon
  213  baseball
  208  superman
Please don't use simple passwords like this! Use a password manager like KeePass and generate random passwords for each site.
1 Comment:
I got a helpful email from someone who joined the Linux kernel commit logs and the compromised list.
I also notice that my twitter a/c has invalidated my (unique) password.
I wonder did they do that as a precaution?
BTW, your command runs grep over the full_db for each of your contacts. A more scalable approach would be something like:
cut -d, -f 15 contacts.csv | grep -F -f- full_db.log | wc -l
or
{ cut -d, -f 15 contacts.csv; cut ... full_db.log; } | sort | uniq -d
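The check the post runs with cut, xargs and grep, and the set-based pipeline the comment suggests, as an added shell example (this is not the author's or the commenter's code). It works on constructed sample files: a contacts.csv with the address in field 15 as in the post, and a dump whose lines are assumed to start with the e-mail address followed by a colon (the real dump's layout is not shown on the page). It shows why one grep per contact gives a skewed count (unanchored substring matches, case-sensitive comparison, duplicate dump rows) and computes the exact intersection of the two address sets instead.

```shell
#!/bin/sh
# Added example, not the blog's or the commenter's own code.
# Assumptions: contacts.csv carries the e-mail address in field 15 (as in the post)
# and every dump line starts with "email:" (constructed; the real layout is not shown).

# Write constructed sample files into a fresh directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    # 14 empty fields in front, so the address lands in field 15 for "cut -f 15".
    pad=$(printf ',%.0s' 1 2 3 4 5 6 7 8 9 10 11 12 13 14)
    cat > "$dir/contacts.csv" <<EOF
${pad}alice@example.com
${pad}ann@example.com
${pad}Bob@Example.org
${pad}carol@example.net
EOF
    # Constructed dump: alice appears twice, joann is a superstring of ann,
    # bob is stored in lower case; the hashes are placeholders.
    cat > "$dir/full_db.log" <<'EOF'
alice@example.com:FAKEHASH00001
alice@example.com:FAKEHASH00002
joann@example.com:FAKEHASH00003
ann@example.com:FAKEHASH00004
bob@example.org:FAKEHASH00005
erin@example.com:FAKEHASH00006
EOF
    printf '%s\n' "$dir"
}

# The post's approach: one grep per contact, counting matching dump lines.
# The pattern is an unanchored regex ("." matches anything), the comparison is
# case-sensitive, and every duplicate row is counted again.
count_naive() {
    cut -d, -f 15 "$1" | xargs -I % grep % "$2" | wc -l | tr -d ' '
}

# Normalised address lists: lower-cased, blank entries dropped, sorted, unique.
contact_emails() {
    cut -d, -f 15 "$1" | tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u
}
dump_emails() {
    cut -d: -f 1 "$1" | tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u
}

# Set intersection in the commenter's style: concatenate the two unique lists
# and keep the entries that occur twice, i.e. in both files. One line per contact.
matched_contacts() {
    { contact_emails "$1"; dump_emails "$2"; } | sort | uniq -d
}
count_exact() {
    matched_contacts "$1" "$2" | wc -l | tr -d ' '
}

dir=$(make_samples)
echo "naive line count:          $(count_naive "$dir/contacts.csv" "$dir/full_db.log")"
echo "contacts actually present: $(count_exact "$dir/contacts.csv" "$dir/full_db.log")"
matched_contacts "$dir/contacts.csv" "$dir/full_db.log"
rm -r "$dir"
```

On the sample data the per-contact grep reports 4 lines while only 3 contacts are actually present (alice, ann and bob): alice is counted twice, "ann@example.com" also hits "joann@example.com", and "Bob@Example.org" is missed entirely because grep compares case-sensitively. `cut -d,` is the post's own field splitting and breaks on exported contact names that contain a quoted comma, so for a real address-book export parse the CSV properly before feeding the normalised column into the same intersection.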