## Tuesday, July 19, 2011

Overnight the LulzSec folks announced that they had hacked into News International and defaced The Sun's web site with a story claiming that Rupert Murdoch was dead.

```
$ echo -n "rebekah63000" | md5sum
62dd0bd92bf4fafae73c531ee5108c77  -
```

That's a simple and not uncommon scheme, but the use of MD5 means that if they've got the complete password file they'll be able to attack the passwords very, very fast using something like John the Ripper.

But even more interesting is the fact that her password was 63000. At first I wondered if it might be a randomly generated default password, or something interesting on a phone keyboard, or something interesting in hex, but it's much worse than that.

63000 is the phone number of The Sun's tip line.

So, that looks like a textbook case of how not to pick a password. It looks like the editor of The Sun picked a short (five-character) password that consisted entirely of numbers and was a number with great personal significance: a public phone number associated with her paper.

Oops.

PS Of course, it's possible that she didn't pick the password and that someone set it for her. But whether it was her or an administrator, it's a stunningly bad password if this release by LulzSec is real.
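The two problems described above, a five-digit password equal to a public phone number and an MD5 over `rebekah63000`, can both be addressed when a password is set. The following is an added example, not code from the original post: the function names, the 12-character minimum, the `org_values` deny list and the scrypt parameters are all assumptions chosen for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

MIN_LENGTH = 12  # assumed policy value for this example

def keyspace(password: str) -> int:
    """Upper bound on guesses if the attacker knows which character classes were used."""
    alphabet = 0
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    return alphabet ** len(password)

def check_password(password: str, username: str, org_values: set[str]) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.isdigit():
        reasons.append("digits only")
    if username and username.lower() in lowered:
        reasons.append("contains username")
    if any(v and v.lower() in lowered for v in org_values):
        reasons.append("contains organization-related value")
    return reasons

def store_password(password: str) -> tuple[bytes, bytes]:
    """Random per-user salt and a memory-hard KDF instead of MD5 over username + password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    # Constructed policy input: the tip-line number is the public value named in the post.
    print(check_password("63000", "rebekah", {"63000"}))
    print(keyspace("63000"))
```

A deny list like `org_values` only helps if it is populated with the numbers, names and addresses the organization publishes about itself.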

Matthew Fedak said...

Hilarious, she has same password as me!

...oops

11:25 AM
