Monday, December 13, 2010

Many of the Gawker passwords are easily cracked

This morning the hack of Gawker Media (including sites like LifeHacker and Gizmodo) is big news, and I grabbed the torrent to make sure that no one in my office had been compromised. Happily, none of my office's email addresses were in that file.

But there were email addresses of people I know. I did a quick check by downloading all my email contacts as a CSV and then doing a grep.
$ cut -d, -f 15 contacts.csv | xargs -I % grep % real_release/database/full_db.log | wc -l

So, 17 people I know were in the list. The passwords are stored as DES hashes, which John the Ripper attacks quite readily, so I set it to work on the entries for the people I know. (At the same time I emailed them all to let them know.)

Within seconds I had the passwords of 3 of the 17 (including the password of one well-known tech personality and one person who was using the password 'password') and within a few minutes another two. I didn't keep a record of the passwords.

If you use any of the Gawker sites change your password; if you use the same password on a different site: STOP NOW (and change all your passwords to something different).

PS I'd stay away from the Gawker sites for a while. The entire source code was compromised, so I expect hackers will already be reading the code looking for vulnerabilities, and additional hacks may occur in the coming days.

As part of the hack a long list of compromised accounts was distributed. The top 15 cracked passwords, with the number of accounts using each, are:
3057 123456
1955 password
1119 12345678
661 lifehack
418 qwerty
333 abc123
311 111111
300 monkey
273 consumer
253 12345
247 letmein
241 trustno1
233 dragon
213 baseball
208 superman

Please don't use simple passwords like this! Use a password manager like KeePass and generate random passwords for each site.

1 comment:

Pádraig Brady said...

I got a helpful email from someone who joined the Linux kernel commit logs and the compromised list.

I also notice that my twitter a/c has invalidated my (unique) password.
I wonder did they do that as a precaution?

BTW, your command runs grep over the full_db for each of your contacts. A more scalable approach would be something like:

cut -d, -f 15 contacts.csv | grep -F -f- full_db.log | wc -l


{ cut -d, -f 15 contacts.csv; cut ... full_db.log; } | sort | uniq -d
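The contact cross-check from the post and the single-pass variants from the comment, written out as an added example that is not code from the original post or the comment. The contacts CSV, the leak file's "email,username,hash" layout and its placeholder hash column are all constructed here. It goes a little beyond both: it computes an exact intersection of the two address sets (so a duplicate leaked row or a near-miss address cannot inflate the count) and shows why a contact with an empty address field breaks the one-pass grep.

```shell
#!/bin/sh
# Added example, not code from the original post or its comment.
# Cross-checks a contacts export against a leaked account list in one pass
# and reports exactly which addresses matched, so their owners can be warned.
# Every file, address and "hash" below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed contacts export: the address is in column 15, matching the
# post's "cut -d, -f 15". The third row has no address, which matters below.
cat > "$WORK/contacts.csv" <<'EOF'
1,2,3,4,5,6,7,8,9,10,11,12,13,14,alice@example.com
1,2,3,4,5,6,7,8,9,10,11,12,13,14,Bob@Example.org
1,2,3,4,5,6,7,8,9,10,11,12,13,14,
1,2,3,4,5,6,7,8,9,10,11,12,13,14,carol@example.net
EOF

# Constructed leak dump, layout assumed as "email,username,hash". The hash
# column is a placeholder string, not a real digest. Note the near-miss
# "notalice@example.com" and the duplicate row for bob.
cat > "$WORK/leak.txt" <<'EOF'
alice@example.com,alice1,PLACEHOLDER_HASH_1
notalice@example.com,eve,PLACEHOLDER_HASH_2
bob@example.org,bobby,PLACEHOLDER_HASH_3
bob@example.org,bobby2,PLACEHOLDER_HASH_4
dave@example.com,dave,PLACEHOLDER_HASH_5
EOF

# Extract one column of addresses, lower-case them, drop blank lines and
# sort uniquely. Dropping blanks is essential: an empty pattern handed to
# grep -F matches every line, so a single contact without an address would
# report the whole leak as a hit.
addresses() {  # $1 = file, $2 = column number
    cut -d, -f"$2" "$1" | tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u
}

# Exact intersection of the two address sets: the "sort | uniq -d" idea from
# the comment, done with comm so that duplicate rows inside one file cannot
# masquerade as matches. Prints one matched address per line.
matched_contacts() {  # $1 = contacts csv, $2 = leak file
    addresses "$1" 15 > "$WORK/mine.txt"
    addresses "$2" 1 > "$WORK/theirs.txt"
    comm -12 "$WORK/mine.txt" "$WORK/theirs.txt"
}

# One-pass grep from the comment, with blanks already filtered out. Fast,
# but it counts leaked rows rather than contacts and matches substrings,
# so it over-counts: bob's two rows plus "alice" inside "notalice".
grep_rows_matched() {  # $1 = contacts csv, $2 = leak file
    addresses "$1" 15 > "$WORK/mine.txt"
    grep -F -i -f "$WORK/mine.txt" "$2" | wc -l | tr -d ' '
}

# The comment's one-liner exactly as written, with no blank-line filtering.
# The empty address in row 3 becomes an empty pattern, which matches every
# leaked row, so the count is the size of the whole leak.
naive_rows_matched() {  # $1 = contacts csv, $2 = leak file
    cut -d, -f 15 "$1" | grep -F -f - "$2" | wc -l | tr -d ' '
}

echo "Contacts found in the leak:"
matched_contacts "$WORK/contacts.csv" "$WORK/leak.txt"
echo "Leaked rows matched by one-pass grep: $(grep_rows_matched "$WORK/contacts.csv" "$WORK/leak.txt")"
echo "Leaked rows matched with blanks unfiltered: $(naive_rows_matched "$WORK/contacts.csv" "$WORK/leak.txt")"
```

On the constructed data the exact intersection names two contacts (alice and bob), the filtered one-pass grep reports four leaked rows, and the unfiltered one-liner reports all five because of the empty pattern. The per-contact xargs loop from the post gives the same answers as the filtered grep but runs one grep over the dump per contact; the intersection approach reads each file once and is the form to use on a large dump.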