Thursday, December 23, 2010

What I learnt from the Gawker hack

Over the years I've gradually increased my online security through better passwords, using SSH, VPNs and SSL, always having up-to-date anti-virus, using up-to-date software, not using strange computers, typing random junk into 'security questions', etc. Even with all that, I'm paranoid about online security.

But what I've learnt from the Gawker hack and from breaking people's passwords is that lots of people aren't. In fact, even well-known people who should know better pick bad passwords. A lot of the passwords I've seen are so poor that hackers are likely to be able to break the passwords of well-known people just by guessing. It's no wonder that people like Sarah Palin get hacked.

For example, I looked at the passwords of journalists (senior editors or high-profile technology writers). Many of these were single words, all in lowercase. Others used the name of the publication they were writing for or the name of a family member.

This sort of poor security means that hacks like the Gawker one are completely unnecessary. Hackers can just sit back and guess a password based on a little research.

In other cases, the passwords were just a single English word written in lowercase. To defend against people guessing those words, many sites block further logins after too many wrong passwords. But there's a flaw in that: since many people use the same password across multiple sites, a smart hacker can spread the guesses across different sites and fly below the radar of every one of them.

For example, there are users who had the same password on Gawker, Twitter, Facebook, etc. Suppose your target's password is in the top 3,000 words in English (with words longer than 8 or shorter than 6 characters removed). Now suppose you know they have accounts on 6 sites. Picking randomly from the list, you'd expect to get their password in 1,500 guesses, or 250 per site.

If you allowed yourself three guesses per site per day, it would take 80 days to crack their password. Of course, the more sites the person uses the same password on, the quicker it's crackable. And any site that allows many guesses would make the process even quicker.
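As an added illustration (not code from the original post), the script below does two things: it flags the weak-password patterns described above (a single lowercase word, a common dictionary word, the publication or a family member's name), and it works through the arithmetic of guessing a reused password across several rate-limited sites, generalised to any dictionary size, number of sites and per-site daily limit. The word list, site names and sample passwords are constructed stand-ins; a real audit would load a full common-word or breached-password list.

```python
"""Added example, not part of the original post: a checker for the
weak-password patterns the post describes, plus the arithmetic for how
fast a password reused across rate-limited sites falls to guessing.
COMMON_WORDS and all sample inputs are constructed stand-ins."""
import math
import re

# Constructed stand-in for "the top 3,000 words in English"; only the size
# of the real list matters for the arithmetic below.
COMMON_WORDS = {
    "password", "letmein", "welcome", "monkey", "dragon",
    "sunshine", "freedom", "football", "shadow", "master",
}


def filter_words(words, min_len=6, max_len=8):
    """The post's scrub: keep only words of 6 to 8 characters."""
    return [w for w in words if min_len <= len(w) <= max_len]


def weakness_reasons(password, context_words=()):
    """Reasons a password would fall to the guessing strategies in the post.
    context_words are things a quick search reveals (publication name,
    family members). An empty list means none of the patterns matched."""
    reasons = []
    low = password.lower()
    if low in COMMON_WORDS:
        reasons.append("in common-word list")
    if re.fullmatch(r"[a-z]+", password):
        reasons.append("single lowercase word")
    for word in context_words:
        if word.lower() in low:
            reasons.append(f"contains guessable context word {word!r}")
    return reasons


def expected_guesses(dictionary_size):
    """Expected guesses to hit one word when guessing uniformly at random
    without replacement: (D + 1) / 2. The post rounds 3,000 words to 1,500."""
    return (dictionary_size + 1) / 2


def days_to_crack(dictionary_size, sites, guesses_per_site_per_day):
    """Days until the expected number of guesses has been spent, when the
    same password is reused on `sites` sites that each allow
    `guesses_per_site_per_day` attempts before locking out."""
    per_day = sites * guesses_per_site_per_day
    return math.ceil(expected_guesses(dictionary_size) / per_day)


if __name__ == "__main__":
    # Constructed sample passwords; "Gawker" stands in for a publication name.
    print(weakness_reasons("gawker", context_words=["Gawker"]))
    print(weakness_reasons("sunshine"))
    print(weakness_reasons("Tr0ub4dor&3"))
    # The post's scenario: 3,000 words, 6 sites, 3 guesses per site per day.
    print(days_to_crack(3000, sites=6, guesses_per_site_per_day=3))    # 84 (post rounds to 80)
    # Unique password per site: the attacker is confined to one site.
    print(days_to_crack(3000, sites=1, guesses_per_site_per_day=3))    # 501
    # One site allowing 100 attempts a day undoes most of the lockout's value.
    print(days_to_crack(3000, sites=1, guesses_per_site_per_day=100))  # 16
```

The `days_to_crack` figures show why both halves of the post's advice matter: a unique password per site removes the parallelism (one site at three guesses a day takes over a year), while a single lax site with a generous limit brings the time back down regardless of how strict the others are.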

That's yet another reason to use different passwords, and don't use something that a hacker can find out with a simple Google search.

1 comment:

WoJ said...

That's yet another reason to use different passwords, and don't use something that a hacker can find out with a simple Google search.

... enters! :)

I do not have any affiliation with but it is so good and features so many goodies that it should be checked out by anyone even slightly concerned about online security.

There are other products which are fine (notably KeePass) but my personal opinion is that LastPass just rocks.