Tuesday, July 19, 2011

Choosing a bad password, the Rebekah Wade way.

Overnight the LulzSec folks announced that they had hacked into News International and defaced The Sun's web site with a story claiming that Rupert Murdoch was dead.

Twitter user and LulzSec member AnonymouSabu also announced that they had access to usernames and passwords and posted a couple, including one belonging to Rebekah Wade. The tweet shows the password hash, says that the salt used is the username 'rebekah', and gives her password as 63000.

First, it's easy to verify that the password hashing scheme is md5(username . password), i.e. the MD5 of the username concatenated with the password:

$ echo -n "rebekah63000" | md5sum
62dd0bd92bf4fafae73c531ee5108c77  -
That's a simple and not uncommon scheme. Prepending the username acts as a per-user salt, so a single precomputed table won't crack every account at once, but the salt is public and MD5 is so cheap to compute that, if they've got the complete password file, each hash can be attacked very, very fast using something like John the Ripper.
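To make the two points above concrete, here is an added example (my own script, not code from the original post) that reproduces the md5sum check in Python and then recovers the password from the hash alone by exhausting every all-digit password of up to five characters. The digit keyspace and the second username "alice" are constructed for illustration; the username, hash and password are the ones quoted above.

```python
import hashlib
import itertools
import string
import time

# Values quoted in the post: the username is the "salt", the password turned out
# to be 63000, and the leaked hash is the one shown above.
USERNAME = "rebekah"
LEAKED_HASH = "62dd0bd92bf4fafae73c531ee5108c77"


def sun_hash(username: str, password: str) -> str:
    """The scheme the post identifies: md5(username . password), hex-encoded."""
    return hashlib.md5((username + password).encode("utf-8")).hexdigest()


def digit_candidates(max_len: int):
    """Every all-digit password of 1..max_len characters, shortest first.

    This is a constructed keyspace for the example; a real cracking run would
    also feed in wordlists, dates, phone numbers and so on.
    """
    for length in range(1, max_len + 1):
        for digits in itertools.product(string.digits, repeat=length):
            yield "".join(digits)


def crack(username: str, target_hash: str, candidates):
    """Brute-force one user's hash. Returns (password, attempts) or (None, attempts).

    Because the salt is just the username, nothing here is secret: an attacker
    holding the password file knows the salt for every account.
    """
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if sun_hash(username, candidate) == target_hash:
            return candidate, attempts
    return None, attempts


def hashes_per_second(username: str, seconds: float = 0.25) -> float:
    """Rough single-core rate for this scheme in plain Python. A GPU cracker is
    orders of magnitude faster; this only shows that even the slow path is quick."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        sun_hash(username, str(count))
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # 1. Confirm the scheme against the leaked hash, as the post does with md5sum.
    print("scheme matches leak:", sun_hash(USERNAME, "63000") == LEAKED_HASH)

    # 2. Recover the password from the hash alone by exhausting 1..5 digit PINs.
    found, tries = crack(USERNAME, LEAKED_HASH, digit_candidates(5))
    print(f"recovered {found!r} after {tries} candidates")

    # 3. The username "salt" changes the hash per user, so one precomputed table
    #    cannot cover everyone, but it does nothing to slow per-user brute force.
    other = "alice"  # hypothetical second account for illustration
    print("same password, different hash:", sun_hash(other, "63000") != LEAKED_HASH)
    print(f"~{hashes_per_second(USERNAME):,.0f} MD5(salt.password)/s in pure Python")
```

The whole five-digit keyspace is 111,110 candidates, which a single core gets through in well under a second even in interpreted Python; in hashcat terms the scheme is mode 20, md5($salt.$pass), with the username supplied as the salt, and a GPU would exhaust far larger keyspaces in the same time.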

But even more interesting is the fact that her password was 63000. At first I wondered if it might be a randomly generated default password, or something interesting on a phone keyboard, or something interesting in hex, but it's much worse than that.

63000 is the phone number of The Sun's tip line.

So, that looks like a textbook case of how not to pick a password. It looks like the editor of The Sun picked a short (five-character) password that consisted entirely of digits and was a number with great personal significance: a public phone number associated with her paper.


PS Of course, it's possible that she didn't pick the password and that someone set it for her. But whether it was her or an administrator, it's a stunningly bad password if this release by LulzSec is real.


Matthew Fedak said...

Hilarious, she has same password as me!
