Skip Links

Gawker hack analysis reveals incredibly weak passwords

Brute-force work by Michigan firm decrypts 200,000 Gawker account passwords in under an hour

By Gregg Keizer, Computerworld
December 14, 2010 07:21 AM ET

Computerworld - The most popular password among nearly 400,000 exposed by the Gawker hack was "12345," according to an analysis done by a security firm.

Also read: What to do if your Gawker password was violated

In second place was the word "password" itself.

The most common passwords were uncovered by Duo Security , an Ann Arbor, Mich.-based two-factor authentication provider, after running John the Ripper (JtR), a password hash cracking tool, on the list of Gawker user passwords posted on the Web over the weekend.

On Sunday, Gawker, which operates several popular technology sites, including Gizmodo and Lifehacker, confirmed that its servers had been hacked , and that hundreds of thousands of registered users' e-mail addresses, usernames and passwords had been accessed. A group calling itself "Gnosis" claimed credit for the attack, and said it had pilfered more than 1.3 million accounts.

The top 25 passwords as ranked by Duo ranged from the absurdly easy-to-guess to the unintentionally hilarious, with "12345678" in third place, "monkey" in seventh, "letmein" in tenth, and "trustno1" -- a reference to the "Trust No One" expression popularized by the TV series "The X-Files" -- in thirteenth.

Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen from Gawker with an eight-core Xeon-powered system, cracking the first 200,000 in under an hour.

That didn't come as a surprise to HD Moore, chief security officer at Rapid7.

"The DES crypt hash can be broken with ridiculous ease," said Moore in an e-mail reply to questions late Monday about the strength of the encryption used by Gawker to safeguard its users' passwords. "John the Ripper, along with most other tools, are well-equipped to brute-force these."

Moore pointed out that the 56-bit DES (Data Encryption Standard) encryption used by Gawker had been broken more than a decade ago, when the Deep Crack machine built by the Electronic Frontier Foundation (EFF) won a 1998 contest sponsored by RSA after breaking a DES key in just 56 hours. Six months later, EFF and distributed.net collaborated to lower that time to just over 22 hours.

"These days, [graphics processor unit]-based cracking makes this even easier," noted Moore.

Duo Security uncovered other interesting tidbits during its analysis, including the fact that nearly all of the cracked passwords -- 99.45% -- were composed of alphanumeric characters only, and did not contain any special characters or symbols.

Users are often urged to use special characters, such as the % or & symbols, and some enterprises require their employees to use the characters in self-set passwords.

Duo's analysis mirrored one done nearly two years ago by Imperva on a cache of 32 million unencrypted passwords disclosed after a hack of RockYou, a Facebook application developer.

Imperva noted that "123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou" ( download PDF ).

The ease with which Duo was able to decrypt hundreds of thousands of the leaked passwords lends credence to expectations that cybercriminals will do the same, then use the e-mail accounts, usernames and passwords to try to hack other accounts owned by the affected individuals.

Originally published on www.computerworld.com. Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News