Mine is not there, but how can assert that there are reasonable chances that it did not get cracked.
I don't want to get paranoïd and I see no point in changing my password to minor services unless there is a really good chance that it got compromized.
The "strong" versus "weak" message that some password checking services provide tells me nothing very usefull because what is weak when you focus a cluster of CPU for a week on may be "strong" for those who use the Gawker leak and don't have (I guess) such ressources.
Well those gauges are set by whomever sets them up, but they're almost always based on the same basic idea. Passwords that are mixed case, more than 8 characters and include non dictionary words, symbols and numbers are always going to be stronger than those who have only some of these. That is because that a majority of password attacks use either dictionaries (ala John the Ripper), which build multi-million word entries based on common phrases and misspellings of those words, or rainbow tables, which are themselves generally created with the same dictionaries, and have the resulting hash compared against the existing hash o the unknown password.
As noted many times before, one of the biggest issues of the gawker passwords leak is that they were using des encryption. This truncated all passwords to 8 characters, which made it even easier to brute force the passwords, as
exampleexample123 and examplee are treated exactly the same.
Thank you both for your answers! I wasnt being sarcastic at all, my poor brain didn't seem prepare to spot a Fibonacci sequence in a list of "Top Gawker passwords" .
My favourite thing about this is how those 70 users must have been feeling quite smug and superior about how they chose their password, without realising 69 others had done exactly the same thing.
A little anecdote about feeling smug and superior: During that facebook meme last week where everyone was posting numbers and replying with a comment about whichever friend sent them said number, a friend posted the sequence. I called it out for what it was, and he replies "I figured of all people it'd be you who would catch that".
I felt pretty good after that. Why I can't tell you but I did.
It's like the people who think they're displaying their above-average understanding of probability by choosing 1, 2, 3, 4, 5, and 6 for their lottery numbers. It will be a very happy then a very sad day for a lot of people if those numbers ever hit!
They used to own consumerist.com and I guess these people chose the password consumerist and because the Gawker system silently truncates at 8 characters they got consumer.
> the Gawker system silently truncates at 8 characters they got consumer.
I had forgotten that part of the whole sorry story. Reminds me of the uni I attended, (Sussex) where not only were passwords truncated, there was in fact a max length policy of 8 chars. This was across their entire campus network, and all intranet apps. Yeah, my degree ain't worth much.
My university had the same max length policy. The reason is that a few ancient legacy systems couldn't handle longer passwords and they wanted to make sure that your password could be used on all systems.
My instinct in this scenario would be to use Bcrypt on the new systems, and then try and find some other hash function that came out to 8 chars for use on the legacy systems.
Can anyone with more experience point out whether I am in any way on the right track here?
EDIT: hmmm, the storage of the passwords as 8-char weak hashes would render the more secure hash function used on the modern systems irrelevant. Maybe use the output of the strong hash as the input of the weak hash? Would this be secure?
Truncation to 8 characters is an entropy killer; limiting the range of characters by using the truncated strong hash as the input will reduce it further. In a weak system, you're more likely to find a collision that will effectively substitute for the original password. For two such systems to coexist, you'd need to enforce the use of passwords greater than 8 characters to prevent a crack on the weak system from working on the stronger one.
Surely that wouldn't be misunderstanding the purpose though; things can have multiple purposes, I.E. the wolf skin can make you warm and also be symbolic, each are equally important in the human's mind.
I'm supposing that these are already in libcrack. Anyone know for certain?
Anyone have experiences integrating libcrack into their web app? I hesitate to integrate it because it would cause potential clients to quit the signup.
Alternatively, I think this list would be invaluable as a smaller blacklist. Thanks!
IIRC, libcrack will happily use any wordlist you give it. I presume the default wordlist includes "password", yes.
As to integrating libcrack in your signup process: if an account at your site isn't actually important, I'm sad to say that you probably shouldn't bother. People who reuse passwords are, sadly, at much more risk from the other sites (if you're even aware of libcrack, you're well ahead of the curve); and a password like 'password' isn't all that bad for something as value-less as gawker.
I think more than four thousand people are not dumb enough to set '123456' or 'password' as their password. I assume that a good percentage of that would for throwaway accounts and the users would be aware of the implications.
If i want to post a comment on a lifehacker blog post, there is a decent chance that i give some random string and 123456 as the username and password. This is the case when i know that i won't be using it again. True that an email is associated with the login credentials but still this might be true for many of those passwords.
I'm not sure people don't do that. Certainly, gawker isn't very valuable, but e.g. Myspace data (analysed at e.g. http://www.schneier.com/essay-144.html, money quote: "The most common password, 'password1,' was used in 0.22 percent of all accounts". I'm sure you can find the original file if you look hard enough) suggests that weak passwords are still quite common at presumably-valuable sites.
Yup, I think one of those "password"s is mine. I truly couldn't care less about the security of my Gawker account. If they eliminated the password field entirely and just let people type whatever username they want, it'd be fine with me.
Why would anyone put a limit -- especially such a short one -- on password length? Please don't tell me it's because they want to store them as char(8).
The DES hashing function that Gawker used/uses has an 8 character limit, so even if you chose a longer password it would get truncated to 8 characters on the server.
This suggests that some users might have had very strong passwords ("butterflyzrfr33!") that were truncated into weak prefixes ("butterfl"). I'll need to rethink my approach to passphrases to make sure they're "frontloaded" with stronger combinations in the first few characters. Like most people, I'm sure, I tend to tag these on to the end.
Is there an easy way for me to decrypt what password Gawker had for me? I was unable to login with my account for over a year, but I'd like to see what password they have on file for me so I know whether I need to change it elsewhere.
I realize asking this also is asking for an instruction manual for malice with whatever is decrypted. I just don't know how to determine how exposed my email address leaves me.
If you have the database dump from Gawker, you can search for either your associated Email address, or the username they had on record. Extract that line from the file, put it in a new text file and run John The Ripper[1] on it: "./john mypassword.txt". On consumer hardware, it may take a while, but you'll eventually get it. My 2 year old 2.00GHz iMac took about 36 hours to crack my password.
If you'd like, email me and I can try to retrieve your password hash based on your email address. My email is in my profile.
I saw this one and at first I thought it would be a good password. Then I realized the pattern on the keyboard. I was thinking the other day, would there be any need to make a password crack program that focused more on patterns on the keyboard instead of vocabulary. xlsow02 uses the ring finger on each hand to type out what should score a strong rating on most password checkers yet is a simple human pattern for easy memorization.
I did a brief freelance gig not too long ago for a company that used a single password for all CMS & site admin user accounts, as well as for the database server and the ftp login to the production server.
edit: Amusingly, lifehack was the only password in our top100 missing from the linked top250. Given more time I am assuming lifehack would have dropped out during Duo's crack as a popular password since it is 8 characters and lower case.
I´m more concerned with the fact that it only stores the first eight characters. Does anyone know if this is common? I often use very long password strings that begin with something simple... like I may use the first line of a song (e.g. myformerhopesarefledmyterrornowbegins). I figured that it was exponentially harder to crack a longer password so I never bothered with diverse characters and capitalization.
49 comments
[ 3.4 ms ] story [ 105 ms ] threadI don't want to get paranoïd and I see no point in changing my password to minor services unless there is a really good chance that it got compromized.
The "strong" versus "weak" message that some password checking services provide tells me nothing very usefull because what is weak when you focus a cluster of CPU for a week on may be "strong" for those who use the Gawker leak and don't have (I guess) such ressources.
by using different passwords in each site ?
you can't be sure, it's just a matter of time and desire, I have the time and resources, for instance, but no desire.
As noted many times before, one of the biggest issues of the gawker passwords leak is that they were using des encryption. This truncated all passwords to 8 characters, which made it even easier to brute force the passwords, as exampleexample123 and examplee are treated exactly the same.
I am curious is there a particular reason behind the fact that 70 people choosed that number for their password?
This number seems completely random to me so I dont understand the how and the why.
[1] http://en.wikipedia.org/wiki/Fibonacci_sequence
I felt pretty good after that. Why I can't tell you but I did.
If you still don't know, try searching for it on this wonderful resource: http://oeis.org/
Who self identifies with that horrible term so closely that they would use it as their password?
A lot more people than I thought evidently.
I had forgotten that part of the whole sorry story. Reminds me of the uni I attended, (Sussex) where not only were passwords truncated, there was in fact a max length policy of 8 chars. This was across their entire campus network, and all intranet apps. Yeah, my degree ain't worth much.
Can anyone with more experience point out whether I am in any way on the right track here?
EDIT: hmmm, the storage of the passwords as 8-char weak hashes would render the more secure hash function used on the modern systems irrelevant. Maybe use the output of the strong hash as the input of the weak hash? Would this be secure?
Thank god the safe best-practices are clear and simple in the majority of cases.
EDIT: in case anyone reading this is wondering, the safe best-practice is to USE BCRYPT.
http://codahale.com/how-to-safely-store-a-password/
Anyone have experiences integrating libcrack into their web app? I hesitate to integrate it because it would cause potential clients to quit the signup.
Alternatively, I think this list would be invaluable as a smaller blacklist. Thanks!
As to integrating libcrack in your signup process: if an account at your site isn't actually important, I'm sad to say that you probably shouldn't bother. People who reuse passwords are, sadly, at much more risk from the other sites (if you're even aware of libcrack, you're well ahead of the curve); and a password like 'password' isn't all that bad for something as value-less as gawker.
If i want to post a comment on a lifehacker blog post, there is a decent chance that i give some random string and 123456 as the username and password. This is the case when i know that i won't be using it again. True that an email is associated with the login credentials but still this might be true for many of those passwords.
Why would anyone put a limit -- especially such a short one -- on password length? Please don't tell me it's because they want to store them as char(8).
-"starwars": 256; "startrek": 88
-"sunshine" barely beat out "shadow" 266-255
-"trustno1": 307 was pretty surprising (it's a reference to the x-files)
-"superman": 297; "batman": 159; "spiderma": 108
I realize asking this also is asking for an instruction manual for malice with whatever is decrypted. I just don't know how to determine how exposed my email address leaves me.
If you'd like, email me and I can try to retrieve your password hash based on your email address. My email is in my profile.
I saw this one and at first I thought it would be a good password. Then I realized the pattern on the keyboard. I was thinking the other day, would there be any need to make a password crack program that focused more on patterns on the keyboard instead of vocabulary. xlsow02 uses the ring finger on each hand to type out what should score a strong rating on most password checkers yet is a simple human pattern for easy memorization.
It's one of the top 10 passwords on that list.
For instance, our #4 was lifehack with 861 results. We also came up with different counts.
It is probably worth comparing our methodologies and results: http://intrepidusgroup.com/insight/2010/12/gawker-des-crypt-... if you are interested in this.
edit: Amusingly, lifehack was the only password in our top100 missing from the linked top250. Given more time I am assuming lifehack would have dropped out during Duo's crack as a popular password since it is 8 characters and lower case.
Jeremy