by Daniel Peck, Research Scientist
Today any news or blog site that is remotely technical most likely has a blurb about the recent Gawker Media compromise. Most people are making a big deal out of the release of the password files, but honestly, there's not a lot to that part. These were clearly very low priority passwords for almost everyone using them. While there was probably some amount of password reuse between Gawker sites and the users' email addresses, the overlap is still relatively small.
But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:
3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567
~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.
855 of the passwords contained one of George Carlin's 7 Dirty Words.
930 contained Love.
And honestly, I'm a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.
The bigger story should be about how complete the compromise appears to be. All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart. Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven't unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks. All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.
So in light of recent events, now is as good of a time as any to share some good password advice:
1. Developers – Hash your passwords with a salt. It seems (though, I haven't verified this yet) that this database was simply DESing the passwords without any sort of salt derived from the username or similar. This is bad since it means the hashes can be looked up in a simple rainbow table, and that collisions are much easier to come by.
2. Users – Don't use easy-to-guess passwords (if your password is in the Gawker list, that's bad.) An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.” Then take the first letter from each word, like so – “TqbFjotlD”. Add in a number such as your age and you have a fairly strong password that's still easy for you to recall.
3. Users – Don't share passwords between sites. Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site. For example, the above password root could be “TqbFjotlD32@GM” for Gmail, “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.
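To make items 1 and 2 concrete, here is an added example (not code from the original post or from Gawker) that puts the weak scheme beside the recommended one: an unsalted fast digest, where every user with the same password gets the same hash and one lookup table cracks them all, versus a per-user random salt with a slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library, chosen here as an assumption; any modern password KDF would do), plus a registration check that rejects passwords from a breach list. The denylist is constructed from the top entries quoted above, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

# Constructed denylist: the most common passwords from the leaked list quoted above.
LEAKED_TOP = {
    "123456", "password", "12345678", "lifehack", "qwerty", "abc123",
    "111111", "monkey", "consumer", "12345", "letmein", "trustno1",
    "dragon", "baseball", "superman", "iloveyou", "1234567",
}

# Assumed work factor; tune so one derivation costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """The weak scheme: one fast digest, no salt. Two users with the same
    password get the same digest, so a precomputed table maps it straight back."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates: set[str]) -> dict[str, str]:
    """What a precomputed (rainbow-style) table amounts to for unsalted hashes:
    digest -> password for every candidate. Built once, reused against any dump."""
    return {unsalted_digest(p): p for p in candidates}


class StoredPassword(NamedTuple):
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str) -> StoredPassword:
    """The recommended scheme: fresh random salt per user plus a slow KDF.
    The salt is stored in the clear next to the digest; it need not be secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return StoredPassword(salt, digest, PBKDF2_ITERATIONS)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def is_denylisted(password: str) -> bool:
    """Item 2: refuse anything that appears in a public breach list (case-insensitive)."""
    return password.lower() in LEAKED_TOP


def register(password: str) -> StoredPassword:
    """Registration path: denylist check first, then salted slow hash for storage."""
    if is_denylisted(password):
        raise ValueError("password appears in a public breach list")
    return hash_password(password)


if __name__ == "__main__":
    table = build_lookup_table(LEAKED_TOP)
    # Unsalted: the table recovers the password from the digest immediately.
    print("unsalted lookup:", table.get(unsalted_digest("monkey")))
    # Salted: the same password stored twice yields two unrelated digests.
    a, b = hash_password("TqbFjotlD32@GK"), hash_password("TqbFjotlD32@GK")
    print("salted digests differ:", a.digest != b.digest)
    print("verify correct:", verify_password("TqbFjotlD32@GK", a))
```

The denylist check is deliberately case-insensitive so that "Password" is treated the same as "password"; a real deployment would load a much larger breach corpus rather than the seventeen entries embedded here.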
I'm sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.