UPDATE 1: We've updated our analysis with approximately 200k additional cracked passwords.
UPDATE 2: We've launched a site that allows you to easily check if your username or email address was included in the Gawker password dump:http://didigetgawkered.com
UPDATE 3: Due to popular demand, we've posted the top 250 most common cracked passwords.
If you haven't heard yet, the Gawker Media network, which includes popular websites such as Lifehacker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku, Deadspin, Fleshbot, and of course Gawker, was compromised yesterday. The hacker group Gnosis posted a torrent containing a full dump of Gawker's source code as well as the entire user database consisting of ~1.3 million usernames, email addresses, and DES-based crypt(3) password hashes. While this dump is not nearly on the scale of the RockYou incident, it is certainly a serious exposure.
As a two-factor authentication provider, situations like the Gawker hack are key illustrations of why strong auth is a necessity. While users may not care about an attacker having access to their Gawker account, the danger of password sharing across websites and services poses a much bigger threat. Services that lack a strong secondary authentication and host users who are sharing passwords (which, let's be honest, most users probably do) face the greatest risk. Attackers will undoubtedly be testing the cracked passwords against both personal and corporate services such as email accounts, online banking sites, VPN remote access logins.
As it's not very often that we get a glimpse into the human psychology of password selection, let's dig deeper into the password dump!
John the Ripper
The defacto tool for cracking password hashes is John the Ripper (also known as JtR), written by Solar Designer. If possible, I'd highly recommend using the available patches for JtR, allowing the parallelization of the cracking process using OpenMP. I ran our cracking session on a 8-core Xeon box:
b0x ~ # uname -a Linux b0x 2.6.36-gentoo Sat Dec 4 20:11:03 EST 2010 x86_64 Intel(R) Xeon(R) CPU X5460 @ 3.16GHz GenuineIntel GNU/Linux
This puppy can crank out a decent number of cracks/second:
b0x ~ # john -test Benchmarking: Traditional DES [128/128 BS SSE2-16]... DONE Many salts: 20465K c/s real, 2562K c/s virtual Only one salt: 16003K c/s real, 1999K c/s virtual
I'd also recommend using a comprehensive wordlist to assist in the cracking process. I compiled a wordlist of ~1.9M entries from a number of different sources (including datasets from Openwall and Skull Security):
b0x ~ # wc -l wordlist.txt 18966068 wordlist.txt
Before getting started, we filtered the ~1.3M entires in the database dump down to ~748k crackable password hashes:
Loaded 748039 password hashes with 3844 different salts (Traditional DES [128/128 BS SSE2-16])
In just under an hour of cracking on a single 8-core machine, we had successfully cracked 190k passwords. Allowing JtR to continue to run yielded an additional 200k cracked passwords, resulting in a total of almost 400k cracked passwords representing over 50% of the total password hashes:
b0x ~ # wc -l output.txt 399380 output.txt
As with any password dump, one of the most interesting outcomes is the most popular/common passwords chosen by users. The top 25 most common passwords from our cracking results were:
2516 123456 2188 password 1205 12345678 696 qwerty 498 abc123 459 12345 441 monkey 413 111111 385 consumer 376 letmein 351 1234 318 dragon 307 trustno1 303 baseball 302 gizmodo 300 whatever 297 superman 276 1234567 266 sunshine 266 iloveyou 262 fuckyou 256 starwars 255 shadow 241 princess 234 cheese
The vast majority (99.45%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols:
b0x ~ # cat pws.txt | egrep "^[a-zA-Z0-9]+$" | wc -l 397198
Of the passwords that were alphanumeric, about 61% were composed of strictly lowercase alphabetic characters, 9% were strictly numeric, less than 1% were strictly uppercase alphabetic characters, and the rest were mixed alphanumeric:
b0x ~ # cat pws.txt | egrep "^[a-z]+$" | wc -l 241208 b0x ~ # cat pws.txt | egrep "^[0-9]+$" | wc -l 34703 b0x ~ # cat pws.txt | egrep "^[A-Z]+$" | wc -l 2868
One interesting property of the dataset is that there are a large number of unique passwords. There are a total of 202k unique passwords in the set of 400k cracked passwords. Of those unique passwords, approximately 155k (77%) are used by only a single user (eg. they've selected a password that no one else has). Similarly, 24k (12%) are passwords that are shared by only two users and 8k (4%) are shared by only three users. The occurrence of unique passwords observed here will surely decrease as the more passwords are cracked by JtR and the odds of collisions between users increases.
Besides the cracked passwords, we can also take a look at the email addresses contained in the database dump. The top 25 most common email domains are as follows:
173942 gmail.com 101959 yahoo.com 72847 hotmail.com 20551 aol.com 8106 comcast.net 6078 msn.com 5835 mac.com 4341 sbcglobal.net 3397 hotmail.co.uk 2531 verizon.net 2204 cox.net 2174 live.com 2113 yahoo.co.uk 2050 earthlink.net 1939 yahoo.co.in 1851 aim.com 1626 mail.ru 1619 bellsouth.net 1490 googlemail.com 1045 charter.net 995 optonline.net 990 yahoo.ca 892 me.com 888 rediffmail.com 806 att.net
Perhaps more interesting are some of the accounts that belong to government officials with domains ending in .gov. The following is some of the .gov accounts contained in the Gawker dump and the number of occurrences of each domain:
15 nasa.gov 9 va.gov 9 mail.house.gov 7 usps.gov 7 irs.gov 7 cdc.gov 6 ssa.gov 6 dhs.gov 5 michigan.gov 5 mail.nih.gov 4 usdoj.gov 4 panynj.gov 4 edd.ca.gov 4 boe.ca.gov 4 bls.gov 3 ky.gov 3 fnal.gov 3 ed.gov 3 dol.gov 3 dc.gov 3 cabq.gov 2 wisconsin.gov 2 whitehouse.gov 2 utah.gov 2 state.gov
We'll be continuing to update this post with more statistics and analysis as the results come in!
If you're an end user and think you may have registered an account with Gawker or one of its affiliated sites, be sure to change your passwords on any sites that may have the same or similar password as your Gawker account. In general, incidents like these are a good time to revisit your existing password schemes and ensure you are protecting your online accounts adequately.
If you're an administrator who runs a website or service where your users are logging in with only a password, now is the time to beef up your security with some strong two-factor authentication. If your users happen to be sharing a password contained in the Gawker dump, their accounts could be at risk. Feel free to drop us a line at Duo to learn how easy it is to integrate two-factor authentication into your website, server, or remote access VPN!