
Gawker hack analysis reveals weak passwords

Gregg Keizer | Dec. 14, 2010
Brute-force work by Michigan firm decrypts 200,000 Gawker account passwords in under an hour

Duo's analysis mirrored one done nearly two years ago by Imperva on a cache of 32 million unencrypted passwords disclosed after a hack of RockYou, a Facebook application developer.

Imperva noted that "123456" was the most common password in the collection posted on the Web by hackers, followed by "12345," "123456789," "password" and "iloveyou."

The ease with which Duo was able to decrypt hundreds of thousands of the leaked passwords lends credence to expectations that cybercriminals will do the same, then use the e-mail accounts, usernames and passwords to try to hack other accounts owned by the affected individuals.

On Monday, Andrew Storms, director of security operations at nCircle Security, said it was a sure bet that hackers would utilize the Gawker information, because many people reuse the same password for most of their e-mail and online accounts.

Storms was commenting on the news that some e-mail addresses revealed in the Gawker hack belonged to employees of federal, state and local governments, and that hackers would use the information in targeted attacks to gain access to agency networks.

Duo provided a clearer idea of the scope of the threat to governments, pointing out that 15 of the accounts whose passwords it had cracked belonged to people working at NASA, nine were assigned to users employed by Congress, and six belonged to employees of the Department of Homeland Security.

Both Gawker and a host of security experts, including Moore, Storms and those at Duo, urged users whose Gawker accounts had been exposed to change their passwords for other sites or services if those passwords were the same or similar to the one associated with Gawker.

Moore provided Computerworld with steps users can take to determine whether their e-mail addresses were among those accessed in the Gawker hack. Since then, Duo Security has created a Web-based tool that users can run to see if they have been "Gawkered."
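As an added illustration, not code from the article, Duo or Imperva, here is a small defender-side script in the spirit of the analyses described above: it ranks the most common passwords in a leaked set, counts how many leaked addresses fall under a domain suffix such as ".gov", and flags which of an organization's own users appear in the dump so they can be told to reset any reused password. All records are constructed sample data.

```python
from collections import Counter

# Constructed sample of leaked (email, password) records; not real Gawker data.
LEAKED = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.org", "123456"),
    ("dave@nasa.gov", "iloveyou"),
    ("erin@mail.house.gov", "12345"),
    ("frank@example.net", "Tr0ub4dor&3"),
    ("grace@dhs.gov", "123456"),
]


def normalize(email):
    """Lower-case and trim an address so comparisons are case-insensitive."""
    return email.strip().lower()


def top_passwords(records, n=5):
    """Rank the most frequently used passwords, as Imperva did for the RockYou dump."""
    return Counter(pw for _, pw in records).most_common(n)


def accounts_by_domain_suffix(records, suffix):
    """Count leaked addresses whose domain ends with the given suffix (e.g. '.gov')."""
    return sum(1 for email, _ in records if normalize(email).endswith(suffix))


def exposed_users(records, our_users):
    """Return which of our own users' addresses appear in the dump (a 'Gawkered' check).

    Anyone listed here should be asked to change passwords on other services too,
    since the article's point is that people reuse the same password across sites.
    """
    leaked = {normalize(email) for email, _ in records}
    return sorted(normalize(u) for u in our_users if normalize(u) in leaked)


if __name__ == "__main__":
    # Constructed list of an organization's user accounts to check against the dump.
    ours = ["Alice@Example.com", "zed@example.com", "grace@dhs.gov"]
    print("Most common passwords:", top_passwords(LEAKED, 3))
    print("Leaked .gov addresses:", accounts_by_domain_suffix(LEAKED, ".gov"))
    print("Our users needing a reset:", exposed_users(LEAKED, ours))
```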

