Some time ago, the TJMAXX companies woke up with a hangover: 130 million credit card numbers stolen. The reason? Obsolete security and pure greed. They used "WEP"; WPA was "too expensive".
Then came the Hotmail hack and the RockYou list: 32 million user passwords stolen.
As if that were not enough, some genius of a CEO is using obsolete technology to protect your data.
Please welcome Nick Denton (Gawker Media), in due course, for the Dummy Award of the year.
In light of the Gawker hack, one could think that the CEO of an internet media company would be a bit more enlightened than my grandmother when it comes to passwords & internet security, huh?
Well, guess what? Nope!
So, dear Nick Denton, CEO of Gawker.com, you are one hell of a dummy!
The Gawker Network was hacked, compromised, owned, and pwned, releasing a database of 1,300,000 users, as well as their source code and another bunch of juicy stuff! On top of that, most users' names & emails were also published with the corresponding hash. John The Ripper ripped through the hashes with amazing ease...
The main issue?
- Money!
Probably to save a few bucks, Gawker never updated their level of security: they used DES to encrypt your data. DES is broken, obsolete and should not be used: after all, it's only 34 years old.
Using DES was only the tip of the iceberg: after a few days of digging into the Gawker hack, it appears that:
- "They" were aware that something was wrong, but as it only concerned "peasants" it was not a top priority. The word "peasants" seems to be a code name for you, the users of Gawker.
- They taunted and provoked a few people on the 4chan board. As a tip, I would suggest Gawker not taunt people who seem to know much more about computers than they do.
- The hack or infiltration seems to have been going on for at least 4 months before panic mode was switched "on".
- Gawker was alerted when the front page of the site displayed some very weird stuff, including links to the full source code(!)
That didn't come as a surprise to HD Moore, chief security officer at Rapid7.
"The DES crypt hash can be broken with ridiculous ease," said Moore in an e-mail reply to questions late Monday about the strength of the encryption used by Gawker to safeguard its users' passwords. "John the Ripper, along with most other tools, are well-equipped to brute-force these."
Moore pointed out that the 56-bit DES (Data Encryption Standard) encryption used by Gawker had been broken more than a decade ago, when the Deep Crack machine built by the Electronic Frontier Foundation (EFF) won a 1998 contest sponsored by RSA after breaking a DES key in just 56 hours. Six months later, EFF and distributed.net collaborated to lower that time to just over 22 hours.
"These days, [graphics processor unit]-based cracking makes this even easier," noted Moore.
computerworld.com Dec 2010
So thank you, Gawker, for putting my security so low...
From the Gawker hack, by Gnosis:
"Let's start with our good friend Nick!
You would think someone like Nick Denton who likes to run his mouth and taunts such an unforgiving mass like Anonymous, would use a more secure password than "24862486".
The sad thing is he probably believes this password is "secure" because he likes to use it everywhere!" - Gnosis Hack Group
Gnosis goes on to publish, in the clear, multiple accounts of the above-named dummy.
Nick Denton and his crew taunted that group of hackers, and bragged a little bit too much.
You can brag, Nick, but when you do so, you need to have ~at least~ some knowledge of what does what.
Gawker.com assured their users, shortly after the hack was publicly available (mind you), that:
"We'll continue to look into this, but as I commented on your site earlier, we have no evidence that any of our readers' user accounts/passwords have been compromised. They are not stored in plain text and are on entirely different systems than the third-party hosted Campfire screenshots that appear in this article.
There's no evidence to suggest any Gawker Network user accounts were compromised, and passwords are encrypted (not stored in plain text) anyway, so stealing passwords isn't even possible."
- Well done Scott!
The 200,000 accounts cracked so far are probably just an illusion:
"After gaining access to Gawker's MySQL database we stumbled upon a huge table containing ~1,500,000 users. After a few days of dumping we decided that 1.3 million was enough.
Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!"
The main issue here is 1.3 million user logins, emails and passwords in the wild. Not too bad for something that was "not even possible".
"Gawker uses DES to obfuscate your password, which is pretty much worthless. With an application of supercomputing power, the plaintext passwords could be revealed very quickly for all 1.3 million usernames." Jed Smith, Dec 2010
The second main issue is that most of those people are using the same password for a lot of things. I hope that Gawker users are using different email accounts:
Gnosis was taunted by Nick Denton, making them prove their point (and they did so deep that Nick must have a headache that originated from his rectum. No lube used.)
But at least Gnosis are not that bad, greyish-hat hackers: they published the whole shebang, including source code, database, etc., but they did not use it to hack people.
It would have been a massacre if they had phished the entire db without publishing it first.
That list was subsequently abused, and some of the linked Twitter accounts started to see spam appear.
On top of showing their absolute ignorance to the world, and being pwned, owned and covered with shame by a group of "script kids", Gawker.com had the great idea to advise their subscribers, after the hack, to use strong passwords, with this fantastic article on how to create a great password. What an irony, especially when we look at the great password of their CEO.
Gina Trapani recently said something I applaud, in regards to the Gawker hack:
So, you read that, huh? No readable words found in a dictionary!!!!
Well... if you look at the database of cracked passwords, you'll note that almost all passwords cracked were composed of:
- Only numbers (Yes, Nick Denton, slap yourself here)
- Only letters (Yes, Gina Trapani, your advice is bad)
- The email used as the password (Great job! About 27% of the list....)
- Short strings
- And finally, almost none used a sign, as confirmed by Duo Security:
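The categories above are easy to turn into an audit you can run over your own user table after a breach. The following is an added example, not code from the post or from Gawker; the rows are constructed (none come from the dump), and the "short" threshold of 10 characters is taken from the post's own advice further down.

```python
from collections import Counter

# Constructed sample rows (email, recovered password) for the audit; not from the Gawker dump.
SAMPLE_ROWS = [
    ("alice@example.com", "24862486"),
    ("bob@example.com", "password"),
    ("carol@example.com", "carol@example.com"),
    ("dave@example.com", "Wq7#kp2!Lz"),
    ("erin@example.com", "abc1"),
    ("frank@example.com", "1960 Mommé!(^)_)(.gmail"),
]

MIN_LENGTH = 10  # the post's own minimum (assumption: applied as a hard threshold)


def weaknesses(password, email):
    """Return the set of the post's weakness labels that apply to one password."""
    flags = set()
    if password.isdigit():
        flags.add("only numbers")
    if password.isalpha():
        flags.add("only letters")
    if password.lower() == email.lower():
        flags.add("email as password")
    if len(password) < MIN_LENGTH:
        flags.add("short")
    # "sign" = anything that is not a letter or digit; a space counts as a sign
    if all(c.isalnum() for c in password):
        flags.add("no sign")
    return flags


def audit(rows):
    """Percentage of rows hit by each weakness, plus how many rows triggered no flag at all."""
    counts = Counter()
    clean = 0
    for email, password in rows:
        flags = weaknesses(password, email)
        counts.update(flags)
        if not flags:
            clean += 1
    total = len(rows)
    percent = {label: round(100.0 * n / total, 1) for label, n in counts.items()}
    return percent, clean


if __name__ == "__main__":
    percent, clean = audit(SAMPLE_ROWS)
    for label, pct in sorted(percent.items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {label}")
    print(f"{clean} of {len(SAMPLE_ROWS)} passwords triggered no flag")
```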
Why? OK, then I am going to repeat it again....
If you use numbers only, you have 10 possibilities per character: 0, 1, ..., 8, 9.
When your password is 3 characters long and made only of numbers, that's 1,000 possibilities and roughly 0.001 sec of "resistance time".
The great Nick Denton had a password able to resist a brute-force attack for less than an hour.
Now, if he had used a single sign, e.g. "&", the possibilities would have jumped from 10^9 to 127^9, that is 8,594,754,748,609,400,000 compared to a mere 1,000,000,000.
Adding a sign would have made it 8,594,754,749 times more difficult to crack (that's 8.5 billion).
Password?
I DO NOT LIKE THE WORD "PASSWORD"
"Password" makes people use "words", and it implies that it is a "single" string.
Hence, when you ask people to generate a password, they do! They create one single word!
Think passphrase instead!
One of the good points of Gina Trapani's article is the mention of a simple way to generate multiple, easy-to-remember passwords.
As for the rest, here are my 2 cents:
- If you can find it in a dictionary, it's not good!
- Minimum 10 characters long; 15 is highly regarded.
- Have you considered a space?
- Use lower case and UPPER CASE, along with signs and numbers.
- Did you know that you can use accented Latin characters? é å ü (e-option-e)
- Can't remember a string of signs? Use numbers with the shift key: 1234 = !@#$
You'll get "!(^)_)(".
So any password such as "1960 Mommé!(^)_)(" will keep any hacker occupied for a while.
Add a "dot" plus the website name, and "1960 Mommé!(^)_)(.gmail" becomes seriously, stupidly strong.
So a passphrase that follows the tips above, even one only 10 characters long, gives 1,091,533,853,073,390,000,000 possible combinations.
That number simply means that if you were to give each person on planet Earth a computer able to crack 1 billion keys per second, you'd still need about 78 years to crack it.
Make it 11 characters long and it goes to 9,000 years.
One key factor to understand is the famous "faster than the bear" logic.
Imagine a hungry grizzly running after a group of people: somebody is going to be eaten!
Most people believe that to escape a grizzly bear, you need to be faster than the bear.
Logic dictates that in order to NOT be eaten by the bear, you simply need to be faster than the slowest guy: he'll be the one being eaten.
The same theory applies to your passwords: if a hacker tries to crack your password and cannot succeed in a timely manner, he will most likely move on to the next weak one.
You just need to be faster than the slowest guy....
One last thing:
Gawker hack or not, you should not use a "good" email account to post comments, play games, tweet or Facebook: use a disposable email or reserve some addresses for the "junk".
If one is compromised, it will not compromise the good stuff: keep ham and spam separated.
Lil' recap:
- Numbers only: 10 per character
- Letters, lower case: 26 per character
- Letters, lower and upper case: 52 per character
- Numbers + letters: 62 per character
- Numbers + letters + shifted numbers (!@#$%^&*()_+): 74 per character
- Printable characters (0123...abc..ABC..!@#$%): 127 per character
- Full ASCII (including "space"): 255 per character
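The arithmetic behind the recap, the "single sign" comparison and the 10-character passphrase figure above is the same calculation each time, so here it is once, as an added example that is not part of the original post. It uses the post's own character-set sizes (e.g. 127 "printable" characters, which is the post's count, not the 95 of strict ASCII) and adds the truncation the Gnosis note describes: traditional DES crypt only ever sees the first 8 characters, which caps the keyspace no matter how long the password is.

```python
import math

# Character-set sizes exactly as the post's recap lists them (the post's own counts)
CHARSETS = {
    "numbers only": 10,
    "lower case letters": 26,
    "lower + upper case": 52,
    "numbers + letters": 62,
    "numbers + letters + shifted numbers": 74,
    "printable characters": 127,
    "full ascii": 255,
}

DES_CRYPT_MAX_CHARS = 8  # traditional DES crypt(3) ignores everything past the 8th character


def keyspace(charset_size, length):
    """Candidates an attacker must try to exhaust every `length`-character password."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """The same keyspace expressed in bits, the unit cracking benchmarks are quoted in."""
    return length * math.log2(charset_size)


def des_crypt_keyspace(charset_size, length):
    """Keyspace once the hash silently truncates the password, as the Gnosis note describes."""
    return keyspace(charset_size, min(length, DES_CRYPT_MAX_CHARS))


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time for a brute-force search at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def gain_from_signs(length, from_size=10, to_size=127):
    """How many times larger the search gets when a digits-only password grows to the printable set."""
    return round(keyspace(to_size, length) / keyspace(from_size, length))


if __name__ == "__main__":
    for label, size in CHARSETS.items():
        print(f"{label:36s} {size:3d} per char, 8 chars -> {keyspace(size, 8):.3e}"
              f" ({entropy_bits(size, 8):.1f} bits)")
    print("3 digits at 1e6 guesses/s:", seconds_to_exhaust(10, 3, 1e6), "s")
    print("9 chars, digits -> printable:", gain_from_signs(9), "x harder")
    print("12-char printable password under DES crypt is capped at 8 chars:",
          des_crypt_keyspace(127, 12) == keyspace(127, 8))
```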
If you want to learn more, I highly suggest reading one of the following.
I highly recommend "Hacking Wireless Exposed".