Nmap Development mailing list archives
Re: Gawker hacked: Another trove of password data
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 13 Dec 2010 05:26:11 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 12 Dec 2010 17:07:15 -0800 or thereabouts
Fyodor <fyodor () insecure org> wrote:

> It looks like Gawker (mostly a network of gossip sites) has been compromised. The attackers posted more than a million usernames, email addresses, and password hashes:
>
> http://yro.slashdot.org/story/10/12/12/2234252/Gawker-Source-Code-and-Databases-Compromised
>
> That is obviously unfortunate for Gawker and their users, but it does give us more real-life password frequency data to use for improving Nmap.
>
> It looks like the torrent file contains 1.2 million records, most of which include password hashes (some small percentage just say "NULL"). It looks like they are probably using crypt(), but I'm not certain. The readme.txt says it is DES based and only allows up to 8 characters, and the hashes are 13 chars long, so it seems like crypt().
>
> The torrent also includes cracked passwords for a subset of those DB records (188,281 accounts).
>
> I can easily add the 188,000 already-cracked accounts to the Nmap password frequency files, but does anyone have time and computing resources to start on cracking the rest? I recall that Brandon was able to crack a very large percentage of the PHPBB password hashes we found before. And I recall that members of this list scored very well in the Defcon password cracking contest this year :).
>
> Cheers,
> Fyodor
Thanks for pointing this out, more passwords is always a good thing!

I looked at this dump some earlier in the evening and I came to the same crypt() conclusion as you, although I didn't actually try cracking any of them that looked like crypt. The other hash being used is bcrypt() (the ones that start with "$2a$") which is an extremely well designed password hashing algorithm.

Unfortunately for us, both of these hashes are salted and pretty slow. bcrypt() is so slow it makes cracking an exercise in futility. I don't think we will be able to crack a big enough percentage of them to use them as a source of statistics. Unless we get to, say, 66% accounts cracked, I don't think we have good enough stats about the passwords to add them. If we can only crack the easy passwords, then adding them to our stats will bias our data towards only the very easily crackable passwords. This could harm our existing data.

If I come across something interesting/useful I'll be sure to report it.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk0FrnoACgkQqaGPzAsl94JbdQCgnMeh1tOtAgltCkV9aRpbGVCc
tFUAn2b5W3t6zYsF/3Oe6HISnoHN0QmM
=GHsR
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
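The two messages above reach their conclusions from the shape of the stored hashes (13 characters from the crypt alphabet for DES-based crypt(), a "$2a$" prefix with an inline cost factor for bcrypt, literal "NULL" for missing passwords) and from a coverage rule of thumb (do not fold a cracked subset into frequency statistics until a large majority is recovered, or the data skews toward the weakest passwords). The script below is an added example, not code from the thread or from Nmap: it triages a credential dump by hash format, pulls out the salt and bcrypt cost, and applies the 66% coverage check. All sample records and hash values are constructed for illustration.

```python
"""Triage a leaked credential dump by hash format (added example, not Nmap code).

Buckets each record's stored password field into DES crypt(), bcrypt, NULL
or unknown, reports salt/cost details, and applies the coverage threshold
before a cracked subset is treated as usable frequency statistics.
"""
import re
from collections import Counter

# Traditional DES-based crypt(3): 13 chars from [./0-9A-Za-z],
# the first two of which are the salt; input is truncated at 8 chars.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# bcrypt modular-crypt format: $2a$<2-digit cost>$<22-char salt><31-char hash>.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$([./0-9A-Za-z]{22})([./0-9A-Za-z]{31})$")


def classify_hash(field):
    """Return (kind, details) for one stored password field."""
    h = field.strip()
    if h in ("", "NULL"):
        return ("null", {})
    m = BCRYPT_RE.match(h)
    if m:
        cost = int(m.group(1))
        # Work factor is 2**cost key-setup iterations, which is why
        # bcrypt guessing is so much slower than DES crypt().
        return ("bcrypt", {"cost": cost, "rounds": 2 ** cost, "salt": m.group(2)})
    if DES_CRYPT_RE.match(h):
        return ("des-crypt", {"salt": h[:2], "max_password_len": 8})
    return ("unknown", {})


def summarize(lines):
    """Count hash kinds over 'user,email,hash' records; the hash is the last field."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        fields = line.rstrip("\n").split(",")
        kind, _ = classify_hash(fields[-1])
        counts[kind] += 1
    return counts


def stats_usable(cracked, total, threshold=0.66):
    """Coverage rule from the thread: a partially cracked set is biased toward
    easy passwords, so require a large majority recovered before using it."""
    if total <= 0:
        return False
    return cracked / total >= threshold


# Constructed sample records (hypothetical users, made-up hash strings).
BCRYPT_SAMPLE = "$2a$10$" + "abcdefghijklmnopqrstuv" + "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_LINES = [
    "alice,alice@example.com,abJnggxhB/yWI",
    "bob,bob@example.com," + BCRYPT_SAMPLE,
    "carol,carol@example.com,NULL",
    "dave,dave@example.com,cdRk3nQ9Zb.e1",
    "eve,eve@example.com,0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    # Figures quoted in the thread: 188,281 cracked out of 1.2 million records.
    print("usable for statistics:", stats_usable(188_281, 1_200_000))
```

Run as a script it prints the per-format counts for the constructed records and reports that the dump's own cracked subset (188,281 of 1.2 million) falls well short of the 66% threshold, which is the point the reply makes about bias.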
Current thread:
- Gawker hacked: Another trove of password data Fyodor (Dec 12)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 12)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 13)
- Re: Gawker hacked: Another trove of password data Matthew Finkel (Dec 13)
- Re: Gawker hacked: Another trove of password data Henri Doreau (Dec 16)
- Re: Gawker hacked: Another trove of password data Teófilo Couto (Dec 16)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 13)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 12)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 16)
- Re: Gawker hacked: Another trove of password data Florian Roth (Dec 17)
- Re: Gawker hacked: Another trove of password data Brandon Enright (Dec 17)