username: username, password: username.
The Gawker user database got hacked and stolen sometime last week. Those responsible cracked a bunch of passwords and released the list over torrents. I grabbed a hold of that list to see if I or any of my friends got caught in that. After making sure no major damage was done, my thoughts turned to doing some statistical analysis on the list. Others were doing it too, and WSJ in fact has a pretty good run down of the most popular passwords here.
A very neat graph, but there’s something missing: The number of users using their user names as passwords.
# of people using the single most often used password (“123456”): 3057
# of people who used their exact user names as their password: 3092
More people used their user name as a password than people who use “123456”, but not by much.
If we ignore the case and compare user names and passwords, we get: 3470.
In short, about 378 people tried “Zaphod” instead of “zaphod”, but that didn’t save them.
Oh, and this is before we adjust for the fact that all the cracked passwords are maximum 8 characters long. Here’s why:
The encryption scheme used by Gawker – DES – hashes only the first 8 characters of the password and stores the result. If you have a password longer than 8 characters, the rest of the characters are ignored.
What this means is that, even if your password was “lifehacker”, as far as the system was concerned your password was “lifehack”. This is why you see entries for “lifehack” and “consumer” in the WSJ graph: the first 8 characters of Lifehacker and Consumerist. In a nutshell: “lifehacker”, “lifehack3r”, “lifehackEr”, and “lifehacker255” are all the same. You could enter “lifehack” for any of those and it would let you in.
This brings us to the next part:
# of users whose password exactly matches the first 8 characters of their username: 5215 users.
Whoops, big jump.
Ignoring the case and comparing the first 8 characters again: 5931 users.
A jump of about 700 users, which is proportional to the jump we saw in the earlier case. It should be noted that it is difficult to put this number in context without knowing how many people changed the case of their passwords and how many of those got cracked.
How about people who tried to prefix or suffix their user names with fillers?
# of users where the username “matches” the password (case sensitive): 4141
# of users where the username (first 8 or less characters) “matches” the password (case sensitive): 6271
# of users where the username (first 8 or less characters) “matches” the password (not case sensitive): 7262
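The counts above come down to a handful of comparisons run over every (username, password) pair. The script below is an added example, not the author's analysis code, and it runs on a constructed sample rather than on the leaked list. It reproduces each comparison the post reports: exact match, match ignoring case, match after truncating both sides to the 8 characters the DES-based scheme keeps, and the filler case, where I read “matches” as the username occurring somewhere inside the password (that reading is an assumption). It also groups passwords the scheme would treat as identical, which is the “lifehacker”/“lifehack3r” collision described earlier.

```python
"""Username-vs-password comparison of the kind the post describes.
The SAMPLE pairs are made up for illustration; they are not rows from the leak."""
from collections import Counter

DES_PREFIX = 8  # the traditional DES-based crypt keeps only the first 8 characters

SAMPLE = [
    ("zaphod", "zaphod"),          # exact match
    ("Zaphod", "zaphod"),          # matches only when case is ignored
    ("lifehacker", "lifehacker"),  # identical; also identical after truncation
    ("consumerist", "consumer"),   # differs in full, equal once both are truncated
    ("Consumerist", "consumer1"),  # equal only after truncation and ignoring case
    ("trillian", "trillian123"),   # username with a suffix filler
    ("arthur", "123456"),          # unrelated
    ("marvin", "!marvin!"),        # username with prefix and suffix fillers
]


def effective(pw):
    """The part of a password the DES-based scheme actually hashes."""
    return pw[:DES_PREFIX]


# One predicate per figure in the post, in the order the post reports them.
METRICS = {
    "exact": lambda u, p: u == p,
    "exact_nocase": lambda u, p: u.lower() == p.lower(),
    "first8": lambda u, p: effective(u) == effective(p),
    "first8_nocase": lambda u, p: effective(u).lower() == effective(p).lower(),
    # "matches" with fillers: the username occurs inside the password
    "contains": lambda u, p: u in p,
    "first8_contains": lambda u, p: effective(u) in effective(p),
    "first8_contains_nocase": lambda u, p: effective(u).lower() in effective(p).lower(),
}


def analyse(pairs):
    """Count how many pairs satisfy each predicate."""
    return {name: sum(1 for u, p in pairs if test(u, p)) for name, test in METRICS.items()}


def top_passwords(pairs, n=3):
    """Most common effective passwords, the WSJ-style ranking."""
    return Counter(effective(p) for _, p in pairs).most_common(n)


def collisions(passwords):
    """Group distinct passwords that the scheme would accept interchangeably."""
    groups = {}
    for pw in passwords:
        groups.setdefault(effective(pw), set()).add(pw)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for name, count in analyse(SAMPLE).items():
        print(f"{name:24s} {count}")
    print(top_passwords(SAMPLE))
    print(collisions(["lifehacker", "lifehack3r", "lifehackEr", "lifehacker255", "lifehack"]))
```

The ordering of the counts on the sample mirrors the post: every relaxation (ignore case, truncate, allow fillers) can only add users, never remove them, which is why the 3092 grows to 7262 as the comparison loosens.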
What we can take from here is that:
1. An awful lot of people use their usernames as their passwords.
2. Even a long and seemingly complicated password can be rendered weak because of the encryption scheme.
“lifehack34!42DE$” might seem like a good enough password, but under DES it is only as good as “lifehack”, which is not much when your attacker knows what he is looking for.
In the case of the Gawker hack, there were 7262 – 3092 = 4170 users who thought they were being smart by changing things around, but it was either inadequate to begin with or, in some cases (and more importantly), they were blindsided by the dated encryption used.
Moral of the story:
Do not rely on a website to keep your information safe, and
Use a password that:
- Is not your user name, or the name of the website,
- Is not any word found in any dictionary, Klingon or otherwise,
- Includes more than one of both cases, symbols, and numbers
- Within the first 8 characters.
Oh and for your own sake, do not use the same password for something important.
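The rules in that list can be checked mechanically. The checker below is an added example, not something from the original post, and it bakes in my reading of the rules: the first 8 characters (the part a DES-based scheme would actually hash) must contain at least two uppercase letters, two lowercase letters, two digits and two symbols; the password must not contain the username or the site name, even with fillers around it (stricter than a plain equality test, given the filler figures above); and neither the full password nor its first 8 characters may be a dictionary word. The dictionary, site name and sample usernames are constructed placeholders.

```python
"""Check a candidate password against the rules listed at the end of the post.
SITE_NAME and DICTIONARY are constructed stand-ins, not real word lists."""

DES_PREFIX = 8            # characters a DES-based crypt actually hashes
SITE_NAME = "gawker"      # assumed site name for the "not the website" rule
DICTIONARY = {"password", "dragon", "monkey", "qwerty", "lifehack", "Qapla"}


def effective(pw):
    """The prefix the scheme would store; everything after it is ignored."""
    return pw[:DES_PREFIX]


def class_counts(s):
    """How many characters of each class appear in s."""
    return {
        "upper": sum(c.isupper() for c in s),
        "lower": sum(c.islower() for c in s),
        "digit": sum(c.isdigit() for c in s),
        "symbol": sum(not c.isalnum() for c in s),
    }


def check_password(password, username, site=SITE_NAME,
                   dictionary=DICTIONARY, min_per_class=2):
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    eff = effective(password)
    eff_lower = eff.lower()
    full_lower = password.lower()

    # Rule: not your username or the site name, fillers or not. Both the full
    # password and the stored prefix are checked, because the stored prefix is
    # what an attacker with the hash actually recovers.
    for label, name in (("username", username), ("site name", site)):
        n = name.lower()
        if name and (n in full_lower or n[:DES_PREFIX] in eff_lower):
            problems.append(f"contains {label}")

    # Rule: not a dictionary word (checked case-insensitively, full and truncated).
    words = {w.lower() for w in dictionary}
    if full_lower in words or eff_lower in words:
        problems.append("dictionary word")

    # Rule: enough of each class inside the first 8 characters.
    for cls, n in class_counts(eff).items():
        if n < min_per_class:
            problems.append(f"fewer than {min_per_class} {cls} characters in first {DES_PREFIX}")

    return problems


if __name__ == "__main__":
    # Constructed test inputs.
    for pw, user in (("lifehack34!42DE$", "lifehacker"),
                     ("Zx9!Qw4#rest", "arthur"),
                     ("gawker", "zaphod")):
        print(pw, "->", check_password(pw, user) or "ok")
```

The post's own example is the instructive one: “lifehack34!42DE$” looks strong as a whole, but its first 8 characters are the username prefix and a dictionary word with no uppercase, digits or symbols, so every rule that matters under truncation fails.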