
  (Source: icanhascheezburger)
Facebook, Gmail, and Twitter pages defaced as mob mentality rules

Today everyone's favorite (or least favorite, perhaps) cyberbandits LulzSec leaked 62,000 people's email addresses and passwords.

The listing, which can be found here in text file form, has lots of different users and passwords.  A few notes -- the passwords appear to be 15 characters or fewer and don't include capital letters (the last entry seems a fluke).  

This could simply be a coincidence that speaks to people's password tendencies these days, or it could be a sign that LulzSec used brute force attacks to crack these passwords.  

Using an SSD-driven rainbow tables approach, a 14-character hashed password can be cracked in about 5 seconds; cracking 62,000 passwords would take approximately three and a half days at most (probably less if you exclude capitals).  Of course that's for Windows passwords, which use MD4 hashing.  More secure sites likely use MD5 and SHA1, in addition to salting and a high iteration count -- of course there are plenty of sites that are probably using MD4 with no salting or -- as the Sony hacks showed -- storing passwords as cleartext in web-accessible databases.
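The difference the paragraph draws between unsalted hashing and "salting plus a high iteration count" is easy to see in code. The following is an added example, not code from the article or from any of the sites mentioned: it precomputes a hash-to-plaintext table for a tiny constructed wordlist (the same idea a rainbow table applies at scale) and shows that the table reverses an unsalted MD5 hash in one lookup but is useless against the same password stored with PBKDF2 and a per-user random salt. The wordlist, the `hash_password`/`verify_password` helpers and the 100,000 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the short, lowercase passwords the
# leaked list was full of (values made up for this example).
WORDLIST = ["password", "letmein", "qwerty123", "iloveyou", "sunshine"]


def build_unsalted_table(words, algo="md5"):
    """Precompute hash -> plaintext for every word. This is a rainbow table
    reduced to a plain dictionary: the hashing work is done once and reused
    against every hash produced the same way, by any site, for any user."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(table, stored_hash):
    """Constant-time reversal of an unsalted hash, if the plaintext was in the wordlist."""
    return table.get(stored_hash)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated storage (PBKDF2-HMAC-SHA256). A fresh 16-byte salt per
    user means no precomputed table can be shared across accounts, and the
    iteration count makes every single guess cost 100k hash operations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, digest.hex()


def verify_password(password, salt_hex, iterations, digest_hex):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    table = build_unsalted_table(WORDLIST)

    # Site A stored md5(password) with no salt: one dictionary lookup recovers it.
    site_a_hash = hashlib.md5(b"letmein").hexdigest()
    recovered = lookup_unsalted(table, site_a_hash)

    # Site B stored PBKDF2 with a per-user salt: the same table finds nothing,
    # and each guess has to be recomputed per user with the full iteration count.
    salt, iters, stored = hash_password("letmein")
    in_table = lookup_unsalted(table, stored)

    return (
        recovered,                                         # "letmein"
        in_table,                                          # None
        verify_password("letmein", salt, iters, stored),   # True
        verify_password("letmein1", salt, iters, stored),  # False
    )


if __name__ == "__main__":
    print(demo())
```

Running the block prints `('letmein', None, True, False)`: the unsalted hash falls to the precomputed table, the salted one does not, and legitimate verification still works because the salt is stored alongside the digest. In a real deployment the iteration count would be tuned to the server's hardware and raised over time, and a memory-hard function (scrypt, Argon2) would be preferred where available.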

Many users whose email addresses were hacked subsequently had their Twitter or Facebook accounts illegitimately accessed and defaced [source].  It appears that the internet equivalent of a mob is behind these attacks -- thousands of individuals have downloaded the file containing the passwords and begun to try to access people's accounts.

The Next Web has been promoting a tool to find if you've been hacked, stating, "We've promised we won't say who built it, but can absolutely 100% assure it wasn't LulzSec and there's no email harvesting going on."

That said, the widget -- originally hosted here -- is the work of an unknown developer, so entrusting it with your emails might not be wise.

As always you can maintain safety online by:

  1. Use one-time accounts for your various online registrations (so that one compromised account doesn't let others be compromised).
  2. Use passphrases with numbers, capital letters, and preferably ASCII symbols.
  3. Make sure your passwords are over 20 characters long.
  4. Don't reuse passwords.
  5. Don't share passwords with anyone.
While the above may seem difficult, it will allow you to remain safe from cybercrime online, for the most part.
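Rules 2 through 4 above can be turned into a mechanical check, and it is worth seeing how much the "over 20 characters, mixed character classes" advice actually buys compared with the 15-character lowercase passwords in the leaked list. The following is an added example, not code from the article: `check_passphrase` reports which of the article's rules a candidate violates, and `keyspace_bits` gives the log2 of the search space implied by the length and character classes present. The sample passphrases and the "previously used" set are constructed for the demonstration.

```python
import math
import string

SYMBOLS = set(string.punctuation)  # the 32 printable ASCII symbols


def check_passphrase(candidate, previously_used):
    """Return the list of rule violations (an empty list means it passes).
    The rules mirror the article's advice: longer than 20 characters, contains
    digits, capitals and ASCII symbols, and has not been used elsewhere."""
    problems = []
    if len(candidate) <= 20:
        problems.append("must be longer than 20 characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    if not any(c.isupper() for c in candidate):
        problems.append("needs at least one capital letter")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("needs at least one ASCII symbol")
    if candidate in previously_used:
        problems.append("reused from another account")
    return problems


def keyspace_bits(candidate):
    """Upper bound on guessing work, in bits: log2(alphabet ** length), where the
    alphabet is the union of the character classes the candidate actually uses.
    It is an upper bound: dictionary words and patterns make real guessing
    cheaper, so treat the number as a ceiling, not a promise."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in SYMBOLS for c in candidate):
        size += len(SYMBOLS)
    return len(candidate) * math.log2(size) if size else 0.0


def compare(leaked_style, recommended, previously_used=frozenset()):
    """Side-by-side report for a leak-style password and an article-style passphrase."""
    return {
        "leaked_style": (check_passphrase(leaked_style, previously_used),
                         round(keyspace_bits(leaked_style), 1)),
        "recommended": (check_passphrase(recommended, previously_used),
                        round(keyspace_bits(recommended), 1)),
    }


if __name__ == "__main__":
    # Constructed samples: a 15-char lowercase password like those in the dump,
    # and a 30-char passphrase that satisfies every rule in the article.
    for name, (problems, bits) in compare("sunshinebeaches",
                                          "Correct-Horse-Battery-Staple-9").items():
        print(f"{name}: {bits} bits, problems: {problems or 'none'}")
```

On the constructed samples the 15-character lowercase password scores about 70 bits and fails four of the five rules, while the 30-character mixed passphrase scores roughly 197 bits and passes all of them; passing the reuse rule a second time with the same passphrase in `previously_used` produces exactly one violation. The bit count is the size of the space a guesser would have to cover in the worst case, which is why length dominates: every extra character multiplies the work by the alphabet size.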


Comments

RE: Password recommendations
By ultimatebob on 6/16/2011 9:11:24 PM , Rating: 5
Not to mention that even the best password is worthless if the boneheaded site operator is storing them in cleartext like Sony was.

RE: Password recommendations
By idiot77 on 6/16/2011 10:24:47 PM , Rating: 4
My favorite is VerizonWireless that changes my capitals to lower case, even though it verified it was upper when I put it in and matched. Some genius programming there.

RE: Password recommendations
By someguy123 on 6/16/2011 11:14:27 PM , Rating: 1
Seriously. Having these massive passwords will do nothing but make your logins a bit more annoying.

It takes an unbelievable amount of time to merely brute force passwords. These people aren't going around bruteforcing every website; they're finding exploits.

RE: Password recommendations
By SunTzu on 6/17/2011 6:03:52 AM , Rating: 2
No, it doesn't. They use rainbow tables to crack the encryption, they don't try to brute force the logins.

RE: Password recommendations
By Gamingphreek on 6/17/2011 7:41:31 AM , Rating: 3
Rainbow Tables are brute force. Instead of trying passwords and computing the hash, rainbow tables are a series of hashes. It eliminates turning Clear Text into Cypher Text for a speed up.

RE: Password recommendations
By nafhan on 6/17/2011 9:54:22 AM , Rating: 3
Brute force means they try every possible password (or a subset thereof). Rainbow tables are just a method of speeding up brute force attacks by pre-computing passwords and placing them in storage (i.e. trading CPU time for storage space).

RE: Password recommendations
By JasonMick on 6/17/2011 10:48:38 AM , Rating: 2
Brute force means they try every possible password (or a subset thereof). Rainbow tables are just a method of speeding up brute force attacks by pre-computing passwords and placing them in storage (i.e. trading CPU time for storage space).

True... I think the commenter was referring to the fact that hackers try to dump databases of usernames/passwords and then use brute force to reverse the encryption on the DUMPED contents, rather than to try to brute force (unencrypted) passwords via login attempts to an online interface (which would be ridiculously bandwidth limited)...

Technically their statement is correct, though the word was a bit confusing.

RE: Password recommendations
By SunTzu on 6/17/2011 4:32:18 PM , Rating: 2
That was precisely my point. The biggest problem isn't usually bandwidth, it's that any system designed by someone who's not a 5 year old will limit the number of attempts over x time, which makes it unfeasible.

RE: Password recommendations
By SandmanWN on 6/17/2011 11:39:21 PM , Rating: 2
on the flipside, now they don't even have to try to break your account. a few bad entries and the bank system will suspend your account. one tiny script and the next day you and 10,000 of your fellow bankers will shut the bank down for them as you call in and drop by en masse to figure out why your account isn't working.

RE: Password recommendations
By The0ne on 6/17/2011 3:25:52 PM , Rating: 2
Pretty much, that's why key logger programs are so useful/dangerous. It doesn't take much to land a key logger into someone's computer.

RE: Password recommendations
By Depolarized on 6/20/2011 10:27:24 AM , Rating: 2
Regarding keyloggers, I'm scared enough of this I've started using an on-screen keyboard to enter crucial usernames & passwords (when I can remember).

I think my antivirus checks for keyloggers, but I don't trust it.

