The 2007 Finnish password leak revisited

[Image: Excerpt from a leaked password file with a message from hackers in Finnish, rendered to resemble an early IBM PC terminal display.]

In 2007, Swedish hackers ZeroPoint and the Magical Pink Bear a Finnish skript kiddie released 78,000 hashed Finnish forum passwords. Now that some time has safely passed, let's try and see how many of them can be easily reversed into cleartext passwords.


The MD5 section of the document contains 25,824 hashes, most of them unsalted (except for 3,000 in the middle) and with usernames and email addresses included. Because they're salt-free, we can directly attack the list with a ridiculously large precomputed hash dictionary containing multiple languages, password lists recovered by other groups, and generated concatenations of words and numbers.

Using Stephen C. Losen's sgrep utility, it took my 800 MHz ThinkPad and Perl just a few minutes to compare every single hash to three gigabytes of dictionaries, stored on old-skool spinning disk media. More than 50 % of the passwords were found in the dictionary.

Next, I examined some of the remaining hashes using a (relatively small) MD5 rainbow table covering all possible 1..8-character combinations of lowercase ASCII letters and digits (of which there are roughly 368 ≈ 2.8×1012 in total). This method is much slower than a dictionary attack, so I only took the first 32 hashes for demonstration. 23 cleartext passwords were recovered, that is 72 %, in the 20 minutes it took me to get an energy drink from the 24/7 corner store. (Enough numbers yet?)

[Image: An SD card labeled with rainbow colors, held between fingers with pink nail polish. On the background, a computer screen with terminal text, showing e.g. the password 'Z10N0101' and the IP address ''.]

The two most common individual passwords in the MD5 set were, unsurprisingly, "salasana" (Finnish for "password") and "123456". Together they accounted for about 0.6 % of all hashes.


The SHA1 section contains both unsalted and salted hashes. Out of the 409 unsalted ones, a dictionary search reversed 239 (58 %) in a couple of seconds. "Salasana" was a favorite again. The rest are salted with a lowercase version of the username; even though we know the salt, there's no way around brute-forcing through dictionaries, which is painfully slow.

But in case the password is in a dictionary, even a salted hash can be reversed in minutes.

About dictionaries

Note that the dictionaries used by password crackers are not plain language dictionaries in the common sense. They contain millions of words, some of which are real words yet others seemingly random strings. As soon as your password is leaked in cleartext through any site, it becomes a dictionary word, no matter how weak or strong it was.

If you've used the same password on many sites for some years, chances are it has found its way into dictionaries and is now equivalent to using "swordfish" as a password.

All right, time to change my passwords now.


  1. "In 2007, Swedish hackers ZeroPoint and the Magical Pink Bear released"
    Actually they didn't, it was some lone skiddie who decided to blame them.


The comments section is pre-moderated; it will take some time for the comment to show up.

You might want to check out the FAQ first.