Jun 15, 2013

The 2007 Finnish password leak revisited

In 2007, a Finnish skript kiddie (not Swedish hackers ZeroPoint and the Magical Pink Bear, as this post first stated) released 78,000 hashed Finnish forum passwords. Now that some time has safely passed, let's try and see how many of them can be easily reversed into cleartext passwords.

MD5

The MD5 section of the document contains 25,824 hashes, most of them unsalted (except for 3,000 in the middle) and with usernames and email addresses included. Because they're salt-free, we can directly attack the list with a ridiculously large precomputed hash dictionary containing multiple languages, password lists recovered by other groups, and generated concatenations of words and numbers.

Using Stephen C. Losen's sgrep utility, it took my 800 MHz ThinkPad and Perl just a few minutes to compare every single hash to three gigabytes of dictionaries, stored on old-skool spinning disk media. More than 50 % of the passwords were found in the dictionary.

Next, I examined some of the remaining hashes using a (relatively small) MD5 rainbow table covering all possible 1..8-character combinations of lowercase ASCII letters and digits (of which there are roughly 36⁸ ≈ 2.8×10¹² in total). This method is much slower than a dictionary attack, so I only took the first 32 hashes for demonstration. 23 cleartext passwords were recovered, that is 72 %, in the 20 minutes it took me to get an energy drink from the 24/7 corner store. (Enough numbers yet?)

The two most common individual passwords in the MD5 set were, unsurprisingly, "salasana" (Finnish for "password") and "123456". Together they accounted for about 0.6 % of all hashes.

SHA1

The SHA1 section contains both unsalted and salted hashes. Out of the 409 unsalted ones, a dictionary search reversed 239 (58 %) in a couple of seconds. "Salasana" was a favorite again. The rest are salted with a lowercase version of the username; even though we know the salt, there's no way around brute-forcing through dictionaries, which is painfully slow.

But in case the password is in a dictionary, even a salted hash can be reversed in minutes.
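The contrast between the unsalted MD5 hashes and the username-salted SHA1 hashes, as an added example that is not part of the original post: an audit over constructed sample accounts that counts how many hash computations each case costs. The wordlist, the account names, and the salt construction (lowercase username prepended to the password) are assumptions; the post does not say how the salt was combined.

```python
import hashlib

# Constructed sample data (not taken from the leak): a tiny wordlist and four accounts.
WORDLIST = ["salasana", "123456", "swordfish", "qwerty"]
ACCOUNTS = {"Alice": "salasana", "bob": "123456", "Carol": "k9!vR2#pLx", "dave": "salasana"}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def salted_sha1_hex(username, password):
    # Assumed construction: SHA1(lowercase username + password).
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()

def build_sample():
    """Return the two stored-hash tables an auditor would be handed."""
    unsalted = {u: md5_hex(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_sha1_hex(u, p) for u, p in ACCOUNTS.items()}
    return unsalted, salted

def audit_unsalted(records, wordlist):
    """One lookup table, computed once, is checked against every account."""
    table = {md5_hex(w): w for w in wordlist}
    weak = {u: table[h] for u, h in records.items() if h in table}
    return weak, len(wordlist)  # hash computations spent, independent of account count

def audit_salted(records, wordlist):
    """The salt differs per account, so the wordlist is rehashed for each one."""
    weak, work = {}, 0
    for user, stored in records.items():
        for word in wordlist:
            work += 1
            if salted_sha1_hex(user, word) == stored:
                weak[user] = word
                break
    return weak, work

if __name__ == "__main__":
    unsalted, salted = build_sample()
    print("unsalted MD5:", audit_unsalted(unsalted, WORDLIST))
    print("salted SHA1: ", audit_salted(salted, WORDLIST))
    # Identical passwords collide without a salt and differ with one.
    print(unsalted["Alice"] == unsalted["dave"], salted["Alice"] == salted["dave"])
```

Both audits flag the same three accounts. The salt only raises the cost from one pass over the wordlist to one pass per account, and it stops identical passwords from sharing a hash.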

About dictionaries

Note that the dictionaries used by password crackers are not plain language dictionaries in the common sense. They contain millions of words, some of which are real words yet others seemingly random strings. As soon as your password is leaked in cleartext through any site, it becomes a dictionary word, no matter how weak or strong it was.

If you've used the same password on many sites for some years, chances are it has found its way into dictionaries and is now equivalent to using "swordfish" as a password.

All right, time to change my passwords now.

3 comments:

  1. Women use "password" and men use "123456".

  2. "In 2007, Swedish hackers ZeroPoint and the Magical Pink Bear released"
    Actually they didn't, it was some lone skiddie who decided to blame them.
    http://www.digitoday.fi/tietoturva/2007/10/18/poliisi-tavoitti-80-000-salasanan-levityksesta-epaillyn/200725989/66

