One of the big news stories last week was the hacking of Gawker Media’s servers. As part of the attack, user accounts were compromised on Gawker sites, including Lifehacker and Gizmodo. More than 500,000 user emails and 185,000 decrypted passwords were posted online. If you’re not sure which account you used on a Gawker site, and want to determine if your account might have been compromised, there’s a tool for that.
Slate has created a widget that checks whether your account was among those compromised. Enter the username or email address you used on a Gawker site and hit the “Check” button. You’ll get one of two messages back:
1. “Your account data has been released. If your account had a password, it has also been released in an encrypted form. Change it.”
2. “The e-mail account or user name does not appear to be in the released database.”
If you get the first message, you should not only change your Gawker password, but if you used that email/password combination on any other sites, you should change your password on those sites, too.
To avoid a problem like this in the future, make sure that you use unique passwords on all sites. Check out one of our favorite tools, LastPass, for an easy way to generate and remember all of those passwords.
Does a hack like this make you trust Gawker sites less? Or trust the Internet less? Our take: this could happen to any site out there. Protect yourself by using unique passwords on all sites.
Kosmo @ The Soap Boxers says:
My web hosting provider (Dreamhost) actually notified me that the account I use to log in to Dreamhost was among those compromised at Gawker. I guess they took all of the account usernames and did a comparison to the hacked data. Nice customer service – they did absolutely nothing wrong but wanted to point out the danger if people happened to use the same ID and password with Gawker and with other sites.
Btw, in case some people aren’t connecting the dots on why having an encrypted version of the password released is a problem … it’s because the hackers could look up the encrypted password of known accounts (their own accounts) and use this to reverse engineer the encryption algorithm. Once they have the algorithm, they could then easily decrypt other passwords.
December 19, 2010 — 9:39 pm
Evan Kline says:
Thanks for the explanation, Kosmo. I wasn’t aware that was how encryption worked.
December 19, 2010 — 11:49 pm
Kosmo @ The Soap Boxers says:
Let me preface this by saying that I don’t work in the field of encryption (but I do read a lot of Dan Brown novels, which is surely the equivalent of 20 years of experience – lol).
Let’s look at the easiest example. Your password is Evan and Bobby’s is Bobby (yeah, you really need better passwords).
You see that the encrypted passwords are:
Evan – fWBO
Bobby – cPCCZ
As you can see, you just go one spot deeper in the alphabet and toggle the capitalization.
So if you encounter the encrypted password
lPTNP
you can decrypt this to
Kosmo
Real encryption is much more complex, of course. But if you have enough unencrypted/encrypted pairs to work with, you can get a lot of hints. Let’s say that you have 1000 pairs, and that the letter e appears 413 times in the 1000 unencrypted passwords. Interestingly, the character % appears 413 times in the 1000 encrypted passwords. Perhaps e = %?
December 20, 2010 — 9:00 am
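Kosmo’s toy cipher, and the known-pair analysis his comment sketches, written out as an added example (not code from the original post). The cipher is exactly the one described: shift each letter one place forward and toggle its case. `recover_table` and `frequency_hints` are hypothetical helper names chosen here.

```python
"""Kosmo's toy cipher (shift one letter forward, toggle case) and the
known-pair analysis the comment describes. Constructed example."""
from collections import Counter
import string

def _shift(ch: str, delta: int) -> str:
    """Move a letter delta places along its alphabet and toggle its case."""
    if not ch.isalpha():
        return ch
    alphabet = string.ascii_lowercase if ch.islower() else string.ascii_uppercase
    return alphabet[(alphabet.index(ch) + delta) % 26].swapcase()

def toy_encrypt(plaintext: str) -> str:
    return "".join(_shift(ch, 1) for ch in plaintext)

def toy_decrypt(ciphertext: str) -> str:
    return "".join(_shift(ch, -1) for ch in ciphertext)

def recover_table(pairs):
    """Substitution table learned from known (plaintext, ciphertext) pairs,
    e.g. from accounts whose passwords the analyst already knows.
    Returns None if any pair contradicts a per-character substitution."""
    table = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            return None
        for p, c in zip(plain, cipher):
            if table.setdefault(p, c) != c:
                return None
    return table

def decrypt_with_table(ciphertext, table):
    """Invert the learned table; '?' marks characters never seen in a pair."""
    inverse = {c: p for p, c in table.items()}
    return "".join(inverse.get(ch, "?") for ch in ciphertext)

def frequency_hints(plaintexts, ciphertexts):
    """The 'e appears 413 times, % appears 413 times' observation: pair up
    plaintext and ciphertext characters whose total counts match uniquely."""
    def by_count(texts):
        groups = {}
        for ch, n in Counter("".join(texts)).items():
            groups.setdefault(n, []).append(ch)
        return groups
    p_groups, c_groups = by_count(plaintexts), by_count(ciphertexts)
    return {chs[0]: c_groups[n][0] for n, chs in p_groups.items()
            if len(chs) == 1 and len(c_groups.get(n, [])) == 1}
```

With only the two pairs from the comment, `decrypt_with_table("lPTNP", ...)` recovers just the letters already seen (`?o??o`); every additional known pair fills in more of the table, which is the point Kosmo is making.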
Evan Kline says:
I don’t know enough to know one way or the other how hard it would be. I know that most encryption will “salt” the encrypted data with something unique to each encrypted piece of data (like your password) to make it more than just seeing what matches up, but I’m sure that having a stable of cracked accounts has to help a hacker figure out the other ones. I had heard that they were decrypting accounts with brute force attacks. Given that many encryption programs, like TrueCrypt, use open encryption algorithms, I’m sure it would be pretty tough to do.
December 20, 2010 — 1:11 pm
Fredrik says:
All sane web sites use digest algorithms like MD5 or SHA1 to store passwords. That means they store a checksum of sorts. You can think of it as adding up the character values of all characters in the password and just storing that sum. Of course the actual algorithms used are a lot more complex, to make it extremely expensive (computationally) to come up with a password that generates a certain known checksum. Whenever you type your password, the site calculates the checksum for the password you typed, and compares the calculated checksum to the one stored in the user database. If they match, they let you in. You could get away with typing a different password which happens to generate the same checksum as your actual password, but the chance of that happening is typically less than 1 in 10^36.
The most effective way to attack this kind of database is to write a program which makes educated guesses for passwords, like trying all words in a dictionary, possibly adding a 1-3 digit number at the end. For reasonably short passwords, you could also try a brute-force attack, which means you try all possible combinations of the characters people are likely to use in a password (or all possible characters, but that takes a lot more time).
To create a good password, you need to make sure it’s not in any dictionary that anyone has access to, not even a hacker slang word list. Some of the characters also need to be capital, and not just the first one. You should add digits and special characters, and not just at the end. And it mustn’t be too short (at least 8 characters is recommended). Also, don’t use the same password for different sites. Some of the sites you visit WILL get hacked, and if they manage to crack your password at one site, and have your email address, they could soon be logging into your accounts at a lot of other sites too.
To keep track of all your different account names and passwords (and to remember which accounts you have opened!), you probably need software to store all this information in an encrypted form. You then use a really good password to protect it. That personal account/password database probably should be kept offline, on your phone perhaps.
January 19, 2011 — 2:32 am
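The store-a-checksum-and-recompute scheme Fredrik describes, alongside the per-user “salt” Evan mentions earlier in the thread, as an added example (not code from the original post or from any site named on it). Usernames and passwords are constructed; SHA-1 is used only to match the comment.

```python
"""Digest-based password storage: store a checksum, recompute it on login.
Constructed example with made-up users."""
import hashlib
import hmac
import secrets

def unsalted_digest(password: str) -> str:
    """The scheme in the comment: one SHA-1 of the password, nothing else.
    (A deliberately slow KDF such as PBKDF2 is the modern choice; SHA-1 is
    used here to match the comment.)"""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_digest(password: str, salt: str) -> str:
    """Per-user random salt: equal passwords no longer produce equal digests,
    so each guess must be recomputed per user instead of looked up once."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

def new_user_record(password: str) -> dict:
    """What the site stores: a fresh random salt and the salted digest."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "digest": salted_digest(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest for the typed password and compare it with the
    stored one; compare_digest avoids leaking the match through timing."""
    return hmac.compare_digest(record["digest"],
                               salted_digest(attempt, record["salt"]))

def shared_password_groups(digests: dict) -> list:
    """Audit helper: with unsalted storage, users who chose the same password
    have identical digests, so one recovered value covers all of them."""
    groups = {}
    for user, d in digests.items():
        groups.setdefault(d, []).append(user)
    return [users for users in groups.values() if len(users) > 1]
```

Running `shared_password_groups` over an unsalted table exposes exactly the clusters a leak would hand an attacker for free; over salted records the same audit finds nothing, because the digests differ even when the passwords do not.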
Evan Kline says:
Thanks for the explanation, Fredrik. We’ve written about LastPass before, which seems to fit what you’re saying in the last paragraph, except for the offline part (although it is encrypted locally, and only the encrypted file is online).
January 19, 2011 — 5:16 pm