Tuesday, December 29, 2009

The RockYou 32 Million Password List Top 100

But first, a quick response to one of the previous comments, (since it really did merit a front-page post).

Tfcx posted:
The initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082
Thanks, as that really helps narrow down the timeframe, (and reading that post and related posts was interesting if a bit depressing). The hack itself appears pretty straightforward once you see it, (like most things once the solution is presented to you it's easy, but finding it in the first place is hard). I'm still interested in the hacker Igigi, and have been tossing about all sorts of theories; but I'll refrain from posting them here since they are all pure WAGs right now.

Now on to the main topic: Per Thorsheim wrote:
I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twitter-banned-passwords/)
Happy to oblige! To start things off, here are the top 100 most frequently used passwords from the RockYou list. I then bolded any of the passwords that did not appear in Twitter's blacklist. As a side note: Yes I do realize I need to modify my website code to allow support for expandable post summaries. Wow do I ever miss Livejournal...

Rank | Num of Occurrences | Password
--------------------------------------------------------------
1 | 290729 | 123456
2 | 79076 | 12345
3 | 76789 | 123456789
4 | 59462 | password
5 | 49952 | iloveyou
6 | 33291 | princess
7 | 21725 | 1234567
8 | 20901 | rockyou
9 | 20553 | 12345678
10 | 16648 | abc123
11 | 16227 | nicole
12 | 15308 | daniel
13 | 15163 | babygirl
14 | 14726 | monkey
15 | 14331 | lovely
16 | 14103 | jessica
17 | 13984 | 654321
18 | 13981 | michael
19 | 13488 | ashley
20 | 13456 | qwerty
21 | 13272 | 111111
22 | 13134 | iloveu
23 | 13028 | 000000
24 | 12714 | michelle
25 | 11761 | tigger
26 | 11489 | sunshine
27 | 11289 | chocolate
28 | 11112 | password1
29 | 10836 | soccer
30 | 10755 | anthony
31 | 10731 | friends
32 | 10560 | butterfly
33 | 10547 | purple
34 | 10508 | angel
35 | 10167 | jordan
36 | 9764 | liverpool
37 | 9708 | justin
38 | 9704 | loveme
39 | 9610 | fuckyou
40 | 9516 | 123123
41 | 9462 | football
42 | 9310 | secret
43 | 9153 | andrea
44 | 9053 | carlos
45 | 8976 | jennifer
46 | 8960 | joshua
47 | 8756 | bubbles
48 | 8676 | 1234567890
49 | 8667 | superman
50 | 8631 | hannah
51 | 8537 | amanda
52 | 8499 | loveyou
53 | 8462 | pretty
54 | 8404 | basketball
55 | 8360 | andrew
56 | 8310 | angels
57 | 8285 | tweety
58 | 8269 | flower
59 | 8025 | playboy
60 | 7901 | hello
61 | 7866 | elizabeth
62 | 7792 | hottie
63 | 7766 | tinkerbell
64 | 7735 | charlie
65 | 7717 | samantha
66 | 7654 | barbie
67 | 7645 | chelsea
68 | 7564 | lovers
69 | 7536 | teamo
70 | 7518 | jasmine
71 | 7500 | brandon
72 | 7419 | 666666
73 | 7333 | shadow
74 | 7301 | melissa
75 | 7241 | eminem
76 | 7222 | matthew
77 | 7206 | robert
78 | 7148 | danielle
79 | 7116 | forever
80 | 6979 | family
81 | 6775 | jonathan
82 | 6658 | 987654321
83 | 6653 | computer
84 | 6647 | whatever
85 | 6598 | dragon
86 | 6570 | vanessa
87 | 6554 | cookie
88 | 6547 | naruto
89 | 6501 | summer
90 | 6420 | sweety
91 | 6390 | spongebob
92 | 6320 | joseph
93 | 6272 | junior
94 | 6215 | softball
95 | 6131 | taylor
96 | 6111 | yellow
97 | 6080 | daniela
98 | 6079 | lauren
99 | 6068 | mickey
100 | 6027 | princesa


Analysis: I'm hesitant to post the top 370 passwords due to privacy concerns, (also 100 is such a nice round number), but I figure this should give a good overview of the coverage of the 370 passwords that are blacklisted by Twitter. A grand total of 38 of the top 100 passwords did not appear in the Twitter blacklist. That actually really surprised me, as I expected the Twitter blacklist to perform better. So I guess what I'm trying to say is good question ;)

Just to save everyone from the math, if an attacker tried the top 100 passwords as guesses, they would have been able to crack 1,483,668 passwords from the dataset, or 4.5% of the total passwords. If the Twitter blacklist had been in place, and the attacker still tried the same 100 guesses, they would have only cracked 475,046 passwords, or 1.4% of the total passwords. So a blacklisting approach certainly can help against online password attacks, (where the attacker is severely limited in the number of guesses they can make). That being said, the Twitter list probably shouldn't be considered the gold standard as there are a lot of improvements that can be made to it.
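To show how the "guesses cracked with and without a blacklist" numbers above are computed, here is an added example (my own code, not from the original post or from RockYou/Twitter). It takes the top 10 rows from the table above and the post's total of 32,603,387 parsed passwords; the blacklist it uses is a constructed stand-in for demonstration, not Twitter's real 370-entry list, and the function names are my own. The simplifying assumption, the same one the post makes, is that a blacklisted password would have been rejected at creation time, so its count drops to zero while the attacker's guess list stays the same.

```python
# Top 10 rows copied from the frequency table above: (rank, count, password).
TOP10 = [
    (1, 290729, "123456"),
    (2, 79076, "12345"),
    (3, 76789, "123456789"),
    (4, 59462, "password"),
    (5, 49952, "iloveyou"),
    (6, 33291, "princess"),
    (7, 21725, "1234567"),
    (8, 20901, "rockyou"),
    (9, 20553, "12345678"),
    (10, 16648, "abc123"),
]

# From the post's "Total Plaintext Values Parsed".
TOTAL_PASSWORDS = 32_603_387

# Constructed example blacklist for demonstration only. It is NOT Twitter's
# actual banned-password list; any resemblance to it is incidental.
EXAMPLE_BLACKLIST = frozenset({
    "123456", "12345", "123456789", "password", "iloveyou", "12345678", "abc123",
})


def coverage(guesses, freq_table, total, blacklist=frozenset()):
    """Return (accounts cracked, fraction of total) for an online attacker who
    tries each password in `guesses` once per account.

    `freq_table` is a list of (rank, count, password). Passwords present in
    `blacklist` are assumed to have been rejected at creation time, so they
    contribute no cracked accounts even though the attacker still guesses them.
    """
    counts = {pw: n for _, n, pw in freq_table}
    cracked = sum(counts.get(g, 0) for g in guesses if g not in blacklist)
    return cracked, cracked / total


def not_blacklisted(freq_table, blacklist):
    """Passwords from the frequency table that the blacklist fails to cover,
    in rank order (the post marked these in bold in its table)."""
    return [pw for _, _, pw in freq_table if pw not in blacklist]


def top_n_report(freq_table, total, blacklist, n=10):
    """Coverage of the top-n guesses with and without the blacklist, as a dict."""
    guesses = [pw for _, _, pw in freq_table[:n]]
    plain, plain_frac = coverage(guesses, freq_table, total)
    listed, listed_frac = coverage(guesses, freq_table, total, blacklist)
    return {
        "guesses": n,
        "cracked_without_blacklist": plain,
        "pct_without_blacklist": round(plain_frac * 100, 2),
        "cracked_with_blacklist": listed,
        "pct_with_blacklist": round(listed_frac * 100, 2),
        "missing_from_blacklist": not_blacklisted(freq_table[:n], blacklist),
    }


if __name__ == "__main__":
    for key, value in top_n_report(TOP10, TOTAL_PASSWORDS, EXAMPLE_BLACKLIST).items():
        print(f"{key}: {value}")
```

Swapping `TOP10` for the full ranked list and `EXAMPLE_BLACKLIST` for a real site blacklist reproduces the post's 100-guess figures; the "missing_from_blacklist" output is the list a site operator would want to add.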

Well, that's one question down. Keep them coming!

Thursday, December 24, 2009

RockYou Hacked: 32 Million, (yes that's Million), Passwords Stolen

As the title implies, the popular Facebook and MySpace game/widget maker RockYou was hacked, with the hack becoming public last week Tuesday, December 15th. What's worse is that RockYou stored all of their passwords in the clear, (no hashing), so 32 million plaintext passwords were stolen. I've been doing some digging into this so I can add something to the conversation, but for a great general overview I highly recommend reading TechCrunch's writeup.

First of all, if you have ever used the following social networking applications, you probably should change your password ... like right now.
  • Slideshow
  • Uploadphoto
  • Photofx
  • Glittertext
  • Funnotes
  • Countdown
  • Superhug
  • Myspace layouts
  • Stickers
  • Superwall
  • Pieces of flair
  • Speedracing
  • Likeness
  • Hugme
  • Birthday cards
Yup, that's why we're talking about 32 million user accounts, (though in all fairness, many of those user accounts are almost certainly duplicates created by the same person).

One day after the attack became public, the hacker gave an interview over at readwriteweb talking about password security in general. He, (I'm going to assume he's a guy since the nickname he gave was Tom), basically said around 30% of all websites still store user credentials in plain text. He also said the most important thing users can do is choose different passwords for different sites since they can't rely on those sites to protect them.

I'll certainly agree with that. I'll also agree that Rockyou should be held responsible for A) Not storing passwords securely, and more importantly B) Trying to cover up the hack after the fact. When Rockyou tried to downplay the impact of the hack, (by claiming it only affected some of their older programs), it was really a sleazeball move. That being said, I can't condone the hacker, (Tom), either, since his behavior is unacceptable. It's one thing to point out a vulnerability. It's another thing to exploit it.

Probably the most interesting part of the interview was that they referred to the hacker's blog. Apparently he also goes by the handle 'igigi'. I guess that sounds better than Tom ;) As far as I can tell, he chose igigi because that's what ancient Sumerians called angels. Either that or he's really into plus-sized clothing. Now is it just me, or is it weird that someone actively hacking into websites is giving interviews and keeping a blog?

The thing is, igigi probably wasn't the first person to hack into RockYou. According to Imperva, an internet security company, they originally discovered the exploit being talked about on a hacking forum about a week earlier, and several of the webmail accounts associated with those logins have since been flagged as being hijacked by spammers. Looking at igigi's blog, his first entry was December 6th 2009. I guess what I'm trying to say is there's a definite possibility that he stumbled upon an exploit that someone else had posted and decided to cash in on some fame. Either that or he isn't as white/grey hat as he claims to be. RockYou is the only English site he's claimed to hack; all of the other sites have been Slovak or Czech, which gives you an idea of where he's from, (and/or which forums he reads). I did some additional searches and I haven't been able to find any trace of igigi before December, though my ability to do research into the other sites he's hacked has been limited because Google's Czech to English translator leaves a lot to be desired.

All this is just a run-up to the news that on Monday igigi posted the entire password list, minus the usernames and e-mail addresses. The original rapidshare links no longer work, (or I wouldn't have posted a link to his blog), but the list certainly is still out there on the net if you know where to look. Just a warning though, there are also some copies of it that contain nothing but viruses and fail. Here's a hint, if the list claims to be a self-extracting executable, don't click on it...

Dealing with such a large list has had its own challenges, (though I certainly can't complain). Even opening it with vi takes about a minute, and for searches I've resorted to catting it into grep. I've also discovered that I probably should have used some more efficient algorithms in a couple of my analysis tools.

Here are some of the basic statistics:
  • Total Plaintext Values Parsed: 32,603,387
  • Average Password Length of Parsed Passwords: 7.88
  • Average Complexity Level of Parsed Passwords: 1.94
  • Percentage of Passwords that have an uppercase character: 5.94%
  • Percentage of Passwords that have a special character: 3.42%
  • Percentage of Passwords that have a digit: 54.02%
  • Percentage of Passwords that only have lower characters: 41.68%
Overall Letter Frequency Analysis:
ae1ionrls02tm3c98dy54hu6b7kgpjvfwzAxEIOLRNSTMqC.DBYH_!UPKGJ-* @VFWZ#/X$à,¸\&+=Q?)(';%"]Ã~:[^

First Letter Frequency Analysis:
sm1cba0pljdtrk2hgfniew39v45o8y76MzSBACJLquDPTxRKGHNFIEW*VOY#Z@!Q($.UXà-_<~[/+,;="`?&%Ã:^

Last Letter Frequency Analysis:
1ae326sn5794y08roltdihgmukzc!pxwbA.fEj*SNYOvRLqDT@IHM$?KG)U_-ZC+#PXB/,WJ]%;F'~=V`^\&Q"> (:

Quick Analysis:
The first thing that stands out is that many of the passwords don't meet RockYou's password policy. RockYou requires users to create a password between 5 and 15 characters, and passwords cannot contain special characters. With this dataset though, 78,404 passwords were less than five characters long, and 258,835 passwords were longer than fifteen characters. As already mentioned, 3.42% of the passwords also contained a special character. This seems to imply that a lot of RockYou's applications use a different password creation policy. Since many of the widgets manage Facebook/MySpace info, it's a fair bet that they require the user to enter their Facebook/MySpace password, which is what we're seeing in this dataset.
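The basic statistics listed above (average length, complexity level, character-class percentages, the overall/first/last letter frequency strings) and the policy check in this paragraph (shorter than 5, longer than 15, contains a special character) can all be produced with one pass over a plaintext list. The following is an added example written for this post, not the analysis tool the author used; the input is a constructed ten-password sample rather than RockYou data, and "complexity level" is assumed here to mean the number of distinct character classes (lower, upper, digit, special) in a password, which is my reading, not a definition the post gives. Function names are my own.

```python
from collections import Counter

# Constructed sample for demonstration; not taken from the RockYou list.
SAMPLE_PASSWORDS = [
    "123456", "password", "iloveyou", "Princess1", "abc123",
    "p@ssw0rd", "1234", "supercalifragilistic", "monkey", "qwerty",
]


def char_classes(pw):
    """Which of the four classes (lower, upper, digit, special) appear in pw."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def complexity(pw):
    """Assumed definition of 'complexity level': number of distinct classes used."""
    return sum(char_classes(pw).values())


def summarize(passwords):
    """Totals and percentages in the same shape as the post's statistics list."""
    n = len(passwords)
    classes = [char_classes(pw) for pw in passwords]
    pct = lambda flag: round(100.0 * sum(1 for c in classes if flag(c)) / n, 2)
    return {
        "total": n,
        "avg_length": round(sum(len(pw) for pw in passwords) / n, 2),
        "avg_complexity": round(sum(complexity(pw) for pw in passwords) / n, 2),
        "pct_upper": pct(lambda c: c["upper"]),
        "pct_special": pct(lambda c: c["special"]),
        "pct_digit": pct(lambda c: c["digit"]),
        "pct_lower_only": pct(lambda c: c["lower"] and not (c["upper"] or c["digit"] or c["special"])),
    }


def letter_frequency(passwords, position=None):
    """Characters ordered from most to least frequent, as one string (like the
    post's frequency strings). position=None counts every character; 0 counts
    first letters, -1 last letters. Ties are broken by character so the output
    is deterministic."""
    counts = Counter()
    for pw in passwords:
        if not pw:
            continue
        if position is None:
            counts.update(pw)
        else:
            counts[pw[position]] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "".join(ch for ch, _ in ordered)


def policy_violations(passwords, min_len=5, max_len=15):
    """Count passwords that break a '5-15 characters, no specials' policy."""
    return {
        "too_short": sum(1 for pw in passwords if len(pw) < min_len),
        "too_long": sum(1 for pw in passwords if len(pw) > max_len),
        "has_special": sum(1 for pw in passwords if char_classes(pw)["special"]),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_PASSWORDS).items():
        print(f"{k}: {v}")
    print("overall:", letter_frequency(SAMPLE_PASSWORDS))
    print("first:  ", letter_frequency(SAMPLE_PASSWORDS, 0))
    print("last:   ", letter_frequency(SAMPLE_PASSWORDS, -1))
    print(policy_violations(SAMPLE_PASSWORDS))
```

On a real dump, read the file line by line into the functions instead of holding a list, since the whole point of the post's "catting it into grep" remark is that a 32 million line file does not fit comfortably in memory-hungry tools.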

Well, it's Christmas Eve, so I'm going to leave further analysis till later. As a Christmas/Hanukkah/Seasonal present I would really appreciate it if you guys let me know in the comments or via e-mail what you would be interested in finding out about this list. That way I can focus on what's useful to you vs. just posting random statistics like I did above ;)

Tuesday, December 1, 2009

Google Wave Invite

I've been playing around with Google Wave, and received a couple of extra invites to the free beta. If you are interested, let me know and I'll send one your way.

My short review: It looks like one of those tools where it takes a lot of work to gain any benefit from it. That being said, if you are collaborating with a lot of people on several different projects it has real potential.