The Syrian Electronic Army (SEA), the pro-Assad hacktivist group famous for its attacks on western media outlets, breached Forbes’s network last weekend, exposing more than one million usernames, email addresses and password hashes online.
It’s a little scary that the parade of data breaches makes many of us roll our eyes and sigh, “another day, another breach.” After all, 2013 was the worst year for data breaches yet, with more than 820 million records leaked. But if we step back for a moment and examine the Forbes.com breach, we can learn a lot about the sorry state of password security.
Paul Ducklin, senior security analyst at Sophos, examined the exposed password hashes and recovered the logins for thousands of Forbes.com users. In a post at Naked Security, Duck shows us how weak user passwords made it easy to crack thousands of them in less than an hour, despite Forbes’s use of hashes to protect them.
As Duck explains, password hashes are those scrambulated text strings that smarter websites store so that they can validate your password without actually having to store it in plain text. This makes life tougher for crooks who manage to steal the password database, because they can’t read off the passwords directly, but have to try a huge list of guesses, hoping to come up with the right hash.
Fortunately, in Forbes’s case, the hash scrambulation system was configured so that it was deliberately time consuming. So users who chose decent passwords ought to be safe against the crooks’ guesswork for long enough to log in and change their password to something new.
But those of us who use weak passwords can be hacked in almost no time.
Duck started with the 500 or so Forbes staffers who had logins on the company’s own site, and recovered about 25% of their passwords in under an hour. Not even the smart people working at Forbes are immune from bad passwords, as the most common password he recovered was forbes1.
When Duck looked for email addresses from Gmail, Yahoo, AOL and Hotmail, he decided to compare the users from the “big four” webmail services to see which group had the best, and worst, passwords.
Are Gmail users smarter and better informed about security than Yahoo, Hotmail and AOL users, for example? You might be surprised (hint: they are not).
There was some good news, however: it seems as though users who signed up to Forbes in 2013 and 2014 were much less likely to choose an easily-guessed password than those who joined in 2012 or earlier. That’s a positive sign!
Not everyone got it right, though, as Duck wryly observed in an email exchange with Sophos Blog: “If your password is ‘changeme,’ why didn’t you?”
Check out Duck’s article at Naked Security to learn more about his findings.
And if you’re worried about your own password security, here are some easy ways to create hard-to-crack passwords.