Gawker Passwords, etc.

random($foo) is the personal site of Leonard Lin, where I collect shiny things and publish original writing and code.

I have work deadlines, so I haven’t been able to write a well-constructed post about this; however, a few things:

  • To check if you had a Gawker account (there are 1.25M of them, so you might have one even if you didn’t realize it) I recommend: http://gawkercheck.com/. Note: even if your password wasn’t unhashed (cracked), consider it compromised. These passwords are hashed with DES crypt, which is not adequate to stop attackers: the keyspace is too small. For more info on DES (and probably the best post-mortem so far), see this Forbes blog post.
  • This is as good a time as any to manage your passwords properly. A lot of people (including me) are using 1Password. It’s currently available as part of the MacUpdate December 2010 Software Bundle. LastPass also looks like a good solution and is free ($12/yr for mobile support). PwdHash and KeePass are also options.
  • According to the FAQ, Gawker claims it will be sending emails eventually (and some people are already doing so themselves). What I did last night, and maybe a good thing to do for your friends if you are an uber-geek, is to go through your friends list, grep through the torrent database, and let them know personally if their account has been compromised, especially if the password has been unhashed.
  • Oh, lastly, if you’re a geek w/ your hash and want to check on whether it’s a reused password or not, you can pretty easily fire up a python shell and see if it matches:
    import crypt
    password = 'your_password'   # the password you want to test
    hash = 'your_hash'           # the 13-character crypt string from the leaked database
    salt = hash[0:2]             # traditional DES crypt: the first two characters are the salt
    print(crypt.crypt(password, salt) == hash)  # True if that password produced that hash

    If you’re not sure though, audit your passwords anyway when you have a spare hour or two. You’ll feel better, trust me.
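    As an added example (not code from the original post), here is a slightly more complete version of the check above, together with a demonstration of why DES crypt’s keyspace is so small: it silently uses only the first 8 characters of a password, so any two passwords that share those 8 characters produce the same hash. It assumes the 13-character traditional crypt format (2-character salt followed by 11 hash characters) and uses the standard-library crypt module, which is deprecated in Python 3.11 and removed in 3.13, so every function degrades to None when DES crypt is unavailable on your platform. The sample password and salt are constructed, not taken from the leak.

```python
"""Check a candidate password against a traditional DES crypt(3) hash.

Added example; not code from the original post. Assumes the 13-character
traditional crypt format (2-char salt + 11-char hash). The stdlib `crypt`
module is optional (deprecated in 3.11, removed in 3.13), so every function
returns None when DES crypt cannot be computed here.
"""
try:
    import crypt  # stdlib binding to the platform's crypt(3)
except ImportError:  # Python >= 3.13 no longer ships it
    crypt = None

CRYPT_LEN = 13          # traditional DES crypt strings are always 13 chars
SALT_LEN = 2            # the first two characters are the salt
DES_PASSWORD_LIMIT = 8  # DES crypt silently ignores everything past 8 characters


def split_crypt_hash(stored):
    """Return (salt, digest) from a 13-character traditional crypt string."""
    if len(stored) != CRYPT_LEN:
        raise ValueError("not a traditional DES crypt hash: %r" % (stored,))
    return stored[:SALT_LEN], stored[SALT_LEN:]


def make_crypt_hash(password, salt):
    """Hash `password` with DES crypt under `salt`, or None if unsupported."""
    if crypt is None or len(salt) != SALT_LEN:
        return None
    try:
        result = crypt.crypt(password, salt)
    except (OSError, ValueError):
        return None
    # A libxcrypt built without DES returns a failure token instead of a hash.
    if not result or len(result) != CRYPT_LEN or not result.startswith(salt):
        return None
    return result


def verify_crypt(password, stored):
    """True/False if `password` hashes to `stored`; None if DES crypt is unavailable."""
    salt, _digest = split_crypt_hash(stored)
    computed = make_crypt_hash(password, salt)
    if computed is None:
        return None
    return computed == stored


def matching_candidates(stored, candidates):
    """Reuse audit: which of your own candidate passwords produced `stored`?"""
    return [p for p in candidates if verify_crypt(p, stored)]


def effective_password(password):
    """The part of `password` that DES crypt actually uses: the first 8 characters."""
    return password[:DES_PASSWORD_LIMIT]


if __name__ == "__main__":
    # Constructed demo values, not from the leaked database.
    stored = make_crypt_hash("correct horse battery staple", "ab")
    if stored is None:
        print("DES crypt is not available on this Python/platform")
    else:
        print("stored hash:", stored)
        print("matches:", matching_candidates(stored, ["hunter2", "correct horse battery staple"]))
        # Truncation: a different password with the same first 8 characters still verifies.
        print("truncated match:", verify_crypt("correct horse", stored))
```

    The truncation check is the practical takeaway: a long passphrase gave you no extra protection in this database, so even a password that was never “unhashed” should be treated as exposed.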

  • David

    What does it mean if the hash generated here does not equal the one in the file?

  • lhl (http://randomfoo.net/)

    It means that the password is different. You can test to see if you're doing it right by comparing some decrypted passwords from parsed_db to the hash in full_db. If those don't match it means you've typed wrong or something.

  • bon

    From the python example above, does it mean the salt is the first two characters of the crypted password from full_db?
    crypt.crypt(password, salt) == hash # -> means password variable contains password i used to create account

  • lhl (http://randomfoo.net/)