Nmap Development mailing list archives

Gawker hacked: Another trove of password data


From: Fyodor <fyodor () insecure org>
Date: Sun, 12 Dec 2010 17:07:15 -0800

It looks like Gawker (mostly a network of gossip sites) has been
compromised.  The attackers posted more than a million usernames,
email addresses, and password hashes:

http://yro.slashdot.org/story/10/12/12/2234252/Gawker-Source-Code-and-Databases-Compromised

That is obviously unfortunate for Gawker and their users, but it does
give us more real-life password frequency data to use for improving
Nmap.  It looks like the torrent file contains 1.2 million records,
most of which include password hashes (some small percentage just say
"NULL").  It looks like they are probably using crypt(), but I'm not
certain.  The readme.txt says it is DES based and only allows up to 8
characters, and the hashes are 13 chars long, so it seems like
crypt().

The torrent also includes cracked passwords for a subset of those DB
records (188,281 accounts).

I can easily add the 188,000 already-cracked accounts to the Nmap
password frequency files, but does anyone have time and computing
resources to start on cracking the rest?  I recall that Brandon was
able to crack a very large percentage of the PHPBB password hashes we
found before.  And I recall that members of this list scored very well
in the Defcon password cracking contest this year :).

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
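To make the hash-shape reasoning in the post concrete (13-character strings over the crypt(3) alphabet, fields that just say NULL, a two-character salt), here is an added Python example, not from the post or from Nmap, that classifies password fields from a constructed set of records and counts the distinct salts. The record layout and the sample values are assumptions.

```python
import re
from collections import Counter

# Traditional DES-based crypt(3) output: 2-char salt + 11-char hash,
# all drawn from the 64-symbol alphabet [./0-9A-Za-z], 13 chars total.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(value):
    """Classify one stored password field from a DB dump.

    Returns 'null' for an empty or literal NULL field, 'des_crypt' for a
    string with the traditional 13-character crypt(3) shape, else 'other'
    (e.g. a '$1$...' MD5-crypt string, which this scheme is not).
    """
    if value is None or value.strip().upper() in ("", "NULL"):
        return "null"
    if _DES_CRYPT_RE.match(value):
        return "des_crypt"
    return "other"


def summarize(records):
    """records: iterable of (username, email, hash_field) tuples.

    Returns per-class counts and the number of distinct salts among the
    crypt(3) hashes.  DES crypt has only a 12-bit salt (4096 values) and
    truncates passwords to 8 characters, so a small salt set means many
    users share salts and an auditor should treat the scheme as obsolete.
    """
    classes = Counter()
    salts = set()
    for _user, _email, h in records:
        kind = classify_hash(h)
        classes[kind] += 1
        if kind == "des_crypt":
            salts.add(h[:2])  # first two chars are the salt
    return {"classes": dict(classes), "distinct_salts": len(salts)}


# Constructed sample records (hypothetical users and hash values).
SAMPLE_RECORDS = [
    ("alice", "alice@example.invalid", "abJnggxhB/yWI"),
    ("bob", "bob@example.invalid", "NULL"),
    ("carol", "carol@example.invalid", "ab0Q3HmL9EWXk"),
    ("dave", "dave@example.invalid", "$1$saltsalt$abcdefghijklmnopqrstuv"),
    ("erin", "erin@example.invalid", ""),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```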