Editing
Password cracking
(section)
==Incidents==
On July 16, 1998, [[CERT Coordination Center|CERT]] reported an incident where an attacker had found 186,126 encrypted passwords. By the time the breach was discovered, 47,642 passwords had already been cracked.<ref name="CERT IN-98.03">{{cite web |title=CERT IN-98.03 |url=http://www.cert.org/incident_notes/IN-98.03.html |access-date=September 9, 2009 |url-status=dead |archive-url=https://web.archive.org/web/20100709212628/http://www.cert.org/incident_notes/IN-98.03.html |archive-date=2010-07-09}}</ref>

In December 2009, a major password breach of [[RockYou|Rockyou.com]] occurred that led to the release of 32 million passwords. The attacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the internet. Passwords were stored in [[Plaintext|cleartext]] in the database and were extracted through an [[SQL injection]] vulnerability. The [[Imperva]] Application Defense Center (ADC) did an analysis on the strength of the passwords.<ref name=":1">{{cite web |title=Consumer Password Worst Practices |website=Imperva.com |url=https://www.imperva.com/docs/gated/WP_Consumer_Password_Worst_Practices.pdf}}</ref> Some of the key findings were:
* about 30% of users chose passwords whose length was below seven characters,
* almost 60% of users chose their passwords from a limited set of alpha-numeric characters, and
* nearly 50% of users used names, slang words, dictionary words, or trivial passwords that employed weak constructs such as consecutive digits and/or adjacent keyboard {{nowrap|keys{{hsp}}{{mdash}}}}{{hsp}}case in point, the most common password among RockYou account owners was simply “123456”.<ref name=":1" />

In June 2011, [[NATO]] (North Atlantic Treaty Organization) suffered a security breach that led to the public release of first and last names, usernames, and passwords of more than 11,000 registered users of their e-bookshop. The data were leaked as part of [[Operation AntiSec]], a movement that includes [[Anonymous (group)|Anonymous]], [[LulzSec]], and other hacking groups and individuals.<ref>{{cite web |title=NATO Hack Attack |website=[[The Register]] |url=https://www.theregister.com/2011/06/24/nato_hack_attack/ |access-date=July 24, 2011}}</ref>

On July 11, 2011, [[Booz Allen Hamilton]], a large American consulting firm that does a substantial amount of work for [[the Pentagon]], had its servers hacked by [[Anonymous (group)|Anonymous]] and leaked the same day. "The leak, dubbed 'Military Meltdown Monday', includes 90,000 logins of military personnel—including personnel from [[United States Central Command|USCENTCOM]], [[United States Special Operations Command|SOCOM]], the [[United States Marine Corps|Marine Corps]], various [[United States Air Force|Air Force]] facilities, [[Homeland Security]], [[United States State Department|State Department]] staff, and what looks like private-sector contractors."<ref>{{cite web |url=https://gizmodo.com/anonymous-leaks-90-000-military-email-accounts-in-lates-5820049 |title=Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack |date=July 11, 2011}}</ref> These leaked passwords were found to be hashed with [[salt (cryptography)|unsalted]] [[SHA-1]], and were later analyzed by the ADC team at [[Imperva]], revealing that even some military personnel used passwords as weak as "1234".<ref>{{cite web |title=Military Password Analysis |date=July 12, 2011 |website=Imperva.com |url=https://www.imperva.com/blog/military-password-analysis/}}</ref>

On July 18, 2011, Microsoft Hotmail banned the password: "123456".<ref>{{cite web |title=Microsoft's Hotmail Bans 123456 |website=Imperva.com |date=July 18, 2011 |url=http://blog.imperva.com/2011/07/microsofts-hotmail-bans-123456.html |url-status=dead |archive-url=https://web.archive.org/web/20120327010416/http://blog.imperva.com/2011/07/microsofts-hotmail-bans-123456.html |archive-date=March 27, 2012}}</ref>

In July 2015, a group calling itself "The Impact Team" [[Ashley Madison data breach|stole the user data of Ashley Madison]].<ref>{{cite web |title=Ashley Madison: Hackers Dump Stolen Dating Site Data |url=https://www.bankinfosecurity.com/ashley-madison-hackers-dump-stolen-dating-site-data-a-8484 |access-date=April 11, 2021 |website=bankinfosecurity.com |language=en}}</ref> Many passwords were hashed using both the relatively strong [[bcrypt]] algorithm and the weaker [[MD5]] hash. Attacking the latter algorithm allowed some 11 million plaintext passwords to be recovered by password cracking group CynoSure Prime.<ref>{{cite web |title=Researchers Crack 11 Million Ashley Madison Passwords |url=https://www.bankinfosecurity.com/researchers-crack-11-million-ashley-madison-passwords-a-8528 |access-date=April 11, 2021 |website=bankinfosecurity.com |language=en}}</ref>
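
The weak constructs named in the incidents above (lengths below seven characters, purely alphanumeric choices, consecutive digits or adjacent keyboard keys, and the banned "123456") can be screened for at the moment a password is set. The following is an added example, not part of the original article or of any cited source; the function names, the four-character run threshold, and the reading of "limited set of alpha-numeric characters" as ASCII letters and digits only are assumptions made for illustration.

```python
import string

MIN_LENGTH = 7                  # the analysis flagged lengths below seven
BANNED = {"123456", "1234"}     # the two passwords quoted in the article
RUN = 4                         # assumed: shortest run treated as a pattern
ALNUM = set(string.ascii_letters + string.digits)
# Digit and alphabet orderings plus the three letter rows of a QWERTY keyboard.
SEQUENCES = ("0123456789", "1234567890", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(password):
    """True if any RUN-character window follows a sequence, in either direction."""
    low = password.lower()
    windows = {low[i:i + RUN] for i in range(len(low) - RUN + 1)}
    return any(w in seq or w in seq[::-1] for w in windows for seq in SEQUENCES)


def weaknesses(password):
    """Return the reasons (possibly none) a candidate password should be refused."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if password.lower() in BANNED:
        reasons.append("banned")
    if has_sequence(password):
        reasons.append("sequence")
    # Assumed reading of "limited set of alpha-numeric characters".
    if password and set(password) <= ALNUM:
        reasons.append("alnum_only")
    return reasons


if __name__ == "__main__":
    # Sample candidates put together for this example, not from any leaked data set.
    for candidate in ("123456", "qwerty12", "4321zz!!", "Tr0ub4dor&3x"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'accepted'}")
```

A check of this kind only limits what users can choose; it does not change how the stored value should be protected, which is the separate point the unsalted SHA-1 and MD5 incidents illustrate.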