This morning, while going through some very old emails that I had somehow overlooked (not good, I know), and found a notice of a breach, from a site I had used while taking a security course online. Of all the places I would not have guessed it would be, it was “Gravatar” when I had originally signed up with them years ago, before WordPress acquired it. While some of you may already be aware of this breach, I thought I would share it for those who are not. I hope some of this information, on how hackers get, and use your password helps you understand the importance of a strong password.
Apparently in October 2020, Gravatar suffered a data breach which exposed 113,990,759 accounts.
In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars. 167 million names, usernames and MD5 hashes of email addresses used to reference users’ avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.
If you’re ever curious
Way back then, when starting my Blog, I was rather dumb and had used a simple password. While this site, alerting me to the breach, doesn’t know your password, they just notify you when your email is involved with a breach. I learned how passwords are cracked while taking a cybersecurity class. The password I had chosen, back then, was a pretty weak one that would probably be found in a word-list used by most security auditors and hackers. I changed it this morning. If you’re ever curious if your information has been “possibly” compromised, you can visit the site, and test your password. Basically, when you test your password, it is compared to all the lists (word-lists that hackers use) and if found, it lets you know what breach it was found in, and the date, so you can go change that password to something stronger. The site is “Have I been Pawned”. Pawned being a slang word used by hackers to denote a compromise of something.
I have used this site for years, and the man running it is a well known security speaker.
Many users are unaware of how hackers work to get passwords. So here is a crash course, on what a word-list is, and how it can be used by nefarious persons.
Your password is known only to you, unless you share it. A password, you create for a site, is then “encrypted” as a “hash”. A hash is a result of the encryption and looks more like a string of numbers. For instance, if I were to use Superman as a password, and the site used MD5 hash encryption, it would now look like this 527d60cd4715db174ad56cda34ab2dce. No one would glean “Superman” from that.
One hash at the time.
However, when a data-breach occurs, The bad guys get the password hash. Sometimes they even get the username as well. While this in itself is unusable, because all they see is the “hash” for the password, they then utilize a program that is capable of taking huge lists of words, turning them into “hashes”, and then comparing each “word hash” to see if it matches your password hash, in this case “Superman”. One hash at the time. Now, this may sound time-consuming, but computers are fast. My computer, during the security course, processed 138,000+ hashes or “hash comparisons” per second. Or 102 hashes every millisecond. “Superman” can be found in standard word-lists in about milliseconds. Imagine what several computers linked together could do. This is why, choosing a good password is important. Never use a regular word, such as a name, object, or subject, in other languages, unless the words are strung together, such as our example here, Ihabcouch@2endtables
Where do these word-lists come from? Word-lists, are simply a file of words, one word per line. They are generated from Dictionaries, Bibles, Foreign languages, names, events, anything a person might use for a simple password. Added to the list are passwords that have been cracked and leaked online by hackers. Sometimes a website (even large ones) have been found to have forgotten to encrypt the passwords, and they were stored in the database in “plain text”. Those are found, leaked, and added to the circulating word-lists. So if your account was involved in a data-breach, and you used a simple password found in a list, then they now have your email maybe your username, and password. They go to your email account, plug in your password and wreak havoc using your account for spam.
How big are the lists? Amazingly small, and large. I’ve seen pretty effective lists of about 120 MB that contains around 10,937,952 words. Then you have lists that are 5+ GB and larger, so use your imagination of how many words and combinations of words would be in that list.
passwords like 12345678
Many times while working on someone’s machine, they had to provide the password for me, at which time I always counseled them to change it, when the work was done. No one, not even me, should have that password. It is yours and yours alone. I would find passwords like 12345678, password, iloveyou, ilovebob. Yes, these were actually seen by me. Or a person on a website about flowers using Rosebud, Camellia, etc. I worked on my brother-in-law’s computer once, and he had his first name, as his email password! Although it was long enough, it was simply a name in any list of people’s names.
I hope this helps understand why it is important to have a good password. Not just something simple for the sake of “senior moment” memories, of which I have. Michelle describes my attributes as, “The compassion of a rock at times, attention span of a gnat, and memory like a leaky bucket.”
Password Tip
I sometimes use my home and items to make up an easy, strong, memorable password. Like, I have a brown couch & 2 endtables
Ihabcouch&2endtables Comes out to 20 characters, upper and lower case, a symbol, and a number. Yet after using it several times, repeating it as I type, and remembering to use the & symbol for the “and”. Since it’s not in a word-list, a brute-force cracking would take 42 quintillion years.
If you have questions, please feel free to ask them in the comments.
Note: information contained herein, is for educational purposes only, to assist others in a more secure online experience.
Update: 12/06/21 8:46pm
The service, “Gravatar” has stated they don’t consider this a “breech” of user data.
Many Gravatar users were not satisfied with the service’s explanation that all of the information users entered was public, which disqualified the incident from being labeled a breach. In the same explanation, however, the service claims the API was abused, instead of admitting that it was vulnerable and could have been better protected.
Source
It would appear to me, that even though they claim, the information of users entered is public. Yet in the same breath state the service API was “abused” which means it was used for other than its intended function by someone without permission to do so. I call that a hack or breach, by any other name. You can follow the source link above, and make your own determination.
Thanks for the great tips, Ron. You don’t have a reblog button, so I am going to post a link to your post instead.
Best wishes, Pete.
Hello, Pete. No, being self-hosted they don’t give us a reblog button, might cramp their profits to share non-hosted blogs. I’m glad you enjoyed it. Thanks for sharing it.
Great info!
Thank you very much! Glad you enjoyed it.
Wow! I don’t use simple words but I have to review what I do use. I have to keep a list. I just can’t remember over a 100 passwords. Any tips on storing?
There are several good ones out there, according to reviews. I don’t use any myself. Preferring to memorize and store them in an encrypted file on my own system. I think the site that provides the service I mentioned recommends a good one.
I use about 5, strong, easy to memorize passwords that I rotate. They suggest that you don’t reuse passwords, but if you have really strong well-made ones, then they are just as good as the randomly generated ones, and easier to remember. Plus, you don’t have so many to keep up with. I can always look back at my list of sites that are encrypted that I always right down, to know which site uses that password. Easier to fix, if one is ever compromised, “Knock on wood”. 27 years so far.
I’ve used this method for the last 27 years, and the only two hacked accounts, were from my beginning years in computing. They used very simple words.
Much like Kate, I have a huge number of “password-necessary” places I go to. I tend to keep a hardcopy of them all, which is suitably disguised of course. There are a number of apps which store your Passwords and/or convert them as you use them so you don’t have to remember anything however …. what happens if the App company gets hacked? Rather like a “heads you win … tails I lose” scenario. Your thoughts?
Password holding sites can, and have been compromised, but if you use the randomly generated password they pick for you, or a very good one you made yourself, it is very safe, as they are strong and not found in the average list, which would require brute forcing, which is too time intensive for hackers to bother with, unless you have enough gold to fill Fort Knox. Haha.
great info! thanks!
You’re most welcome, lolaWi. Thanks for checking it out.
I’m registered with a site called Have I Been Pwned: is this the same one you mention in your post, Ron? I was notified of the Gravatar hack, and a couple of others previously. So far, the worst result has been a massive increase in spam to my personal account: annoying enough, but easy enough to trash immediately. Cheers, Jon.
Yes, Wilfred, that is the same site I have used since its inception.
Thanks Ron 😀 Wilfred Books is my company name: I’m Jon! Cheers.
Thank you, Ron this information is very useful…I have never used 123456 but some of my passwords are linked to my passions (cooking/environmental ) from reading your post a hacker might work those out…Thank you once again very helpful 🙂
I’m glad it was helpful. I like to drop tidbits of tech, from time to time. You never know when it might help someone to look for a solution.
Thanks so much, for your kind comment.
Thank you, Ron it was most helpful 🙂
Thanks Ron – this was interesting. It is amazing and downright scary just how quickly a password thief can access your information.
I hope it can help you, at some point, Linda. Thanks, for the comment.
Excellent post, Ron!! Better late than never, eh? I’m behind in my reading of posts – just as I’m behind in writing my own posts. Anyway, I’m going to definitely run my passwords on the site you mention. Thank you for all of this!!!
I’m way behind as well. I’ll get caught up though, before long.