The disclosures on this website have been made available publicly so that users can find out if they were exposed as a result of the releases made by hackers. To find out if your account made it into a disclosure list, enter your email into the search box provided at the top right of the respective list. We have made considerable efforts to ensure the published emails do not get harvested by spammers. This includes, but is not limited to, the use of tools such as https://github.com/ayeowch/banshee. If your account is listed in a disclosure list, you are advised to change your password immediately if it is still in use elsewhere. Even if your accounts are not affected, we strongly urge you to use strong passwords if you haven't already. Google's tips on strong passwords are a good place to start.
Passwords are the first line of defense against hackers. We all know how important it is to pick a strong password, and as administrators there is no reason for us not to hash and store passwords safely in the database. However, as you may have already noticed from the disclosures published on this website, many of the leaked databases do not protect the passwords properly: most of them are hashed without a salt using MD5 or SHA1. To make matters worse, users generally choose passwords that are easy to guess, weak and susceptible to dictionary attacks. It is also not uncommon for users to reuse their passwords and keep them unchanged indefinitely.
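The contrast drawn above, as an added example that is not part of the original page: the unsalted MD5 storage found in the leaked databases beside per-user salted, iterated storage. The KDF (PBKDF2-HMAC-SHA256), iteration count and record format are choices made here, and the two sample users are constructed.

```python
import hashlib
import hmac
import os

# Added example (not from the original page): the unsalted MD5 storage seen in
# the leaked databases beside a per-user salted, iterated scheme.
# Scheme (PBKDF2-HMAC-SHA256) and record format are choices made here.
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware's budget

def store_unsalted_md5(password):
    """Weak: every user with the same password gets the same hash, so a single
    wordlist run over the dump recovers all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def store_salted(password, iterations=PBKDF2_ITERATIONS):
    """Hardened: random 16-byte salt per user plus an iterated KDF, stored as
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

def demo(iterations=1_000):
    """Two constructed users who picked the same weak password; the cost is
    lowered here only so the demo runs quickly."""
    users = {"alice@example.com": "123456", "bob@example.com": "123456"}
    weak = {u: store_unsalted_md5(p) for u, p in users.items()}
    strong = {u: store_salted(p, iterations) for u, p in users.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = demo()
    print("unsalted MD5 (identical):", weak)
    print("salted PBKDF2 (distinct):", strong)
```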
In our disclosures, we use John the Ripper (JtR) to recover cleartext passwords from the MD5 or SHA1 hashes. JtR is free software under the GPL2 license and is available for download from http://www.openwall.com/john/. In most cases, we first run JtR with a password dictionary, e.g. john --format=raw-MD5 --wordlist=<PASSWORD_DICTIONARY> --rules <LIST_OF_HASHES_TO_CRACK>. This is known as wordlist mode in JtR.
<LIST_OF_HASHES_TO_CRACK> is a newline-separated list of <UID>:<HASH> entries extracted from the leaked database. The success rate of this approach depends on the quality of the <PASSWORD_DICTIONARY> you use. The --rules option instructs JtR to also mangle each dictionary word according to the rules defined in the default JtR configuration. By running JtR in wordlist mode with our publicly available password dictionary against 71,222 MD5 hashes from rootkit.com, we were able to recover 32,880 of the hashes (46%) as cleartext passwords.
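The wordlist-plus-rules workflow above, as an added example (not code from the original page or from the JtR project) that an administrator can run over a copy of their own user table to measure how much of it falls to a dictionary: it parses the <UID>:<HASH> format, applies a tiny subset of mangling rules, and reports the cracked fraction. The sample dump, wordlist and rule subset are constructed here.

```python
import hashlib

# Added example (not part of the original page): an offline audit that mimics
# JtR's wordlist mode with a handful of mangling rules, run over unsalted
# MD5 (or SHA1) hashes in the <UID>:<HASH> format described above.

def mangle(word):
    """A tiny subset of JtR's default rules: case variants, reversal and
    common suffixes, combined so that 'hello' also yields 'Hello123'."""
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        yield base
        for suffix in ("1", "123", "!", "2011"):
            yield base + suffix

def build_table(wordlist, algo="md5"):
    """Precompute digest -> candidate; with no salt, cracking is a plain lookup."""
    table = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.new(algo, cand.encode("utf-8")).hexdigest()
            table.setdefault(digest, cand)
    return table

def audit(dump_lines, wordlist, algo="md5"):
    """Parse <UID>:<HASH> lines and report which users fall to the wordlist."""
    table = build_table(wordlist, algo)
    cracked, total = {}, 0
    for line in dump_lines:
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        uid, digest = line.split(":", 1)
        total += 1
        hit = table.get(digest.strip().lower())
        if hit is not None:
            cracked[uid] = hit
    return cracked, total, (len(cracked) / total if total else 0.0)

# Constructed sample: a small leaked-style dump built from made-up accounts.
_SAMPLE_USERS = {"u1001": "password", "u1002": "Hello123",
                 "u1003": "Tr0ub4dor&3", "u1004": "qwerty1"}
SAMPLE_DUMP = [f"{uid}:{hashlib.md5(pw.encode()).hexdigest()}"
               for uid, pw in _SAMPLE_USERS.items()]
SAMPLE_WORDLIST = ["password", "hello", "qwerty"]

if __name__ == "__main__":
    cracked, total, rate = audit(SAMPLE_DUMP, SAMPLE_WORDLIST)
    print(f"cracked {len(cracked)}/{total} ({rate:.0%}): {cracked}")
```

The same audit runs against SHA1 dumps by passing algo="sha1"; the reported fraction is the number the paragraph above quotes for rootkit.com (46% with the public dictionary).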
Large Password List
To get better results in JtR wordlist mode, we have prepared a larger password list called UNIQPASS, built specifically for use with JtR. The list contains millions of unique, commonly used passwords collected from selected popular sources.
With UNIQPASS, we were able to recover 65,035 of the rootkit.com hashes (91%) as cleartext passwords. For the remaining hashes, we resort to JtR's incremental mode. Incremental mode recovers more hashes, but it takes much longer to complete. JtR's default incremental mode uses the full printable US-ASCII character set (95 characters) and tries all password lengths from 0 to 8. Obviously, the default incremental mode cannot recover strong passwords or passwords longer than 8 characters.
If you use a site that requires an email/password combination, we cannot stress enough the importance of keeping that combination unique to that site. There are many free and secure password manager applications that can help you keep track of your combinations. These applications can generate strong passwords, and many support synchronizing your passwords across the devices you use to access your sites.
To demonstrate the danger of password reuse, we created reusable.py (link removed), written in under 200 lines of Python code. The script checks whether the owner of each email/password combination also uses it to log in to Twitter, in addition to the site the combination was originally leaked from. For the complete list of accounts reusable.py logged in to successfully, see the list of Twitter followers of @reusable_py, the Twitter account we created for this demonstration. The account also serves to alert users whose accounts may have been compromised as a result of the published leaks. If you are already following @reusable_py without having explicitly followed the account, be sure to update all your online accounts, each with a strong and unique password.
We have described how trivial it is for anyone to get a copy of a leaked database and extract email/password pairs using a freely available tool together with a good password dictionary. From there, hackers can easily take over the victims' accounts with malicious intent. Fortunately, you can stay safe online and be reasonably confident that your passwords remain secure by using strong passwords and never reusing the same password on multiple websites.
Extra: Top 1000 Passwords
We generated this image, top1000_passwords.pdf, from the top 1000 passwords found in the leaked databases, simply to illustrate that most users still use trivial passwords that should have been avoided in the first place. To obtain these top passwords, we extracted all the plaintext passwords found in rootkit.com, Sony Pictures, LulzSec, LulzSec (final release), Booz Allen Hamilton, OhMedia, helistin.fi, napsu.fi, and clearusa.org. In total, there are 618,747 accounts with 407,498 unique passwords across these databases. We sorted the unique passwords by their frequency of use and picked the top 1000 to generate the image. The list is also available as a text file, top1000_passwords.txt, with the frequency of use for each password.
Several disclosures published on this website have been previously mentioned in various news websites including but not limited to,
How to Cite Us
If you find our work useful for your publication, e.g. a research paper, please mention it when citing your sources of information. It may be cited as
"Dazzlepod. Disclosure Project. Available from: http://dazzlepod.com/disclosure/; Accessed: July 31, 2014."