Using Google to Crack Passwords

Back in October, a hacker broke into a security-themed blog named Light Blue Touchpaper. The hacker then promoted himself to an administrator. I am not aware of any damage caused by the perpetrator since the blog owner rapidly discovered the break-in, disabled the account, and tightened up security. While doing so, he examined the database to see if he could learn more information about the hacker.

What he discovered was the MD5 hash of the hacker’s password. At first he wrote a rudimentary brute-force cracking program to try to determine the password. Quickly giving up, he turned to Google and, surprisingly, found the answer right away: “Anthony”.

Naturally, I decided to do the same on a larger scale. The following list of common passwords and their “secure” MD5 hashes was found simply by Googling:

  • 098f6bcd4621d373cade4e832627b4f6 (test)
  • 0be5a6c82893ecaa8bb29bd36831e457 (personal)
  • 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)
  • 0f4137ed1502b5045d6083aa258b5c42 (windows)
  • 1a1dc91c907325c69271ddf0c944bc72 (pass)
  • 334c4a4c42fdb79d7ebc3e73b517e6f8 (none)
  • 3c3662bcb661d6de679c636744c66b62 (sex)
  • 51149f6fea1a3179b364f1994e06e4d4 (secretpw)
  • 5d41402abc4b2a76b9719d911017c592 (hello)
  • 5ebe2294ecd0e0f08eab7690d2a6ee69 (secret)
  • 5f4dcc3b5aa765d61d8327deb882cf99 (password)
  • 5f532a3fc4f1ea403f37070f59a7a53a (microsoft)
  • 7c6a180b36896a0a8c02787eeafb0e4c (password1)
  • 827ccb0eea8a706c4c34a16891f84e7b (12345)
  • d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty)
  • e99a18c428cb38d5f260853678922e03 (abc123)
  • eb0a191797624dd3a48fa681d3061212 (master)
  • f561aaf6ef0bf14d4208bb46a4ccb3ad (xxx)

I found hundreds, if not thousands, of common words and their MD5 hashes — far too easily. Another reason to use hard-to-guess, non-dictionary passwords. Lucky for me, none of the MD5 hashes of my medium- or high-security passwords are in Google’s results yet. The MD5s of all my simple passwords (fewer than seven characters long) are readily available.
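Why the Google trick works, and what stops it, as an added example that is not code from the post or from the blog software involved: the constructed table holds the plaintext/MD5 pairs quoted above, and the salted PBKDF2 scheme is a standard replacement whose parameters are my own assumption, not anything the post prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed lookup table: the plaintext/MD5 pairs quoted in the post above.
# A search engine index of such pairs is what made "Googling the hash" work.
KNOWN_MD5 = {
    "098f6bcd4621d373cade4e832627b4f6": "test",
    "0d107d09f5bbe40cade3de5c71e9e9b7": "letmein",
    "5d41402abc4b2a76b9719d911017c592": "hello",
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "7c6a180b36896a0a8c02787eeafb0e4c": "password1",
    "827ccb0eea8a706c4c34a16891f84e7b": "12345",
    "d8578edf8458ce06fbc5bb76a58c5ca4": "qwerty",
    "e99a18c428cb38d5f260853678922e03": "abc123",
}


def md5_hex(text: str) -> str:
    """Unsalted MD5, the way the compromised blog stored its passwords."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """An unsalted hash of a common word is the same fixed string everywhere,
    so one precomputed table maps it straight back to the plaintext."""
    return KNOWN_MD5.get(digest.lower())


def store_password(password: str, salt: Optional[bytes] = None,
                   iterations: int = 600_000) -> Tuple[bytes, int, str]:
    """Defence (assumed scheme, not the post's): a random per-user salt makes the
    same password hash differently for every user, so no shared table applies,
    and PBKDF2 makes each guess cost `iterations` hashes instead of one MD5."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest.hex()


def verify_password(candidate: str, record: Tuple[bytes, int, str]) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    salt, iterations, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), stored)
```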

This is dåmn scary.



Recipe: Thanksgiving Turkey

It is Thanksgiving morning and I am slightly busy preparing minor side dishes to take to my parents; this year the turkey is not my responsibility. The festivity does, however, remind me of last year’s turkey that I prepared at home in just under two hours, thanks to a holiday recipe from Safeway (aka Vons). Very fast — no joke!

The secret is a properly thawed turkey, the right pan, high heat, and good fan-powered ventilation (which we lacked so I had to put up with a fair amount of smoke in the kitchen).

  1. Prepare the turkey. Remove the trusses holding the legs together. Remove giblets (for those not in the know, it’s the bag of extra turkey parts found inside the turkey) and trim off all excess fat around the neck and the body cavity. Rinse the turkey inside and out with warm water, patting it dry with paper towels.
  2. Get the turkey pan-ready. Rub all of the turkey skin with extra virgin olive oil. Sprinkle the underside of the bird with salt and pepper. Place the turkey breast up on a V-shaped wire rack in a large 13×16 roasting pan. Salt and pepper the top. Forcibly fold the wing tips completely under the turkey, making sure they do not extend beyond the rim of the pan. Cap the tips of each drumstick with aluminum foil. Do not add stuffing. Make sure the neck and body cavity remain clear and open so the turkey also cooks properly from the inside, which the rapid cooking time requires.
  3. Cook the bird! Set the pan on the lowest rack of a preheated, 475-degree oven. Do not use convection heat. Cooking times: 10-13 lbs = 1 hr; 13-18 lbs = 1 1/2 hrs; 18-22 lbs = 1 3/4 hrs; 22-24 lbs = 2 hrs. Start checking the bird every ten minutes at least fifteen minutes before the appropriate time listed above. If the turkey breast starts getting too dark, cover the dark areas with aluminum foil. Once the internal temperature reaches 160 degrees, remove the turkey from the oven and let it rest on the counter loosely covered in foil for at least 30 minutes before carving.

Inexplicably breaking with holiday tradition, my mother has prepared rice as a side dish and cake for dessert, so I’m off to my kitchen to quickly peel and dice potatoes for easy preparation in their kitchen later this afternoon. My homemade cranberry compote (a new variation this year) is cooling in the refrigerator, the pecan pie has been purchased, and the appetite is beginning to grow.

Happy Thanksgiving to all! (And an even happier birthday to my dear friend, Monica!)


Weak vs Strong Passwords

While moving from one web hosting provider to another, I came across a server log that showed a list of failed login attempts, detailing seven days of attempted break-ins near the end of this last September. Fortunately, my password is reasonably strong, but it could be a lot better.

Of the two dozen or more offending hosts, three of them collectively attempted more than 25,000 attacks. Most of the rapid-firing attacks lasted only a few minutes.

  • vivio.treda.com.tr (Turkey; 1,925 attacks)
  • 193.0.81.42 [fizyk2.fuw.edu.pl] (Poland; 11,239 attacks)
  • 221.215.127.171 (China; 12,155 attacks)

Hackers frequently perform dictionary attacks on sites, using readily downloaded lists of commonly known weak passwords, such as admin, 1234, password, abc123, p@$$w0rd, asdf, qwerty, aaaa, and other easily guessed passwords. According to a recent study, 8% of all passwords in use today are a common word found in the dictionary followed by a “1”. With an abundance of word lists available online, dictionary attacks are often very successful. And fast.

I wasn’t too worried about the break-in attempts, because my login password for that website was seven random characters long — somewhat secure, considering that it is not a word contained in any dictionary and had both letters and numbers. But if someone were to obtain a hash of that password, a modern computer capable of generating 3 million guesses a second could easily hunt offline through all 78.3 billion combinations (26 letters + 10 numerals = 36 symbols, raised to the 7 characters = 36^7) in less than eight hours.

Choosing Strong Passwords

How do you choose a strong password to help foil the attackers?

  • Use the entire keyboard, not just the most common characters. Passwords should contain a mix of upper and lower case letters, numerals, special characters, and punctuation. Unfortunately, not all websites allow passwords to contain punctuation or other special characters.
  • Your password must be at least 8 characters long (it should be at least 10, and longer is even better). Even passwords with fewer than 15 characters have their own vulnerabilities. Each character that you add to your password increases the protection it provides exponentially.
  • Don’t base the password on any personal information (dates, pets, addresses, kid’s names, cities, jobs, schools, ex-girlfriends, cars, etc.) or on any word in any dictionary in any language.
  • Don’t write the actual password down. My one exception to this rule is to print a copy of banking, financial, and computer passwords for storage in a safety deposit box at the local bank. Instead, develop a mnemonic for remembering complex passwords. The mnemonic should be created in such a way as to be safe to write down.
  • Don’t otherwise tell your password to anyone. Ever.

Check the strength of your password with an online checker such as Microsoft’s JavaScript Password Checker. Don’t worry: using a password checker on the website of a reputable company doesn’t usually transmit your password over the Internet; only your JavaScript-enabled browser sees it. A word of warning: presented under the guise of providing a free service to the community, password checkers on unknown, remote websites might just be collecting passwords for later use…
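The 36^7 arithmetic from the earlier paragraph and the rules in the list above, put into an offline checker as an added example (not the post’s code and not Microsoft’s checker): it assumes the post’s rate of 3 million guesses per second, and a constructed shortlist of the common passwords named above stands in for a real wordlist.

```python
import string
from typing import List

GUESSES_PER_SECOND = 3_000_000  # offline cracking rate assumed in the post

# Constructed shortlist from the dictionary-attack paragraph; a real check loads a full wordlist.
COMMON_PASSWORDS = {"admin", "1234", "password", "abc123", "p@$$w0rd",
                    "asdf", "qwerty", "aaaa"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / 3600


def character_classes(password: str) -> List[int]:
    """Sizes of the keyboard classes the password draws from; an attacker only
    has to search the alphabet actually used, so mixing classes widens it."""
    classes = []
    if any(c.islower() for c in password):
        classes.append(26)
    if any(c.isupper() for c in password):
        classes.append(26)
    if any(c.isdigit() for c in password):
        classes.append(10)
    if any(c in string.punctuation for c in password):
        classes.append(len(string.punctuation))  # 32 ASCII punctuation marks
    return classes


def attack_hours(password: str) -> float:
    """Exhaustive-search time for this password's own alphabet and length."""
    return hours_to_exhaust(sum(character_classes(password)), len(password))


def check_password(password: str) -> List[str]:
    """Which of the post's rules the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than the 8-character minimum")
    elif len(password) < 10:
        problems.append("shorter than the recommended 10 characters")
    if len(character_classes(password)) < 3:
        problems.append("does not mix upper, lower, numerals and punctuation")
    base = password.lower()
    # Catches both the bare word and the "dictionary word followed by 1" pattern.
    if base in COMMON_PASSWORDS or (base.endswith("1") and base[:-1] in COMMON_PASSWORDS):
        problems.append("common dictionary password")
    return problems
```

Each added character multiplies attack_hours by the alphabet size, which is the exponential growth the list item above refers to.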

In the meantime, I’ve taken my own advice. My passwords to access my web server and my banking websites are now between 15 and 20 characters long. That should continue to keep the bad guys out for the next sixty-four quintillion years.