OMGWTF: Passwords of 93,000 Politicians, Reporters, Bloggers Leaked

In what is arguably the largest-scale security breach so far in Sweden that didn’t come in the form of a parliamentary decision, a leak of 93,678 password-email combinations became public today. The accounts belong to all the top reporters, politicians, and bloggers in Sweden.

Somebody trolled the entire establishment with gleeful precision in using this data. William Petzäll, a high-profile defected Sweden Democrat (Sverigedemokrat) who is now an independent Member of Parliament, started tweeting an apparent revenge on his former party this morning.

Petzäll claimed that the leadership of the Sweden Democratic party (“SD”) had had access to most reporters’ and competing politicians’ email accounts for years, and that this was how they navigated their way into Parliament last year. To prove his point, he tweeted a number of MD5 password hashes and matching email addresses. As pretty much the entire political press was already paying attention to his tweets, this sent off an earthquake, followed by several confirmations dropping in quickly that the passwords were correct.

The biggest political scandal to ever hit northern Europe was escalating quickly.

My password was among the ones listed — I was specifically mentioned as a target by Petzäll in his tweets since I had been party leader for a competing party during the last two elections. Five seconds after this hit Twitter, my cellphone went crazy with all national media asking for comments, and I had not even had a chance to verify the MD5 sum tweeted. Once I had, I knew that this was indeed one of my passwords, but a weak garbage password that I had used years ago for untrusted, insensitive trash sites. No data had been leaked. None. From me, at least.

Others were not so lucky, and had practiced heavy password reuse between trusted, untrusted, sensitive, and insensitive systems. Reporters, in particular, were coming on in a steady stream, reporting that their email systems had been compromised all over the country and from all the major newspapers and TV stations.

Then, confusion hit for real. William Petzäll was discovered to be locked away on nonvoluntary drug rehabilitation without access to net connectivity.

So who had been tweeting the passwords, then? Had the SD leadership had access to the email accounts or not? Was it all just made up? Or not?

One plausible explanation was near at hand — it was not unrealistic that somebody was sitting on a large pile of passwords including Petzäll’s, who had been reusing it for his Twitter account, and this somebody had decided to troll the entire political establishment while sending everybody on a wild goose chase and panic all at once. Masterful trolling, indeed. Illegal as a kite is high, but still masterful.

It wasn’t until two hours later that the actual source of the leak surfaced — a blog ranking site known as Bloggtoppen (closed as of today) that had been breached through a SQL injection and had its users table dumped, with combinations of MD5’d passwords and emails, and uploaded to a hosting site. 93,678 rows of email/password combinations. This being a blog ranking site, pretty much everybody involved in the competition of building public opinion had accounts there: reporters, politicians, bloggers. Not your average XBox gamer: your average suit and tie running the country.

However, news of that leak and the complete dump was posted one full month ago to the board Flashback. Anybody could have discovered it in the meantime and just waited for the right moment to troll the living daylights out of every newsroom in the country.

The person or people using the leaked credentials to tweet in Petzäll’s name remain unknown, as does the extent to which decision-makers and reporters have had data compromised.

What do we learn from this?

First, understanding of information hygiene is crucial. When you choose a password on a site, you give that password to the site’s administrator. People, not machines, stand behind every website. If you have used that password somewhere else, the administrator can now impersonate you there.

Therefore, as a user, always silo off passwords. You don’t need unique passwords for every site. But you do need unique passwords for every site where you can’t afford to be impersonated by somebody with hostile intent. In this case, Bloggtoppen was a site where somebody logged in as me would be able to download a blog badge which, when displayed, boosted my blog’s rankings. Yeah. Yawn. Big deal. But if I had used the same password as on the Pirate Party’s admin systems, an attacker would have had complete control of the party’s finances, projects, mail, membership and activist rosters, and communications. That would have been bad.

Second, as a website designer, defend in depth. Assume a breach will happen, and that the code you’re writing at the moment is the last piece of code standing. This was a SQL injection that gave read access to the database. Fair enough; even under strong security protocols, a user impersonated under a SQL injection will have read access. The passwords were MD5-hashed, which is a better practice than Sony had when hacked by LulzSec, but they were not salted. People having the MD5 hashes could, in many cases, find the cleartext password just by googling the hash. A much better practice would have been to salt the password with some small site-wide component, which would at least make it ungooglable. Better yet, make the salt unique per user to follow proper security practices and rule out a rainbow-table attack.
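As an added illustration of the salting point (example code written for this edit, not code from Bloggtoppen or from the author), the following Python compares the three storage schemes just described: a bare MD5 hash, a single site-wide salt, and a random per-user salt. The user names, the passwords and the site salt value are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who chose the same weak password,
# the situation behind the hundreds of identical rows in a leaked dump.
USERS = {"alice@example.invalid": "super123", "bob@example.invalid": "super123"}

# Hypothetical site-wide constant; one value shared by every account.
SITE_SALT = b"example-site-wide-salt"


def md5_unsalted(password: str) -> str:
    """The scheme the breached site used: a bare MD5 of the password.
    Equal passwords give equal hashes, and the hash is the same on every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha256_site_salted(password: str) -> str:
    """One site-wide salt: hashes no longer match those of other sites,
    but equal passwords on this site still produce equal hashes."""
    return hashlib.sha256(SITE_SALT + password.encode("utf-8")).hexdigest()


def make_record(password: str) -> str:
    """Per-user random salt stored next to the hash, as 'salt_hex$digest_hex'
    (record format assumed for this example)."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def check_record(record: str, password: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    candidate = hashlib.sha256(
        bytes.fromhex(salt_hex) + password.encode("utf-8")
    ).hexdigest()
    return hmac.compare_digest(candidate, digest)


def hashes_collide(hash_fn) -> bool:
    """True if the two users' identical passwords yield the same stored value."""
    values = [hash_fn(pw) for pw in USERS.values()]
    return values[0] == values[1]


if __name__ == "__main__":
    for name, fn in [("unsalted MD5", md5_unsalted),
                     ("site-wide salt", sha256_site_salted),
                     ("per-user salt", make_record)]:
        print(f"{name:15s} identical passwords collide: {hashes_collide(fn)}")
```

With the first two schemes both users end up with the same stored value, so resolving one common password’s hash resolves every account that chose it; the per-user salt breaks that link. A salted SHA-256 is still a fast hash, so treat it as the floor rather than the ceiling: a deliberately slow, tunable password hash is the current recommendation.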

Third, some very real whistleblowers were identified today due to bad security hygiene on the part of reporters in a country with the strongest whistleblower protections in the world. This compromises those whistleblowers beyond repair, and could potentially put them in harm’s way. This shows very clearly that strong legislation is not enough to protect transparency and privacy against corruption; applied technology to protect sources is also necessary, combined with understanding of that technology.

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He lives on Alexanderplatz in Berlin, Germany, roasts his own coffee, and as of right now (2019-2020) is taking a little break.

Discussion

  1. steelneck

    Of those 93,678 persons I would be surprised if more than 50 know what an MD5 hash sum is.

    And as for the whistleblower protection, no reporter using a connected Mac or Windows computer can guarantee anything whatsoever! Maybe their IT department can guarantee something if, mind you, if they use firewalls based on code open for public scrutiny, but I guess that in most cases it is even worse regarding firewalls than the office desktops.

    Rick, whenever you get the chance to ask this, especially a person from the political left, do try it: In the IT-controlled digital knowledge society of tomorrow, who are going to be the trash-proletarians? Do not force an answer, give them time to think for themselves, but tell them you will call back a week later.

  2. Simon

    But on the other hand – who the hell uses their $OMGSECURE password for a site like bloggtoppen. I found my own entry and hashed some throwaway passwords that I remember using, turns out it was my throwaway from a time when my secure password was still secure (the latter is now my throwaway).

    I’m personally more annoyed with the fact that I just had a rise (little, but noticeable) in Swedish-language spam emails due to this nice cache of real email addresses available for somebody to abuse.

  3. steelneck

    Wait a minute:

    locked away on nonvoluntary drug rehabilitation

    He was, sorry, is a member of the Swedish national parliament. Who ordered that non-voluntary drug rehabilitation? I mean deep down in the corridors of power controlling Sweden as a nation. In a normal case I guess there would be quite some fuss about locking away a politician; now everyone just seems to take this for granted? WTF?? Something in this mess does stink a bit more than usual the more I think about it.

    1. Rick Falkvinge

      He was, sorry, is a member of the Swedish national parliament. Who ordered that non-voluntary drug rehabilitation?

      Yes, we all know that people in the establishment here all join hands behind their backs. Law enforcement, politicians, corporates, all work “together for the common good” — more often than not meaning their good, or at the very least, the status quo.

      The law used was LVM (“Law about incarceration of drug addicts”), but somebody made the decision to apply that law to a Member of Parliament, which is unprecedented to my knowledge.

      Repeating your question: who was that somebody?

  4. Per Wigren

    Please read this:
    http://codahale.com/how-to-safely-store-a-password/

    A uniquely salted hash (even SHA512) is NOT good enough to store passwords anymore. A single computer with 4 modern graphics cards can calculate over 5 billion hashes per second and you can rent a supercomputer for $300/hour and calculate 500 billion hashes per second. If the cracker knows the salt it’s as good as cleartext unless the password is long and complex.

    The reason is that hash algorithms such as MD5, SHA1, SHA256, etc are designed to calculate a checksum of large amounts of data as fast as possible. Great for validating data integrity but bad for storing passwords.

    The solution is to use the BCrypt algorithm instead of MD5/SHA. BCrypt is designed to be slow as hell (in computer terms) to calculate and it’s adaptive, meaning that you can configure how slow it should be. A BCrypt “cost” of 12 makes it 100000 times slower than MD5 to calculate but that amounts to only around 0.2 seconds on a modern server, which is fast enough for validating the password during login but damn inconvenient to brute-force, even using dictionary attacks.

    BCrypt implementations are available for almost all programming languages and it’s just as easy to use as MD5 or SHA1.

    Spread the word!
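Per Wigren’s point about adaptive cost, as an added example that is not from the comment author or from the original page. bcrypt is not in Python’s standard library, so this uses PBKDF2-HMAC-SHA256 from `hashlib`, which has the same tunable work factor; the record format, the 600,000-iteration default and the sample password are choices made for this example, not a standard. The part the comment does not spell out is shown here: the cost is stored with each record, so it can be raised later and old records upgraded at the user’s next login.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample password for the demonstration; not from any dump.
SAMPLE_PASSWORD = "hejsan"


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store algorithm, cost, salt and digest together (format assumed here):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A higher iteration count makes every guess proportionally slower."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the parameters carried in the record; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record: str, target_iterations: int) -> bool:
    """Adaptive part: when hardware gets faster, raise the target; records hashed
    at a lower cost are flagged for an upgrade."""
    return int(record.split("$")[1]) < target_iterations


def login(record: str, password: str, target_iterations: int) -> Tuple[bool, str]:
    """Verify the password; on success return the record to keep, rehashed at the
    target cost if the stored one is below it (the cleartext is only available now)."""
    if not verify_password(record, password):
        return False, record
    if needs_rehash(record, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, record


if __name__ == "__main__":
    old = hash_password(SAMPLE_PASSWORD, iterations=100_000)
    ok, new = login(old, SAMPLE_PASSWORD, target_iterations=600_000)
    print("login ok:", ok, "upgraded:", new != old, "cost now:", new.split("$")[1])
```

Pick the default so that one verification costs a noticeable fraction of a second on your own login servers, and revisit it every year or two; the stored iteration count is what lets you do that without forcing a password reset.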

  5. Björn Persson

    I think a large majority of people will probably never understand basic password hygiene.

    (With null entries and duplicates removed, the number of leaked password hashes is 91992.)

  6. Dwayne Litzenberger

    Uh oh… a plain MD5 hash of the password is not sufficient to conceal them. This list is almost as good as a list of passwords themselves!

    Of the 70,882 unique passwords, I managed to get a list of 26,025 alphanumeric passwords in about 10 minutes, thanks to rainbow tables and one of the many sites on the Internet that let you query them (those sites can be found by searching Google for ‘reverse md5’).

    Of those 26,025 alphanumeric passwords, here are the top 30 passwords used, by their frequency:

    #1. 995 super123
    #2. 141 hejsan
    #3. 118 123456
    #4. 111
    #5. 102 hejhej
    #6. 96 bajskorv
    #7. 93 sommar
    #8. 69 hemligt
    #9. 60 blomma
    #10. 54 dinmamma
    #11. 52 cocacola
    #12. 51 stockholm
    #13. 50 johanna
    #14. 45 kalleanka
    #15. 44 sverige
    #16. 43 mammapappa
    #17. 43 losenord
    #18. 43 apelsin
    #19. 43 amanda
    #20. 41 sommarlov
    #21. 41 qwerty
    #22. 40 hundar
    #23. 39 smulan
    #24. 38 password
    #25. 38 lösenord
    #26. 38 iloveyou
    #27. 37 abc123
    #28. 35 internet
    #29. 34 mammamia
    #30. 33 linnea

    Interesting, a blank password is only #3, and the password “password” is #24.

    Anyway, this leak demonstrates why you shouldn’t use the same password everywhere. I hope people have learned something here.

    1. HugeHedon

      I would have expected #6 to be even higher..

      For international readers — this was actually the top headline news item in a lot of places, such as public Swedish Radio etc.

    2. Scary Devil Monastery

      …That is just sad. That password listing confirms everything I’ve ever dreaded about the average luserbase but…sad.

      I will have to take some comfort in that the universe has fairly provided a LART in the form of a hacker.

      It underscores a blistering point I’ve been trying to make for some time – as a company, never, ever put your trust in an out-of-the-box solution likely to be a big, back-lit target. Especially if you have information likely to attract pilferers – like a customer database.

      Even a basic salt would be better than nothing.

  7. Dwayne Litzenberger

    Correction: “a blank password is only #3” should read “a blank password is only #4”. Apparently, I can’t read my own numbers. %-)

    1. Tero Hänninen

      Number 17, “losenord” is “password” in Swedish.

  8. Tero Hänninen

    Also, this xkcd comic gets the password complexity issue very elegantly across:
    http://xkcd.com/936/

    A lot of excellent advice in just 6 frames.

    1. Simon

      And here’s a retort to that webcomic by somebody who knows what they’re talking about:
      http://blog.agilebits.com/2011/08/better-master-passwords-the-geek-edition/

  9. Troed

    I disagree. I consider it vital to not reuse passwords at all, not even between “throwaway”, “trusted” etc. What was once your secure password suddenly becomes your insecure password (as indicated by one posted here) – maybe even years after – and if you practice password reuse you’ll have a hard time remembering all the places you now need to update.

    I’m a LastPass.com user. I have a unique password for every system I can access, no reuse anywhere. While that service is my password manager, they only have access to encrypted versions (and cannot decrypt) of my passwords. I myself have access to them from all network-connected systems, including my mobile.

    In this case, depending on the password reuse and to which systems those passwords went, there should be a case of criminal negligence toward public officials. Not knowing proper password management is not an excuse.

    1. Rick Falkvinge

      Thanks for the tip. After having looked through their practices (and praise by none other than Steve Gibson), I signed up.

      I was very sceptical at first at the concept of giving somebody else all my passwords (how else would they sync across multiple computers?) but realized they actually seem to have done things Right.

      1. PiratGurra

        So how do we know it’s actually you posting this? :/

        1. Rick Falkvinge

          You don’t, just as you wouldn’t otherwise either. In that aspect, nothing has changed, really.

          1. Scary Devil Monastery

            …and now I keep expecting the followup: “U Mad, Bro?” complete with troll logo…

  10. Dwayne Litzenberger

    I’ve posted some slightly-corrected and somewhat more detailed statistics on my blog: https://www.dlitz.net/blog/2011/10/most-common-losenord/

  11. pelpet

    I use parametric passwords. They are constructed of one base part that is always-the-same, and one part that is generated from the name of the site. For example, a password for falkvinge.net could be “Password123.FAL” while the password for aftonbladet.se would be “Password123.AFT”.

    Such passwords have several advantages.
    – You get a specific password for every site while only having to remember the base and how to generate the parameter.
    – If the site administrator has bad intentions, you have not given them your password to any other site.
    – Such passwords are not vulnerable to dictionary attacks.
    – You can easily satisfy demands on capital letters, numbers and special characters by putting them in the base.
    – Less important to use a long password, since the damage from having the password revealed is limited. You could use one short base for low-security sites and one long base for high-security sites.

    1. Dwayne Litzenberger

      If the administrator of falkvinge.net knows your password is “Password123.FAL”, he can figure out that your password for aftonbladet.se is “Password123.AFT”. This is not quite as bad as using the same password for every site, but it’s pretty close.

      1. ANNM

        I hope that pelpet is aware of that and was just using the obvious passwords as an example, and is actually applying more transformations.

      2. pelpet

        I chose an example which was very obvious just to prove the point, but it’s easy to choose a more complex derivative of the site name.

        For example, say that you substitute each of the first three letters with the following letter in the alphabet and append a 7 if it’s a vowel.
        f = g
        a = b7
        l = m

        then choose a more complex base, like the first letters in “I enjoy reading Ayn Rand books.” = IerARb

        Now the password for falkvinge.net is “IerARbgb7m”.

        Now it’s not obvious for the site administrator that it’s a parametric password, it looks more like a generated password.

        1. Dwayne Litzenberger

          “Now it’s not obvious for the site administrator that it’s a parametric password, it looks more like a generated password.”

          What happens when someone compromises two sites you have accounts on? (Not as hard as you would think.)

          Also, you just wrote (permanently, in a searchable public forum) that you use parametric passwords, so that’s no longer something anyone needs to figure out.

  12. Peter Andersson

    The origin of this story and the guilt-by-association on the fly against the badass pariah SD party smells funny beyond reasonable belief, so let’s look for the possible culprits at the outcome of it instead (I’m surprised you haven’t yourself already Rick):

    This single week due to this story millions of concerned Swedes are changing their old passwords, on many different systems per person, many of them from the before-the-FRA-law era (i.e. illegal for the FRA to have even if they already had them) to new passwords that the FRA can legally have and use. I repeat, millions of changes in one single week, most of them for services on servers based in different countries (i.e. the transmissions pass the border).

    If I was in charge of the passwords database at the FRA I would be as happy as a (what’s the American word for “lärka”?) because this must be the best week ever for him/her!

    1. steelneck

      Something along those lines has passed my thoughts too, or maybe something in line with “Problem Reaction Solution”, but in that case we have to wait just a little bit longer until that “solution” is presented that many “important” will be asking for anyway.

    2. Björn Persson

      I’m afraid I don’t understand your reasoning. Would this be an attack specifically against web sites written by a complete idiot, where you log in over HTTPS but the form for changing your password uses unencrypted HTTP? Because in all other cases, if someone can sniff your password when you change it, they can also sniff it every time you log in.

      You shall never register an account on a website that won’t let you use HTTPS, unless everything you send to that site will be published anyway and it doesn’t matter if someone impersonates you on that site.

  13. Freestyle Web Design

    Wow there’s an example of brand loyalty – #11 – Cocacola. Pepsi is nowhere to be seen!

  14. Xeno

    Any real web developer AES encrypts all passwords so that they have a level of plausible deniability and only allows CHANGING of passwords and NEVER asks for passwords or viewing of decrypted passwords.

    This is the same for data such as SSN’s/TIN’s and other sensitive ID’s or information that you do not want to get into the wrong hands.

    The fact that these lunkheads allowed for the storage of this information in an unencrypted fashion so that it could be easily pulled up like this is just stupid.

    1. Troed

      If a web developer AES encrypts passwords I would consider him/her to be wholly incompetent and make sure to not use a service they’ve developed.

      What you want to do is to hash the passwords, with a suitably strong salt and preferably that salt should be unique per account as well.

  15. […] OMGWTF: Passwords of 93,000 Politicians, Reporters, Bloggers Leaked – Falkvinge on Infopolicy. All content is © 2011 by vladimir moshnyager's. All rights […]

  16. […] Party founder Rick Falkvinge was shocked at the scope of the breach. Falkvinge admitted one of his passwords was leaked, adding that it could have been much, much […]

  17. […] Passwords of 93,000 Politicians, Reporters, Bloggers Leaked Falkvinge on Infopolicy […]

  18. Buzz Matutino – 27 octubre 2011 | POWERPYMES

    […] In the middle of a political scandal in Sweden, 93,000 email passwords of politicians, journalists and bloggers have been made public for anyone who wants them. […]

  19. belorn

    The link to the file on the hosting site is broken.

  20. […] a certificate of authentication. Something about this sounds like an accident waiting to happen.Passwords of 93,000 Politicians, Reporters, Bloggers Leaked Falkvinge on InfopolicyConfusing tale, but huge implications.National Security Agency helps banks battle hackers […]

  21. Skype Exposes Pirates | TechSNAP | Jupiter Broadcasting

    […] Passwords of 93,000 Politicians, Reporters, Bloggers Leaked […]

  22. […] bloggtoppen.se […]

  23. steelneck

    I do not know if this expression exists in English: a happening that looks like a thought. The article (in Swedish) says basically that a coming law is being prepared in the EU that will make it a criminal act to not inform when sensitive information has leaked out. I think this is something that Christian, HAX, Erik and what’s-her-name need to look at a bit closer, it could be a vessel for something quite nasty.

  24. steelneck

    BTW. Rick (OT). You have taken away the little frame with latest comments, I found that very useful to be able to follow up on comment-conversations. I bet that change has led to a bit of decrease in traffic. You know, people want a piece of the action, and now it has become harder to see if there is any action to take part in. All those “featuredPost nopadding-top” and those connections to evil fecesbook have also made your blog painfully slow to load and thus make every visit a bit less pleasant.

  25. Fallon Bolin

    I pay a quick visit everyday a few web sites and blogs to read content, but this blog offers quality based articles.

  26. Tara

    This piece of writing will assist the internet visitors for setting up new website or even a blog from start to end.

  27. rencontre musulmane de france gratuit

    Inspiring quest there. What occurred after? Good luck!
