02 March 2013 00:47:00 AEDT

"Hashed" ABC Passwords Cracked by Australian Security Researcher

 

The ABC is the latest high-profile company to be hacked. The attacker's motive was allegedly related to the ABC interviewing controversial Dutch anti-Islam politician Geert Wilders. Ben Grubb, Deputy Technology Editor of The Age, has taken an in-depth look at the incident to discover cracks in web security practices at the ABC. This news serves as a stark reminder of just how important password security is.

More than half of the "hashed" passwords exposed in a breach of about 50,000 accounts on the ABC's website have been cracked by an Australian security researcher.

The database exposed early on Wednesday morning was a sub-domain site on abc.net.au that hosted content concerned with the highly popular Making Australia Happy TV series, which aired in late 2010. The website asked users to submit personal information to gather what made them happy.

Sydney security researcher Troy Hunt – who was able to crack 53 per cent of the exposed hashed passwords in 45 seconds – wrote in a blog post on Wednesday evening that the type of cryptography used by the ABC to store the passwords was "woefully inadequate". Had he spent more time cracking the passwords, Mr Hunt wrote, it would have yielded more results.

Hashing a password masks it by running it through a secure hash algorithm. But many types of hashes can be cracked by computers that work through a dictionary of candidate passwords, guessing millions per second.

The cracking comes as security website risky.biz cited strong circumstantial evidence suggesting that criminals may have had access to the database since October 2011.

That evidence has to do with a criminal on an underground forum asking hackers to crack the hashed password for the administrator admin@abc.net.au account used for the Making Australia Happy website. The cracked password [continue reading the full story on The Age]