South African developer Evan Knowles recently posted details about the passwords from a Government Communications and Information Systems (GCIS) database that Anonymous hackers leaked online.
The hackers said they attacked the GCIS server as part of Operation Africa, or #OpAfrica, which is about “a disassembly of corporations and governments that enable and perpetuate corruption on the African continent”.
Anonymous said #OpAfrica will also focus on the issues of child labour and Internet censorship in Africa.
Names, phone numbers, e-mail addresses, and hashed passwords of over 1,000 government employees were leaked in the data dump.
The State Information Technology Agency was asked about the hack, but has not provided comment.
However, it is understood that the hackers gained access to an old GCIS portal not widely used, which contained outdated information. The vulnerability has been tracked down and closed.
Knowles said that of the 1,471 passwords from the GCIS data Anonymous dumped, it was trivial to crack 1,116 of them.
He found that the passwords were hashed using the MD5 function without salt.
Analysing the passwords, Knowles highlighted the following statistics:
- 628 passwords (42.7%) were already in plain text and did not need to be cracked.
- 27.1% of these known passwords contained the word “password”.
- 2.7% of known passwords were accompanied by an email address.
- Some passwords were – or contained – the user’s first name, last name, or user name.
After running some simple cracking attempts against the remaining 843 hashed passwords (and recovering 488 of them), Knowles said he found the following:
- 25.2% of users had passwords that were identical to their first name.
- Out of the 1,116 passwords cracked, there were only 549 unique passwords.
- 9 passwords were only 1 character long.
- 53.1% of passwords failed the basic test of containing at least one number and being 6 characters long.
- In total, 29.8% of passwords contained the word “password”.
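The two properties the article reports, unsalted MD5 hashing and the weak-password patterns in the statistics, can be demonstrated from the defender's side without cracking anything. The following Python is an added example, not code from the article or from Knowles' analysis: it shows that an unsalted MD5 dump by itself reveals which accounts share a password (which is how the "549 unique passwords" figure becomes visible), runs a small policy audit over the patterns the article lists, and contrasts the MD5 scheme with per-user salted PBKDF2. The usernames, first names and passwords are constructed sample data, and the audit treats the article's "basic test" as "at least one digit and at least 6 characters", which is an assumption about its intent.

```python
"""Added example (not from the article or from Knowles' analysis).

 1. Unsalted MD5 lets anyone holding the dump see which accounts share a
    password, because identical passwords hash to identical digests.
    Per-user salting with a slow KDF (PBKDF2 here) removes that leak.
 2. A simple policy audit in the spirit of the article's "basic test"
    (assumed here to mean: at least one digit and at least 6 characters)
    plus the other weak patterns it lists (contains "password",
    equals the user's first name).
All names and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from typing import Optional

# Constructed sample records: (username, first name, plaintext password).
SAMPLE_USERS = [
    ("thabo.m", "Thabo", "Thabo"),        # password equals first name
    ("lerato.k", "Lerato", "password1"),  # contains "password"
    ("sipho.n", "Sipho", "Summer2013"),
    ("anna.v", "Anna", "Summer2013"),     # same password as sipho.n
    ("j.dube", "Jabu", "a"),              # one character long
    ("m.pillay", "Mira", "qwerty"),       # no digit
]


def unsalted_md5(password: str) -> str:
    """The scheme the article describes: MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(users):
    """Group usernames by their unsalted digest. Any group larger than one
    is a leak that needs no cracking: the dump itself shows which accounts
    share a password."""
    groups = defaultdict(list)
    for username, _first, pw in users:
        groups[unsalted_md5(pw)].append(username)
    return {d: names for d, names in groups.items() if len(names) > 1}


def unique_password_count(users):
    """Distinct digests == distinct passwords (the 549-of-1,116 figure)."""
    return len({unsalted_md5(pw) for _u, _f, pw in users})


# At least one digit anywhere, and at least 6 characters in total.
_BASIC = re.compile(r"^(?=.*\d).{6,}$")


def audit_password(first_name: str, password: str):
    """Return the weak-pattern labels that apply to one password."""
    problems = []
    if not _BASIC.match(password):
        problems.append("fails basic test")
    if "password" in password.lower():
        problems.append("contains 'password'")
    if password.lower() == first_name.lower():
        problems.append("equals first name")
    return problems


def audit_all(users):
    """Map username -> problems, omitting accounts with none."""
    return {u: audit_password(f, pw) for u, f, pw in users if audit_password(f, pw)}


# The alternative: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored digests,
    yet each still verifies against its own salt."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2 and verify_password(password, s1, d1)


if __name__ == "__main__":
    print("shared:", shared_password_groups(SAMPLE_USERS))
    print("unique passwords:", unique_password_count(SAMPLE_USERS))
    print("audit:", audit_all(SAMPLE_USERS))
    print("salted digests differ:", salted_hashes_differ("Summer2013"))
```

Note that `shared_password_groups` needs no wordlist and no hashing power at all; it only groups the digests already in a dump. That is the cost of omitting a salt, independent of MD5's speed, and it is why the salted PBKDF2 variant produces two unrelated digests for `sipho.n` and `anna.v` even though their passwords are identical.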
The top 10 passwords in the GCIS dump were: