Password Analysis of Journal News LoHud Subscriber Database Dump

As usual, I like to take sanitized lists (user account information stripped) of public password dumps and analyze them for password strength and patterns. Recently the subscriber database for Journal News, Lower Hudson Valley was allegedly hacked and was published publicly online.

The dump had user account passwords stored as MD5 hashes, so they needed to be cracked before they could be analyzed.

There were about 10,000 user accounts leaked in the dump. Many had duplicate password hashes, so the duplicates were removed. I took the password hashes that had not been cracked (some were already cracked in the dump) and ran them through an MD5 hash cracker. In a couple of hours I was able to retrieve just over 85% of the passwords.

In effect there were 8,361 unique hashes. I was able to retrieve 7,148 in a fairly short amount of time. I then took the cracked passwords and ran them through Pipal, the password analysis program.

Here are the results from Pipal:

Top 10 words and base words used:

[Figure: Base Words]

Very interesting as there are 10 passwords that are almost ALWAYS in the top ten and none of them were in this list. Okay, “password” was used as a base word, but other than that these are all new.

Let’s take a look at the password lengths:

[Figures: Password Graph; Password Length]

A whopping 80% of the passwords were 8 characters or less, and over 50% of the passwords only used lowercase letters!

[Figure: Character Set]

A common practice is that users will use a word and stick a number or numbers on the end to “make it more secure”. About 25% of the passwords in this list used 3 or fewer numbers at the end of the password.

[Figures: Last Digit Count; Last digit on end; Single Digit on end]

And only a few passwords used the year in their password.

[Figure: Top Ten Years]

Overall the users in this case seemed to use very simple passwords – mostly lower case passwords with some numbers mixed in. Using long complex passwords would have made these passwords much harder to crack.

Increasing the password length and using a mix of upper and lower case letters, numbers and special characters dramatically increases the cracking times.
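The statistics reported above (length, character set, trailing digits, years, base words) can be reproduced on your own sanitized password list when auditing a password policy. The following is an added example, not Pipal's code or the code used for this analysis; the sample passwords are constructed and the function names are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample list for illustration (not taken from the dump).
SAMPLE = ["password1", "sunshine", "yankees27", "Summer2012", "abc123",
          "letmein", "password", "Tr0ub4dor&3", "mets1986", "qwerty12345"]

def charset(pw):
    """Label the character classes a password draws from."""
    classes = [("lower", r"[a-z]"), ("upper", r"[A-Z]"),
               ("digit", r"[0-9]"), ("special", r"[^A-Za-z0-9]")]
    return "+".join(name for name, pat in classes if re.search(pat, pw))

def base_word(pw):
    """Lowercase the password and strip leading/trailing non-letters."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())

def analyze(passwords):
    """Return Pipal-style summary statistics for a list of plaintext passwords."""
    total = len(passwords)
    pct = lambda n: round(100.0 * n / total, 1)
    # Number of digits at the very end of each password (0 if none).
    trailing = Counter(len(re.search(r"\d*$", pw).group()) for pw in passwords)
    # Four-digit runs that look like a year (19xx or 20xx).
    years = Counter(y for pw in passwords
                    for y in re.findall(r"(?:19|20)\d\d", pw))
    return {
        "len_le_8_pct": pct(sum(len(pw) <= 8 for pw in passwords)),
        "lower_only_pct": pct(sum(charset(pw) == "lower" for pw in passwords)),
        "one_to_three_trailing_digits_pct": pct(sum(trailing[n] for n in (1, 2, 3))),
        "charsets": Counter(charset(pw) for pw in passwords),
        "years": years,
        "base_words": Counter(b for b in map(base_word, passwords) if len(b) >= 3),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

Running the same function over a rejected-password log or a policy test set shows whether a length or character-class rule actually shifts these percentages.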

Newspaper that Posted Map of NY Gun Owners Hacked – Database Dumped

[Figure: Gun Permit Map]

In one of the most controversial moves in recent journalism history, Lower Hudson Journal News posted a map of NY pistol permit owners in two counties. Apparently that wasn’t enough and they tried to obtain gun owner information for additional counties. Well, allegedly the lohud site was hacked and their entire user database has been dumped and publicly released.

After the school shooting in Connecticut, it would seem that the newspaper wanted to take the gun control issue into their own hands and publicly released three interactive Google maps with the names and addresses of LEGAL pistol permit owners in the Lower Hudson NY area. Just scrolling over the map would reveal permit owners’ names and addresses.

This sparked nationwide outrage as these were not criminals, but those who went through New York’s very strict procedures to legally obtain a NYS pistol permit.

“You have judges, policemen, retired policemen, FBI agents — they have permits. Once you allow the public to see where they live, that puts them in harm’s way,” said Rockland County Clerk Paul Piperato.

“Do you fools realize that you also made a map for criminals to use to find homes to rob that have no guns in them to protect themselves? What a bunch of liberal boobs you all are,” wrote Rob Seubert on the newspaper’s website.

In response, numerous bloggers have released the names, addresses, phone numbers and social media sites of several members of the Journal News editorial staff.

In a move that some see as hypocritical, the newspaper apparently hired gun-toting armed guards to protect the Journal News office building after they received threatening e-mails.

Oddly enough, Journal News recently tried to obtain gun permit information for other counties, but was turned down by permit clerks.

Apparently, this seemed to be the straw that broke the camel’s back as hacktivists allegedly hacked the lohud website and publicly dumped the newspaper’s entire database. A Pastebin post by the user “Guest” lists a sample of the dump and includes links to download the entire list.

[Figure: lohud pastebin]

The dumped database seems to include over ten thousand user accounts, including names, addresses, phone numbers, and account credentials. Password hashes are also present, and it appears that some had already been cracked.

Account emails listed included numerous public e-mail addresses, but also many company addresses. This is really bad as users often use the same password on numerous sites. If you have an account at the site, change your password now! And if you re-use your passwords, make sure to change your passwords for all of your accounts.