 | |
 | |
Type of site | Avatar hosting |
|---|---|
| Owner | Automattic |
| Created by | Tom Preston-Werner |
| URL | gravatar.com |
| Commercial | Yes |
| Registration | Optional |
Gravatar (a portmanteau of globally recognized avatar) is a service for providing globally unique avatars and was created by Tom Preston-Werner. Since 2007, it has been owned by Automattic, having integrated it into their WordPress.com blogging platform.
On Gravatar, users can register an account based on their email address, and upload an image of their choice to be associated with that email address. Gravatar plugins are available for popular blogging software; when the user posts a comment on such a blog that requires an email address, the blogging software checks whether that email address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. Gravatar support is provided natively in WordPress as of v2.5 [1] and in web based project management application Redmine beginning with version 0.8. [2] Support for Gravatar is also provided via third-party modules for web content management systems such as Drupal and MODX. [3] [4]
A user's profile data is available in a number of metadata standards, including hCard, JSON, XML, PHP, and vCard as well as via QR codes. The raw data formats (JSON, XML, and PHP) use the Portable Contacts standard. [5]
A Gravatar image can be up to 2048 pixels wide, is always square and is displayed at 80 by 80 pixels by default. [6] If the uploaded avatar is larger or smaller, the avatar is scaled appropriately. Each Gravatar is rated with an MPAA-style age recommendation, allowing webmasters to control the content of the Gravatars displayed on their website.
Webmasters can also configure their system to automatically display an Identicon when a user has no registered Gravatar.
For some time, the Gravatar service remained unmaintained. The maker became busy with working on a new version of the service, as Gravatar's popularity grew and more bandwidth was required. On 16 February 2007, [7] "Gravatar 2.0" was launched. Besides an improved server script, users also noticed other improvements, such as being able to crop and use an image already hosted on the web. Support for two gravatars per account was added, between which the user can easily switch. "Gravatar Premium" was also launched, allowing unlimited email addresses and Gravatars per account.
On 11 June 2007, Tom Preston-Werner announced that 32,000 new users had signed up since the launch of Gravatar 2.0. [8]
On 18 October 2007, Automattic acquired Gravatar. [9] After doing so, they offered all previously paid services at no cost, improved server response time,[ better source needed ] and refunded those who had recently paid for service. [10]
Matt Mullenweg announced on The Big Web Show on 2 December 2010 that Gravatar was serving approximately 20 billion images per day. [11]
Gravatars are loaded from the Gravatar web server, using a URL containing an MD5 hash of the associated email address. This method has, however, been shown to be vulnerable to dictionary attacks and rainbow table approaches.
In 2009, it was demonstrated that over 10% of the email addresses of a set of forum users could be determined from the Gravatar URLs combined with the forum user names. [12]
Subsequently, in 2013, security researcher Dominique Bongard presented that he was able to determine 45% of the email addresses used to post comments on a well-known French political forum by using Gravatar URLs and the open source Hashcat password cracking tool. [13]
Given that Hashcat uses graphics processing units to achieve high-efficiencies at cracking hashes, it has been proposed that as GPU technology and performance continues to improve, that Gravatar hashes will only become easier to crack over time as a result. [14] This is in addition to the fact that the MD5 hashing algorithm itself is severely compromised and unfit for cryptographic applications; the CMU Software Engineering Institute has recommended against its use in any capacity since the end of 2008. [15]
In October 2020, a technique for scraping large volumes of data from Gravatar was exposed by Carlo di Dato, a security researcher, after being ignored by Gravatar when he raised his concerns with them. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data, with email account holders able to check whether their addresses have been leaked using Have I Been Pwned. [16] [17]
In cryptanalysis and computer security, password cracking is the process of guessing passwords protecting a computer system. A common approach is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password. Another type of approach is password spraying, which is often automated and occurs slowly over time in order to remain undetected, using a list of common passwords.
passwd is a command on Unix, Plan 9, Inferno, and most Unix-like operating systems used to change a user's password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.
The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.
WordPress is a web content management system. It was originally created as a tool to publish blogs but has evolved to support publishing other web content, including more traditional websites, mailing lists and Internet forum, media galleries, membership sites, learning management systems, and online stores. Available as free and open-source software, WordPress is among the most popular content management systems – it was used by 43.1% of the top 10 million websites as of December 2023.
Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.
Matthew Charles Mullenweg is an American web developer and entrepreneur. He is known as a co-founder of the free and open-source web publishing software WordPress and the founder of Automattic.
In computer hypertext, a URI fragment is a string of characters that refers to a resource that is subordinate to another, primary resource. The primary resource is identified by a Uniform Resource Identifier (URI), and the fragment identifier points to the subordinate resource.
WordPress.com is a web building platform for self-publishing that is popular for blogging and other works. It is owned and operated by Automattic, Inc. It is run on a modified version of the WordPress software. This website provides free blog hosting for registered users and is financially supported via paid upgrades, "VIP" services and advertising.
Automattic Inc. is an American global distributed company which was founded in August 2005 and is most notable for WordPress.com, as well as its contributions to WordPress. The company's name is a play on founder Matt Mullenweg's first name and the word "automatic".
nofollow is a setting on a web page hyperlink that directs search engines not to use the link for page ranking calculations. It is specified in the page as a type of link relation; that is: <a rel="nofollow" ...>. Because search engines often calculate a site's importance according to the number of hyperlinks from other sites, the nofollow setting allows website authors to indicate that the presence of a link is not an endorsement of the target site's importance.
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system, which is governed by Group Policy settings, for which different versions of Windows have different default settings.
Cain and Abel was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel was maintained by Massimiliano Montoro and Sean Babcock.
An Identicon is a visual representation of a hash value, usually of an IP address, that serves to identify a user of a computer system as a form of avatar while protecting the user's privacy. The original Identicon was a 9-block graphic, and the representation has been extended to other graphic forms by third parties.
A suppression list is a list of suppressed e-mail addresses used by e-mail senders to comply with the CAN-SPAM Act of 2003. CAN-SPAM requires that senders of commercial emails provide a functioning opt-out mechanism by which email recipients can unsubscribe their email address from future email messages. The unsubscribed email addresses are placed into a "suppression list" which is used to "suppress" future email messages to that email address.
A single-page application (SPA) is a web application or website that interacts with the user by dynamically rewriting the current web page with new data from the web server, instead of the default method of loading entire new pages. The goal is faster transitions that make the website feel more like a native app.
BuddyPress is an open-source social networking software package owned by Automattic since 2008. It is a plugin that can be installed on WordPress to transform it into a social network platform. BuddyPress is designed to allow schools, companies, sports teams, or any other niche community to start their own social network or communication tool.
LastPass is a password manager application. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.
Schema.org is a reference website that publishes documentation and guidelines for using structured data mark-up on web-pages. Its main objective is to standardize HTML tags to be used by webmasters for creating rich results about a certain topic of interest. It is a part of the semantic web project, which aims to make document mark-up codes more readable and meaningful to both humans and machines.
The fediverse is a collection of social networking services that can communicate with each other using a common protocol. Users of different websites can send and receive status updates, multimedia files and other data across the network. The term fediverse is a portmanteau of "federation" and "universe".
ShinyHunters is a black-hat criminal hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.