Researcher: Many Stratfor Passwords Are Weak
At Utah Valley University, 120 computers are now working to decode encrypted passwords revealed by the hack of Stratfor Global Intelligence, one of the most significant data breaches of last year.
After the breach occurred over Christmas, the Utah researchers launched a project to study what kind of passwords people use and if they're complex enough to thwart all but the most determined hackers.
Hackers believed to be affiliated with Anonymous released the names, email addresses, credit-card numbers and encrypted passwords of people who have registered with Stratfor, a leading think tank based in Austin, Texas.
The data dump is significant due to Stratfor's high-end clientele, including many people in the U.S. military, government organizations such as the U.S. State Department, international banks including Bank of America and JP Morgan Chase and technology giants IBM and Microsoft.
While the credit-card data, some of which was outdated, might briefly profit cybercriminals, the email addresses and encrypted passwords are far more valuable to nation-states seeking to electronically infiltrate organizations over the long term.
Since the email addresses of hundreds of thousands of people were revealed, those people can be targeted by email with malicious software, said Kevin Young, area IT director and an adjunct professor who teaches information security at Utah Valley University.
The second major threat from the Stratfor breach is how many of the passwords were quite simple and easy to decode, he said. That's dangerous, given it is likely that some people will reuse the same password over and over on systems with sensitive information.
Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of victims' passwords called an MD5 hash, generally considered a wise security practice. Young set up the 120 computers in order to decode the MD5 password hashes released by the hackers.
With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.
Young said he's been able to decode upwards of 160,000 passwords from Stratfor, many in organizations such as the U.S. Marine Corps who "should know better," Young said.
The passwords will not be released by Young for ethical reasons, but will be used as part of a study of trends in how people pick passwords and how resistant those passwords are to cracking attempts.
The tools that Young is using show how important it is for people to use complex passwords, or ones with at least eight or nine characters, a mix of upper- and lower-case letters along with numbers and even punctuation.
Young is using "John the Ripper" -- a well-known cracking application that can use a regular PC, and "oclhashcat," a program designed to use the accelerated calculating speeds of graphics processors. John the Ripper produces some eight to 10 billion passwords a second, while oclhashcat, using a graphics processor, can produce up to 62 billion combinations per second, he said.
Both tools calculate a MD5 hash from a word list, of which different permutations can be defined by the person trying to crack the password. Young also used password lists from other noted data breaches including Sony (17,000 passwords), Rockyou (14 million), PHPBB (278,000) and MySpace (36,000).
Password lists are useful, since there is a good chance that people will have already picked easy ones. Stratfor's data didn't disappoint, and Young found that many of its passwords were contained on the lists from other data breaches, such as "jasper10," "swordfish" and "green101."
Young said his team has just a small budget and will probably calculate possible lower-case passwords as long as eight characters. Beyond that, more computing power is needed, as just calculating all of the possible lower-case word combinations for a 10-character word starting with "A" would consist of some 2.2 TB of data, Young said. All of the permutations of a possible password combination is known as the "word size."
Nation-states would easily have the computing muscle. Young said his 120 computers are "nothing compared to what a concentrated attack from the NSA or China or North Korea could throw at this."
Send news tips and comments to firstname.lastname@example.org