
Researcher: Many Stratfor passwords are weak

The preliminary results are not terribly surprising: Many passwords are considered simple and weak

At Utah Valley University, 120 computers are now working to decode encrypted passwords revealed by the hack of Stratfor Global Intelligence, one of the most significant data breaches of last year.

After the breach occurred over Christmas, the Utah researchers launched a project to study what kind of passwords people use and if they're complex enough to thwart all but the most determined hackers.

Hackers believed to be affiliated with Anonymous released the names, email addresses, credit-card numbers and encrypted passwords of people who have registered with Stratfor, a leading think tank based in Austin, Texas.

The data dump is significant due to Stratfor's high-end clientele, including many people in the U.S. military, government organizations such as the U.S. State Department, international banks including Bank of America and JP Morgan Chase, and technology giants IBM and Microsoft.

While the credit-card data, some of which was outdated, might briefly profit cybercriminals, the email addresses and encrypted passwords are far more valuable to nation-states seeking to electronically infiltrate organizations over the long term.

Since the email addresses of hundreds of thousands of people were revealed, those people can be targeted by email with malicious software, said Kevin Young, area IT director and an adjunct professor who teaches information security at Utah Valley University.

The second major threat from the Stratfor breach is how many of the passwords were quite simple and easy to decode, he said. That's dangerous, given it is likely that some people will reuse the same password over and over on systems with sensitive information.

Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of victims' passwords called an MD5 hash, generally considered a wise security practice. Young set up the 120 computers in order to decode the MD5 password hashes released by the hackers.

With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.

Young said he has been able to decode upwards of 160,000 Stratfor passwords, many belonging to people in organizations such as the U.S. Marine Corps who "should know better."

The passwords will not be released by Young for ethical reasons, but will be used as part of a study of trends in how people pick passwords and how resistant those passwords are to cracking attempts.

The tools that Young is using show how important it is for people to use complex passwords: at least eight or nine characters, with a mix of upper- and lower-case letters along with numbers and even punctuation.

Young is using "John the Ripper," a well-known cracking application that runs on a regular PC, and "oclhashcat," a program designed to use the accelerated calculating speed of graphics processors. John the Ripper produces some eight to 10 billion passwords a second, while oclhashcat, using a graphics processor, can produce up to 62 billion combinations per second, he said.

Both tools calculate an MD5 hash from a word list, of which different permutations can be defined by the person trying to crack the password. Young also used password lists from other noted data breaches, including Sony (17,000 passwords), RockYou (14 million), phpBB (278,000) and MySpace (36,000).

Password lists are useful, since there is a good chance that people will have already picked easy ones. Stratfor's data didn't disappoint, and Young found that many of its passwords were contained on the lists from other data breaches, such as "jasper10," "swordfish" and "green101."

Young said his team has just a small budget and will probably calculate possible lower-case passwords of up to eight characters. Beyond that, more computing power is needed: just calculating all of the possible lower-case combinations for a 10-character word starting with "A" would amount to some 2.2 TB of data, Young said. The set of all permutations of a possible password is known as the "word size."
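The mechanics described above, as an added Python example (not the researchers' code, nor any tool named in the article): one hash per word-list entry matched against unsalted MD5 digests, the growth of the search space with length and character set, and the time to exhaust it at the 62 billion-per-second rate quoted. The word list, accounts, hashes and salts are constructed for the demonstration. Beside the unsalted case sits the mitigation a defender would want to see, a salted and iterated hash (PBKDF2-HMAC-SHA256 with a per-account salt): the table of precomputed hashes can no longer be shared across the dump, so the work has to be repeated for every account, and each hash is deliberately slow.

```python
import hashlib

# Constructed stand-in for the breach word lists the article names (RockYou, Sony, phpBB, MySpace).
SAMPLE_WORDLIST = ["123456", "password", "letmein", "swordfish", "green101", "jasper10", "qwerty"]


def md5_hex(word: str) -> str:
    """Unsalted MD5 hex digest: the storage format the article attributes to Stratfor."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def salted_hex(word: str, salt: bytes, iterations: int = 1000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The iteration count is kept low so the demo
    runs quickly; real deployments use far higher counts or a memory-hard KDF."""
    return hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations).hex()


# Constructed "leaked" records: three accounts, two with word-list passwords, one with a strong one.
LEAKED_MD5 = {
    "user1@example.com": md5_hex("swordfish"),
    "user2@example.com": md5_hex("green101"),
    "user3@example.com": md5_hex("Tq9!vLm2#xR8"),
}

# Fixed salts so the demo is reproducible; a real system draws them from os.urandom(16).
_SALTS = [b"\x01" * 16, b"\x02" * 16, b"\x03" * 16]
LEAKED_SALTED = {
    "user1@example.com": (_SALTS[0], salted_hex("swordfish", _SALTS[0])),
    "user2@example.com": (_SALTS[1], salted_hex("green101", _SALTS[1])),
    "user3@example.com": (_SALTS[2], salted_hex("Tq9!vLm2#xR8", _SALTS[2])),
}


def unsalted_lookup(leaked, wordlist):
    """Hash each word-list entry once, then match every account against that one table.
    Returns (hits, hash_operations): the table is shared by all accounts, so the cost is len(wordlist)."""
    table = {md5_hex(w): w for w in wordlist}
    hits = {acct: table[h] for acct, h in leaked.items() if h in table}
    return hits, len(wordlist)


def salted_lookup(leaked_salted, wordlist):
    """With a unique salt per account no table can be shared: each account costs up to
    len(wordlist) hashes, each of them deliberately slow. Returns (hits, hash_operations)."""
    hits, ops = {}, 0
    for acct, (salt, digest) in leaked_salted.items():
        for w in wordlist:
            ops += 1
            if salted_hex(w, salt) == digest:
                hits[acct] = w
                break
    return hits, ops


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of candidate strings of a given length over a character set of the given size."""
    return charset_size ** length


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / rate_per_second


if __name__ == "__main__":
    hits, ops = unsalted_lookup(LEAKED_MD5, SAMPLE_WORDLIST)
    print("unsalted MD5: %d accounts matched with %d hash operations" % (len(hits), ops))
    hits, ops = salted_lookup(LEAKED_SALTED, SAMPLE_WORDLIST)
    print("salted PBKDF2: %d accounts matched with %d slow hash operations" % (len(hits), ops))
    GPU_RATE = 62e9  # the oclhashcat figure quoted in the article
    for charset, length, label in [(26, 8, "8 lower-case letters"), (95, 9, "9 printable ASCII")]:
        n = keyspace_size(charset, length)
        secs = seconds_to_exhaust(n, GPU_RATE)
        print("%s: %d candidates, %.3g seconds (%.1f days) at 62 billion/s" % (label, n, secs, secs / 86400))
```

Run stand-alone, the script shows the two word-list passwords recovered from the unsalted dump with seven hash operations in total, the same two recovered from the salted records only after sixteen slow operations (the unrelated strong password is never found either way), and that the eight-character lower-case space Young's team targets is exhausted in about 3.4 seconds at the GPU rate, while nine characters drawn from the full printable set take well over a hundred days at the same rate.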

Nation-states would easily have the computing muscle. Young said his 120 computers are "nothing compared to what a concentrated attack from the NSA or China or North Korea could throw at this."

Send news tips and comments to jeremy_kirk@idg.com
