Researcher: Many Stratfor passwords are weak

The preliminary results are not terribly surprising: Many passwords are considered simple and weak

At Utah Valley University, 120 computers are now working to decode encrypted passwords revealed by the hack of Stratfor Global Intelligence, one of the most significant data breaches of last year.

After the breach occurred over Christmas, the Utah researchers launched a project to study what kind of passwords people use and if they're complex enough to thwart all but the most determined hackers.

Hackers believed to be affiliated with Anonymous released the names, email addresses, credit-card numbers and encrypted passwords of people who have registered with Stratfor, a leading think tank based in Austin, Texas.

The data dump is significant due to Stratfor's high-end clientele, including many people in the U.S. military, government organizations such as the U.S. State Department, international banks including Bank of America and JP Morgan Chase and technology giants IBM and Microsoft.

While the credit-card data, some of which was outdated, might briefly profit cybercriminals, the email addresses and encrypted passwords are far more valuable to nation-states seeking to electronically infiltrate organizations over the long term.

Since the email addresses of hundreds of thousands of people were revealed, those people can be targeted by email with malicious software, said Kevin Young, area IT director and an adjunct professor who teaches information security at Utah Valley University.

The second major threat from the Stratfor breach is how many of the passwords were quite simple and easy to decode, he said. That's dangerous, given it is likely that some people will reuse the same password over and over on systems with sensitive information.

Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of victims' passwords called an MD5 hash, generally considered a wise security practice. Young set up the 120 computers in order to decode the MD5 password hashes released by the hackers.

With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.

Young said he's been able to decode upwards of 160,000 passwords from Stratfor, many in organizations such as the U.S. Marine Corps who "should know better," Young said.

The passwords will not be released by Young for ethical reasons, but will be used as part of a study of trends in how people pick passwords and how resistant those passwords are to cracking attempts.

The tools that Young is using show how important it is for people to use complex passwords, or ones with at least eight or nine characters, a mix of upper- and lower-case letters along with numbers and even punctuation.

Young is using "John the Ripper" -- a well-known cracking application that can use a regular PC, and "oclhashcat," a program designed to use the accelerated calculating speeds of graphics processors. John the Ripper produces some eight to 10 billion passwords a second, while oclhashcat, using a graphics processor, can produce up to 62 billion combinations per second, he said.

Both tools calculate a MD5 hash from a word list, of which different permutations can be defined by the person trying to crack the password. Young also used password lists from other noted data breaches including Sony (17,000 passwords), Rockyou (14 million), PHPBB (278,000) and MySpace (36,000).

Password lists are useful, since there is a good chance that people will have already picked easy ones. Stratfor's data didn't disappoint, and Young found that many of its passwords were contained on the lists from other data breaches, such as "jasper10," "swordfish" and "green101."

Young said his team has just a small budget and will probably calculate possible lower-case passwords as long as eight characters. Beyond that, more computing power is needed, as just calculating all of the possible lower-case word combinations for a 10-character word starting with "A" would consist of some 2.2 TB of data, Young said. All of the permutations of a possible password combination is known as the "word size."

Nation-states would easily have the computing muscle. Young said his 120 computers are "nothing compared to what a concentrated attack from the NSA or China or North Korea could throw at this."

Send news tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

More about IBM AustraliaIBM AustraliaJP MorganMicrosoftMorganNSASony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place