Follow-up analysis of the Stratfor password list (Part 1)by Steve Ragan - Jan 16 2012, 13:00
Earlier this month, The Tech Herald examined a list of 860,160 passwords that were compromised by supporters of the AntiSec movement during a Christmas Eve attack on Strategic Forecasting Inc. (Stratfor). This new report examines the list after further testing, and includes additional information.
For the record, Stratfor has since returned to the Internet in the wake of the attack. They’ve declared AntiSec’s actions an attempt at censorship, and deemed them a failure. Moreover, Stratfor admitted to their faults when it came to the questionable collection and storage of personal and financial information. At this point however, the past cannot be erased. Stratfor says they’ve learned from the incident and promised to strengthen controls moving forward. [Further Reading]
As mentioned previously, during the first round of testing the discovery of weak passwords was expected. Again, the state of password management and creation is still living in the Dark Ages. Further, we have only ourselves to blame, because when it comes to pure password-based security it looks as if technology has defeated the human element.
The initial research on the Stratfor password list had one goal overall - to see what a novice could obtain when cracking the list with nothing but the basics. After that, we wanted to know if the problems related to passwords, such as predictable length and structure, extended to the professional world. It does.
The initial test gave us 81,883 passwords in 4 hours, 53 minutes, and 6 seconds. The second test, spread out over the week following the initial report, gave us an additional 38,029 passwords. So now, armed with only a basic set of word lists and commonly used passwords, we managed to get 119,912 passwords out of the list. That’s just shy of 14% of the passwords taken from Stratfor.
Without stretching into the realm of FUD, business leaders and network management teams should be concerned by our results, because we’re not criminals - we’re geeks. This was just a fun bit of research, with no malicious goals, and yet we managed to get the results we did with minimum effort on our part.
How many of the compromised hashes would a motivated attacker crack? Any answer that doesn’t simply state ‘all of them’ is wrong. In fact, the complete Stratfor list (all 860,160 hashes) was cracked within days of its release by two separate vendors in order to promote their products and deliver pitches to the media and prospective customers.
Those vendors used rainbow tables, which are massive precomputed tables of hashes and the plaintexts that produce them, used to look up matches. Cracking passwords with this method allows massive lists to be broken within hours. However, the tables themselves can take massive amounts of space and computing power to build and use. We didn’t use rainbow tables for our test, because we wanted to keep things as basic as possible.
We used a single system instead. It’s an HP purchased at Wal-Mart during their 2011 Black Friday sale. Think about that for a second. A system worth less than $300.00 USD cracked 14% of the Stratfor list. With 3GB of RAM and an AMD processor, the system isn’t powerful by any stretch. But it’s so easy to crack passwords these days that you don’t need expensive hardware. Any system will do.
CPU AMD E-300 Dual-Core (1.30 GHz)
RAM PC3-8500 DDR3 (3GB total)
GPU AMD Radeon HD 6310 Integrated Graphics
OS Windows 7 Home Premium 64-bit
The tool used to crack the password hashes themselves was Hashcat, an amazing application supported by a great community of developers and users. Hashcat comes with several rule sets for GPU and CPU cracking. We used the same wordlists as before, and added the Best 64 and Password Pro rules, which squeezed the additional 38,000 passwords out. Yet, Hashcat is just one of the tools available on the Web for password cracking. There are hundreds of them out there.
Hashcat GUI v0.4.6
Skill isn’t needed either. In fact, tools such as the one we used can be managed by anyone who takes the time to read the documentation. Case in point, a 10-year-old cracked some of the passwords on our list.
Using only the GUI-based inputs, he was able to load a word list, select the rules to use, initiate the GPU, and monitor the results. He cracked several hundred passwords until he got bored and wandered off to do other things, but not before he made a few comments about some of the passwords he noticed.
“Dad, why is he picking a password like that? That’s silly. Doesn’t he know that anyone who knows his email address will know his password too?”
The word lists used in the previous test are the same lists used in this test. The difference between the two tests rests solely on the use of GPU cracking to speed things up, and the rules within Hashcat. Previously, we used word vs. word cracking. This is a classic dictionary attack, which allowed us to match ‘abc123’ with an MD5 hash exactly, or a slight variation such as ‘ABC123’ or ‘123ABC’.
Using the small word list as an example, which contains common passwords, as well as previously cracked passwords from Facebook, MySpace, Singles.org, Hotmail, and Gawker, in addition to a wide assortment of words and other jargon, we managed to pull 26,690 passwords in the first test. Using the rules from Hashcat, the second test delivered nearly 20,000 additional passwords. This gave us 46,671 passwords from the small list alone.
The medium word list (split between one larger list and six smaller ones) offered us 27,511 passwords. These lists consisted of common names, Italian, Greek, Russian, English, and Dutch words and phrases; three and four character passwords, and a list of passwords compromised during the phpBB breach.
The large word list, once again split into five separate sets, offered 23,200 passwords when the totals were combined. The large lists were comprised of a larger set of common passwords, passwords from RockYou.com, keyboard combination passwords, unsorted words and phrases, and a listing of words from the English language version of Wikipedia.
We noticed immediately that there were variations between the totals from the first test and the second test. For example, while the small list cracked far more passwords the second time around, the large list seemed to offer fewer. The reason for this comes from the cracking rules used during the second test. The rules offered more password combinations per dictionary word. Previously, the larger word lists were the source of these combinations. Since each MD5 hash was removed from the master list once it was recovered, the larger lists were less effective. Thus, they ended up returning fewer recovered hashes.
Since we focused on rules for the second test, it’s worth examining them. Hashcat’s rule system, when combined with solid source material such as the word lists, can quickly cut through basic password creation methodologies.
For example, there are rules that deal with character exchange. So the letter A will be replaced with the ‘@’ symbol or the number 4. A word from the dictionary could be modified to add the current year to the end (pass = pass2012). In this case, the years 1900-2012 were attempted. Likewise, digits were added to the beginning or end of a string (pass = pass1 or 1pass), and those were rotated from 0-9.
Case switching was another rule, turning the word ‘cat’ into ‘cAt’ or ‘caT’. Then you had removal rules, which would take ‘pass123’ from the dictionary in an attempt to make a match, and when that failed it would try ‘pass12’ or ‘pass13’ instead. There were rules that would shift characters as well. So ‘Michael’ could be attempted as ‘ichaelM’ or ‘iMchael’.
Rules are also designed to take the base word from the dictionary and replicate some or all of it. When that happens, abc123 would be modified as aabbcc112233, aabc123, abcc123, abcc1233, etc.
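The rule functions described above (character exchange, appended years and digits, case switching, removal, shifting and replication) map onto Hashcat's single-character rule syntax. The following is an added example, not Hashcat's code or anything from the report: a small interpreter for a subset of that syntax, plus an audit routine that runs word x rule candidates against unsalted MD5 hashes so a defender can check which passwords a basic rule set reaches. All hashes and words below are constructed demo data, not Stratfor's.

```python
import hashlib

# Interpreter for a subset of Hashcat's rule functions (an added example, not
# Hashcat's own code). A rule is a string of functions applied left to right
# to one dictionary word; position N uses Hashcat's 0-9,A-Z digit notation.
def apply_rule(word, rule):
    i = 0
    while i < len(rule):
        f = rule[i]
        n = int(rule[i + 1], 36) if f in "TDzZ" else 0  # positional argument
        if f == "c": word = word[:1].upper() + word[1:].lower()
        elif f == "t": word = word.swapcase()
        elif f == "d": word = word * 2                         # duplicate word
        elif f == "q": word = "".join(ch * 2 for ch in word)   # abc123 -> aabbcc112233
        elif f == "{": word = word[1:] + word[:1]              # Michael -> ichaelM
        elif f == "]": word = word[:-1]                        # pass123 -> pass12
        elif f == "$": i += 1; word = word + rule[i]           # append char
        elif f == "^": i += 1; word = rule[i] + word           # prepend char
        elif f == "s": word = word.replace(rule[i + 1], rule[i + 2]); i += 2
        elif f == "T": word = word[:n] + word[n:n + 1].swapcase() + word[n + 1:]; i += 1
        elif f == "D": word = word[:n] + word[n + 1:]; i += 1  # delete position n
        elif f == "z": word = word[:1] * n + word; i += 1      # z1: abc123 -> aabc123
        elif f == "Z": word = word + word[-1:] * n; i += 1     # Z1: abc123 -> abc1233
        elif f != ":": raise ValueError("unsupported rule function: " + f)
        i += 1
    return word

def year_rules(start=1900, end=2012):
    """One append rule per year, e.g. '$2$0$1$2' turns 'pass' into 'pass2012'."""
    return ["".join("$" + ch for ch in str(y)) for y in range(start, end + 1)]

def audit_md5(hashes, words, rules):
    """Return {hash: plaintext} for unsalted MD5 hashes that some word x rule
    candidate reproduces; a policy check for what a basic rule set recovers."""
    found = {}
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            h = hashlib.md5(cand.encode()).hexdigest()
            if h in hashes:
                found[h] = cand
    return found

# Constructed demo data (not Stratfor's): MD5 of passwords built the ways the
# article describes, plus one that the rules below never reach.
DEMO = {hashlib.md5(p.encode()).hexdigest(): p for p in
        ["p@ss2012", "cAt", "ichaelM", "pass12", "aabc123", "Tr0ub4dor&3"]}
DEMO_WORDS = ["pass", "cat", "Michael", "pass123", "abc123"]
DEMO_RULES = [":", "T1", "{", "]", "z1"] + ["sa@" + y for y in year_rules()]
```

Calling `audit_md5(set(DEMO), DEMO_WORDS, DEMO_RULES)` recovers five of the six demo hashes from five base words and 118 rules; the sixth is not a mangled dictionary word and stays unrecovered, which is the property a password policy should be aiming for.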
This list represents a small sample of the passwords that were cracked thanks to the aforementioned rule examples.
As before, once we had our cracked hashes, we examined the list to look for patterns and other data we felt was worth noting.
Password Totals by Character Length
Length         Test 2   (Test 1)
8 characters   32,978   (21,080)
6 characters   28,586   (23,440)
7 characters   25,659   (15,394)
9 characters   13,100   (8,309)
10 characters  7,391    (4,179)
5 characters   3,911    (3,863)
4 characters   2,938    (2,832)
11 characters  2,863    (1,411)
Once again, the eight most common lengths accounted for the majority of the cracked hashes. The next set of information comes from examining the list of 119,912 passwords in greater context. After the first report was published, we were asked about the commonality of proper nouns (names and places), as well as the breakdown of passwords by beginning letter, in addition to character length.
Password Totals by Beginning Character
(Character) (Percentage – rounded)
Top 10 within the Top 5 by Beginning Character
Top 30 Proper Noun Passwords
We also calculated the number of times a variation of the word Stratfor was used as a password. Such a pattern can indicate one of two things. First, it can indicate that the password was a throwaway password. Yet, by that token, it can also be a sign of someone creating passwords based on the site that they are registering them for.
The Top 20 Stratfor Passwords
Finally, the images below represent the character breakdown and the top passwords within each set. Copies of the full report are available on a case-by-case basis, and can be obtained by emailing firstname.lastname@example.org. Also available are the word lists used during testing, and the cracked passwords.
In Part 2 of this report, we’ll examine some of the issues associated with authentication, as well as why some of the more popular methods used to create passwords, even those that are considered to be complex, are quickly becoming useless.