Follow-up analysis of the Stratfor password list (Part 1).(IMG: J.Anderson)
Earlier this month, The Tech Herald examined list of 860,160 passwords that were compromised by supporters of the AntiSec movement during a Christmas Eve attack on Strategic Forecasting Inc. (Stratfor). This new report examines the list after further testing, and includes additional information.
For the record, Stratfor has since returned to the Internet in the wake of the attack. They’ve declared AntiSec’s actions an attempt at censorship, and deemed them a failure. Moreover, Stratfor admitted to their faults when it came to the questionable collection and storage of personal and financial information. At this point however, the past cannot be erased. Stratfor says they’ve learned from the incident and promised to strengthen controls moving forward. [Further Reading]
As mentioned previously, during the first round of testing the discovery of weak passwords was expected. Again, the state of password management and creation is still living in the Dark Ages. Further, we have only ourselves to blame, because when it comes to pure password-based security it looks as if technology has defeated the human element.
The initial research on the Stratfor password list had one goal overall - to see what a novice could obtain when cracking the list with nothing but the basics. After that, we wanted to know if the problems related to passwords, such as predictable length and structure, extended to the professional world. It does.
The initial test gave us 81,883 passwords in 4 hours, 53 minutes, and 6 seconds. The second test, spread out over the week following the initial report, gave us an additional 38,029 passwords. So now, armed with only a basic set of word lists and commonly used passwords, we managed to get 119,912 passwords out of the list. That’s just shy of 14% of the passwords taken from Stratfor.
Without stretching into the realm of FUD, business leaders and network management teams should be concerned by our results, because we’re not criminals - we’re geeks. This was just a fun bit of research, with no malicious goals, and yet we managed to get the results we did with minimum effort on our part.
How many of the compromised hashes would a motivated attacker crack? Any answer that doesn’t simply state ‘all of them’ is wrong. In fact, the complete Stratfor list (all 860,160 hashes) was cracked within days of its release by two separate vendors in order to promote their products and deliver pitches to the media and perspective customers.
Those vendors used rainbow tables, which are massive lists of hashes that are used to make matches. Cracking passwords with this method allows massive lists to be broken within hours. However, sometimes it can take massive amounts of space and computing power. We didn’t use rainbow tables for our test, because we wanted to keep things as basic as possible.
We used a single system instead. It’s an HP purchased at Wal-Mart during their 2011 Black Friday sale. Think about that for a second. A system worth less than $300.00 USD cracked 14% of the Stratfor list. With 3GB of RAM and an AMD processor, the system isn’t powerful by any stretch. But it’s so easy to crack passwords these days that you don’t need expensive hardware. Any system will do.
CPU AMD E-300 Dual-Core (1.30 GHz)
RAM PC3-8500 DDR3 (3GB total)
GPU AMD Radeon HD 6310 Integrated Graphics
OS Windows 7 Home Premium 64-bit
The tool used to crack the password hashes themselves was Hashcat, an amazing application supported by a great community of developers and users. Hashcat comes with several rule sets for GPU and CPU cracking. We used the same wordlists as before, and added the Best 64 and Password Pro rules, which squeezed the additional 38,000 passwords out. Yet, Hashcat is just one of the tools available on the Web password cracking. There are hundreds of them out there.
Hashcat GUI v0.4.6
Skill isn’t needed either. In fact, tools such as the one we used can be managed by anyone who takes the time to read the documentation. Case in point, a 10-year-old cracked some of the passwords on our list.
Using only the GUI-based inputs, he was able to load a word list, select the rules to use, initiate the GPU, and monitor the results. He cracked several hundred passwords until he got bored and wandered off to do other things, but not before he made a few comments about some of the passwords he noticed.
“Dad, why is he picking a password like that? That’s silly. Doesn’t he know that anyone who knows his email address will know his password too?”
The word lists used in the previous test are the same lists used in this test. The difference the between the two tests rests solely on the use of GPU cracking to speed things up, and the rules within Hashcat. Previously, we used word vs. word cracking. This is a classic dictionary attack, which allowed us to match ‘abc123’ with a MD5 hash exactly, or a slight variation such as ‘ABC123’ or ‘123ABC’.
Using the small word list as an example, which contains common passwords, as well as previously cracked passwords from Facebook, MySpace, Singles.org, Hotmail, and Gawker, in addition to a wide assortment of words and other jargon, we managed to pull 26,690 passwords in the first test. Using the rules from Hashcat, the second test delivered nearly 20,000 additional passwords. This gave us 46,671 passwords from the small list alone.
The medium word list (split between one larger list and six smaller ones) offered us 27,511 passwords. These lists consisted of common names, Italian, Greek, Russian, English, and Dutch words and phrases; three and four character passwords, and a list of passwords compromised during the phpBB breach.
The large word list, once again split into five separate sets, offered 23,200 passwords when the totals were combined. The large lists were comprised of a larger set of common passwords, passwords from RockYou.com, keyboard combination passwords, unsorted words and phrases, and a listing of words from the English language version of Wikipedia.
We noticed immediately that there were variations between the totals from the first test and the second test. For example, while the small list cracked far more passwords the second time around, the large list seemed to offer less. The reason for this comes from the cracking rules used during the second set. The rules offered more password combinations per dictionary word. Previously, the larger word lists were the source of these combinations. Since the MD5 hash was removed from the master list once it was recovered, the larger lists were less effective. Thus, they ended up returning fewer recovered hashes.
Since we focused on rules for the second test, it’s worth examining them. Hashcat’s rule system, when combined with solid source material such as the word lists, can quickly cut through basic password creation methodologies.
For example, there are rules that deal with character exchange. So the letter A will be replaced with the ‘@’ symbol or the number 4. A word from the dictionary could be modified to add the current year to the end (pass = pass2012). In this case, the years 1900-2012 were attempted. Likewise, digits were added to the beginning or end of a string (pass = pass1 or 1pass), and those were rotated from 0-9.
Case switching was another rule, turning the word ‘cat’ into ‘cAt’ or ‘caT’. Then you had removal rules, which would take ‘pass123’ from the dictionary in an attempt to make a match, and when that failed it would try ‘pass12’ or ‘pass13’ instead. There were rules that would shift characters as well. So ‘Michael’ could be attempted as ‘ichaelM’ or ‘iMchael’.
Rules are also designed to take the base word from the dictionary and replicate some or all of it. When that happens, abc123 would be modified as aabbcc112233, aabc123, abcc123, abcc1233, etc.
This list represents a small sample of the passwords that were cracked thanks to the aforementioned rule examples.
As before, once we had our cracked hashes, we examined the list to look for patterns and other data we felt was worth noting.
Password Totals by Character Length
Test 2 (Test 1)
08 Characters 32,978 (21,080)
06 Characters 28,586 (23,440)
07 Characters 25,659 (15,394)
09 Characters 13,100 (08,309)
10 Characters 07,391 (04,179)
05 Characters 03,911 (03,863)
04 Characters 02,938 (02,832)
11 Characters 02,863 (01,411)
Once again, the top eight character breakdown accounted for the majority of the cracked hashes. The next set of information comes from examining the list of 119,912 passwords in greater context. After the first report was published, we were asked about the commonality of proper nouns (names and places), as well as the breakdown of passwords by letter, in addition to character length.
Password Totals by Beginning Character
(Character) (Percentage – rounded)
Top 10 within the Top 5 by Beginning Character
Top 30 Proper Noun Passwords
We also calculated the number of times a variation of the word Stratfor was used as a password. Such a pattern can prove two things. First, it can prove that the password was a throwaway password. Yet, by that token, it can also be a sign of someone creating passwords based on the site that they are registering them for.
The Top 20 Stratfor Passwords
Finally, the images below represent the character breakdown and the top passwords within each set. Copies of the full report are available on a case-by-case basis, and can be obtained by emailing [email protected]. Also available are the word lists used during testing, and the cracked passwords.
In Part 2 of this report, we’ll examine some of the issues associated with authentication, as well as why some of the more popular methods used to create passwords, even those that are considered to be complex, are quickly becoming useless.
From our Other Sites
This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]
Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.
McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]
Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.
This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]
This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.
This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.