Report: Analysis of the Stratfor Password List
by Steve Ragan - Jan 2 2012, 17:25
Analysis of the Stratfor Password List. (IMG: J.Anderson)
Just before the holiday weekend, as their final act of defiance in 2011, AntiSec supporters published nearly a million records taken during the Christmas Eve attack on Strategic Forecasting Inc. The Tech Herald has examined the list of 860,160 password hashes that were leaked, and the results of our tests were both expected and pitiful.
We’re sorry to report that the state of password management and creation is still living in the Dark Ages.
The statistical breakdown of the passwords below should shock no one. The usage of passwords that are easily guessed or cracked by the majority of people online is just expected these days. So while examining the Stratfor password list leaked by AntiSec, we were not surprised to see seriously weak passwords.
Yet, the people on the Stratfor list, and the companies or government agencies they represent, know better than to use such shoddy passwords. These organizations have the capacity to enforce strong password usage. The individuals representing these organizations cannot offer a single excuse as to why they selected such an impressive collection of horrible authentication credentials. They’re supposed to care about authentication and access, yet they use things like ‘qwerty’ for a password.
It doesn’t matter if their respective Stratfor accounts were viewed as nonessential or less valuable, because the general tone of the passwords selected by the users was personal in nature. This paints a picture of someone who is used to using a password that is easy to recall, which also means they are likely to reuse it.
So what do we mean by passwords that are personal in nature? Some of the cracked passwords leveraged names (‘Hanna,’ ‘Robert,’ or ‘James’), important dates (‘19871987,’ or ‘1996linda’), or personal markers such as ‘blink182’ or ‘1996ford.’
Password recycling, as in using the same password on multiple accounts online, has been proven a serious security risk. Such practices have led to several disastrous incidents in 2011. HBGary Federal, as well as several law enforcement agencies in Texas, Kansas, Arkansas, and Arizona, were each exposed in a humiliating fashion after recycled passwords allowed their attackers a stronger foothold.
Another risk centers on easily guessed passwords that are cracked in a matter of seconds. For example, 123456, 11111111, 123123, 123qwe, or 1q2w3e4r5t, were the first five passwords cracked when we started our little project. They were discovered in less than a second.
Stratfor’s registration process recommended six characters with at least one of them being a number when it came to the user’s password. We were not able to test the upper limits of Stratfor’s registration form, but we know that it allowed single character passwords on the low end, 23 characters at the top. In fact, of the 81,883 passwords we cracked, 49 of them were single characters, and 51 of them were 15-23 characters long.
So Stratfor's registration form did nothing to encourage strong passwords or prevent the worthless ones. This is surprising for a company that collects and shares intelligence, but they’re not alone with this practice. Many of the registration forms online are fickle. No two forms are alike when it comes to password acceptance, which leads to weak and recycled passwords.
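A registration-time screen of the kind the form lacked, as an added example (not code from Stratfor or The Tech Herald). The 12-character minimum, the tiny blocklist, and the `screen_password` and `context_words` names are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed blocklist: a production check would load a large breached-password
# corpus; these entries are passwords (or their base words) quoted in the article.
BLOCKLIST = {"123456", "11111111", "123123", "123qwe", "1q2w3e4r5t",
             "qwerty", "password", "blink182", "hello123", "opsec"}

# Keyboard rows and sequences used to spot "walks" such as qwertyuiop or 123456.
SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz"]
MIN_LENGTH = 12  # assumption: a policy choice, not a value from the article


def _walk_fraction(pw: str) -> float:
    """Fraction of characters covered by runs of >= 3 from a known sequence."""
    covered = [False] * len(pw)
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):          # forward and reversed walks
            for i in range(len(pw) - 2):
                j = i + 3
                if pw[i:j] in s:
                    while j < len(pw) and pw[i:j + 1] in s:
                        j += 1              # extend the run as far as it goes
                    for k in range(i, j):
                        covered[k] = True
    return sum(covered) / len(pw) if pw else 0.0


def screen_password(password: str, context_words=()) -> list:
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    pw = unicodedata.normalize("NFKC", password)
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if low in BLOCKLIST:
        reasons.append("known_breached")
    if len(set(pw)) <= 2:                   # '******', '11111111'
        reasons.append("repeated_characters")
    if _walk_fraction(low) >= 0.75:
        reasons.append("keyboard_walk")
    # Strip digits and symbols so 'password1981' still matches its base word.
    core = re.sub(r"[^a-z]", "", low)
    if core in BLOCKLIST or any(w.lower() in low for w in context_words):
        reasons.append("dictionary_or_context_word")
    return reasons
```

Passing the site or company name in `context_words` is what catches entries like ‘12345stratfor’, which is long enough to pass a length-only rule.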
As mentioned, of the 860,160 password hashes released, we cracked 81,883 of them. This should worry most Network Administrators and business leaders, because we only spent a total of 4 hours, 53 minutes, and 6 seconds cracking the list.
However, given that we were able to pull 81,883 passwords in a short amount of time, it’s clear that some government agencies and enterprise operations need to examine their password policies. Some of these passwords should never be allowed on a web application or network (example: ****** - yes six stars), and they should never be selected for general usage.
As this report is being written, we’re actually cracking the remainder of the items in the list. It’s a slow process. The system doing the cracking isn’t the most powerful on the block, but it does the job nicely. Once we’ve finished, or the week ends (whichever comes first), we’ll provide updates as needed.
To crack the Stratfor list, we used Hashcat. It’s a great tool, honestly, and we feel it lives up to the claim of being the “world’s fastest CPU based hash cracker.” Yet, the word lists we fed to Hashcat are what got the ball rolling on our research.
This is something else that should make administrators and executives take note. We didn’t do anything advanced to obtain our list of passwords. We spent no money. There was no grid cracking or cloud hosting, just a desktop and about 400MB worth of words. Anyone can do this; it’s as simple as loading the hashes and word lists, starting the cracking process, and walking away.
In the time it took to watch a movie, Hashcat smashed more than 80,000 passwords. How many of those cracked passwords and leaked email accounts can be used to stage a larger attack on the organizations contained within the list? We’re not going to test that, obviously, but someone will.
Cracking 81,833 Passwords
To give an idea of what we used to crack the leaked password hashes, we’ll start by looking at the word lists and their effectiveness.
Small Word List
In total, we used 26 lists in the Small set (1KB – 896KB in size). We started with a list of common passwords, followed by a list of names (male and female) in Arabic and Iranian. From there we used a list with the names of people in Congress, words from the King James Bible, common 2 character passwords, words from the book 1984, Australian words and phrases, terms taken from the World Fact Book, various computer phrases and jargon, programming-based phrases, and previously cracked passwords from Facebook, MySpace, Singles.org, Hotmail, and Gawker.
Just over 7 minutes later, we had our first set of cracked passwords. In all, the Small Word List set yielded 25,690 passwords.
Medium Word List
In total, we used 11 lists in the Medium set (1,224KB – 7,798KB in size). These lists included words and phrases from the Dutch, Greek, Russian, Italian, and English languages, as well as a list of names (surnames, common first and last names, middle names, and obscure names). We included common 3 and 4 character passwords, passwords compromised after the phpBB breach, as well as a larger list of common passwords, and words taken from the Oxford English Dictionary.
This list took longer to obtain, 30 minutes and 15 seconds to be exact, but in the end it accounted for 21,933 additional cracked hashes.
Large Word List
In total, there were 5 lists in the Large set (12,738KB – 229,862KB in size). To make things faster, we ran Hashcat against a single item in the Large set at a time.
The first pass, against an even larger list of Common passwords, ran for 10 minutes and 37 seconds, for 5,765 passwords. The second pass, using a list of passwords compromised during the RockYou.com breach, ran for 1 hour, 21 minutes, and 33 seconds. This time, we were able to pull 21,395 passwords. The third pass, using an unsorted list of random words, was the lowest yielding pass. It took just over 7 minutes to obtain 416 passwords.
The fourth pass, using a list of common passwords generated with keyboard combinations (example: 123ewqasd), took just over 10 minutes to find an additional 1,683 passwords. The final pass, using a list of words taken from the English language version of Wikipedia, ran for 1 hour, 25 minutes, and 12 seconds, but only managed to produce 3,625 passwords.
At this point, we had only obtained 80,507 passwords. So we turned on Hashcat’s built-in rules feature and ran the Small Word List set against the remaining un-cracked password hashes. This added the final 1,326 passwords used in this breakdown. It took about an hour to get them.
Password Breakdown (analyzing the massive list)
Once we had a list of cracked passwords, it was time to examine them to see what patterns or obvious problems emerged. Below is a breakdown of the massive list, with what we feel is useful information for anyone from an IT professional to a curious reader. If you have questions about the data, or want to know something further, leave a comment and let us know.
Password Totals by Character Length
6 Characters: 23,440
8 Characters: 21,080
7 Characters: 15,394
9 Characters: 8,309
10 Characters: 4,179
5 Characters: 3,863
4 Characters: 2,832
11 Characters: 1,411
The top eight accounted for the majority of the cracked passwords. However, for the curious, the list rounds out with: 12 Characters (627), 3 Characters (343), 13 Characters (165), 14 Characters (84), 2 Characters (53), 1 Character (49), 15 Characters (25), 16 Characters (13), 17 Characters (7), 20 Characters (3), 19 Characters (3), 18 Characters (2), and 23 Characters (1).
Common Passwords by Character Length
Once the passwords were sorted by character length, we went a step further to see what passwords were used the most, in addition to examining the passwords that were created with unique characters.
Top 10 lists are separated by those that were letters only, and those that begin with a number. In addition, the breakdown list shows the most common passwords that were created with special characters. Some lists did not have special character passwords. The actual breakdown report and cracked passwords are available on a case-by-case basis. Send an email to firstname.lastname@example.org to inquire about them.
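The breakdown described above can be reproduced for an internal password audit with a short script. This is an added example, not The Tech Herald's tooling: the sample is constructed from passwords quoted in this article, and the bucket precedence and the "at least six characters" reading of the form's recommendation are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: passwords quoted in the article, with repeats added to
# stand in for reuse counts; a real audit reads its own cracked-output file.
SAMPLE = ["123456", "123456", "123456", "qwerty", "qwerty", "123123",
          "123qwe", "blink182", "1996ford", "19871987", "1996linda",
          "Hanna", "Robert", "James", "James", "******", "help4me!",
          "opsec", "hello123", "Password01!"]


def classify(pw: str) -> str:
    """Bucket a password like the article's lists (precedence is assumed)."""
    if any(not c.isalnum() for c in pw):
        return "special"
    if pw.isalpha():
        return "letters_only"
    if pw[:1].isdigit():
        return "starts_with_digit"
    return "other"


def meets_recommendation(pw: str) -> bool:
    """The form's recommendation: six characters, at least one a number."""
    return len(pw) >= 6 and any(c.isdigit() for c in pw)


def breakdown(passwords, top_n=10):
    """Length totals, top-N per (length, class), and recommendation share."""
    lengths = Counter(len(p) for p in passwords)
    groups = defaultdict(Counter)
    for p in passwords:
        groups[(len(p), classify(p))][p] += 1
    top = {key: c.most_common(top_n) for key, c in sorted(groups.items())}
    return {
        "length_totals": lengths.most_common(),
        "top": top,
        # Cracked passwords that nevertheless satisfied the recommendation.
        "compliant_but_cracked": sum(map(meets_recommendation, passwords)),
        "total": len(passwords),
    }


if __name__ == "__main__":
    report = breakdown(SAMPLE)
    for length, count in report["length_totals"]:
        print(f"{length:>2} characters  {count}")
    print(report["compliant_but_cracked"], "of", report["total"],
          "cracked passwords met the recommendation")
```

The `compliant_but_cracked` figure is the one to watch in an audit: it counts passwords that satisfied the stated rule and still fell to a word list.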
[Update: Scribd keeps deleting the PDF file. Source images are below.]
As the images show, the problems associated with passwords reach beyond typical Internet users, and extend into government organizations and large enterprise operations. This isn’t a surprising revelation, but it’s sad and frightening all the same.
Organizations should consider their password policies, and audit them with tools such as Hashcat annually at the least.
Another option is to use a password manager such as LastPass or KeePass, which will generate strong passwords for you. The trick is to make it as difficult as possible. Length and complexity are the key.
When it comes to passwords, everything can be cracked eventually. Yet, it's hard to justify the use of even a single password out of the 81,833 we were able to crack. Many of them were just silly, there's no other way to put it. With that said, here's a selection of some of the more ridiculous ones from the cracked hashes.
************ 111222333444 112233qqwwee 1234567890qw 123456789abc
123456789kkk 1234567890$ 12345678901 1ntell1gence 12345stratfor
P@ss1234P@ss1234 PassWord123!@# Password0032 password1234
password1981 password2009 password9191 Password999. P@$$w0rd123
Password01! password101 Password12* password122 Password123
q1w2e3r4t5y6 qazwsx123123 qazwsx654321 qazwsxedc123 qwer1234qwer
qwerty123456 qwertyuiop00 administration basketball
blackwater blackberry blackwatch blackhawks blockbuster
blackberry123 Braveheart123 biochemistry conservative
Changeme12345 footballfreak generalpatton
globalaffairs globalization geopolitical hello123
help4me! hongkong islamofascist intelligence lawenforcement
liveandletlive mypassword1 opsec outstanding Overlord888
stephanopoulos super5collider surveillance4u thx1138thx1138