09 January 2012

Stratfor Hack Shows Even Experts Use Awful Passwords


Anonymous' massive year-end attack on the global-security consulting firm Stratfor showed that even top-tier executives at the world's largest corporations don't have a clue about the importance of a strong password.

On Dec. 24, Anonymous announced it had hacked into the Austin, Texas, think tank Strategic Forecasting Inc. (Stratfor) and stolen thousands of private email addresses and credit-card details from the firm's clients and recipients of its emailed newsletters, which include Boeing, Bank of America, Chevron, AIG, Sony, HSBC, Wells Fargo, Google, the United Nations and all four branches of the U.S. military.

Five days later, Anonymous published the list of more than 859,311 email addresses, 860,160 hashed passwords, 68,063 credit cards and 50,569 phone numbers, Identity Finder reported.

Stratfor offers free subscriptions to some of its emailed newsletters. Most of its products must be paid for, including in-depth reports and custom consultations.

Cybersecurity expert John Bumgarner told the Los Angeles Times that among the email addresses and credit-card numbers were some belonging to former U.S. Secretary of State Henry Kissinger and former U.S. Vice President Dan Quayle. (SecurityNewsDaily could not verify that assertion.)

Using a computer-automated password-cracking tool called Hashcat, the tech-news site the Tech Herald sifted through the leaked logs to see what type of passwords Stratfor's clients and subscribers used to keep their sensitive accounts secure. The results, Tech Herald security editor Steve Ragan wrote, were "both expected and pitiful."

Stratfor clients used easy-to-guess passwords such as "123456," "11111111," and "123123." Other terribly insecure passwords: "111222333444," "12345678901," "administration," "123456789abc," "12345stratfor," "hello123," "lawenforcement" and "intelligence."

A batch of weak passwords played off the word "password" itself, including "password1234," "password101," "password123," "password122" and "Password999." In just under five hours, Hashcat was able to crack 81,883 of the 860,160 leaked passwords.

"In the time it took to watch a movie, Hashcat smashed more than 80,000 passwords," Ragan wrote. "How many of those cracked passwords and leaked email accounts can be used to stage a larger attack on the organizations contained within the list? We're not going to test that, obviously, but someone will."

Ragan said Stratfor's online registration process recommends users create passwords at least six characters long, including at least one number. Out of all the passwords successfully deciphered, 23,440 consisted of six characters, 15,394 had seven characters and 21,080 had eight characters.

Security experts recommend building long, complex, case-sensitive passwords that mix character types. Stratfor clients clearly did not heed that advice; only 1,411 of the leaked Stratfor passwords were 11 characters long. The count fell further as length increased: 627 people had 12-character passwords, and only 165 had 13-character passwords.
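As an added illustration (not code from the article, Tech Herald or Stratfor), the following Python audit applies the registration rule Ragan describes, six characters with at least one digit, beside checks for the weak classes the article lists, and tallies password lengths the way Tech Herald did. The sample list, the small wordlist and the 12-character threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the weak passwords quoted in the article plus two stronger ones.
SAMPLE = ["123456", "11111111", "123123", "111222333444", "12345678901",
          "administration", "123456789abc", "12345stratfor", "hello123",
          "lawenforcement", "intelligence", "password1234", "password101",
          "password123", "password122", "Password999",
          "Tr0ub4dor&3-lighthouse", "correct horse battery staple"]

# Tiny constructed wordlist standing in for the dictionary a cracking tool would try.
COMMON_WORDS = {"password", "hello", "admin", "administration",
                "lawenforcement", "intelligence", "welcome"}

def meets_stratfor_policy(pw):
    """The registration rule Ragan describes: at least six characters, one of them a digit."""
    return len(pw) >= 6 and any(c.isdigit() for c in pw)

def weak_reasons(pw, service="stratfor", min_len=12):
    """List why a password falls into the weak classes seen in the leak (empty list = none)."""
    low = pw.lower()
    reasons = []
    if len(pw) < min_len:
        reasons.append("shorter than %d" % min_len)
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(low)) <= 3:
        reasons.append("three or fewer distinct characters")
    # Any four consecutive digits that form an ascending run such as 1234 or 9012.
    if any(pw[i:i + 4].isdigit() and pw[i:i + 4] in "0123456789012"
           for i in range(len(pw) - 3)):
        reasons.append("sequential digits")
    base = re.sub(r"^\d+|\d+$", "", low)  # strip leading/trailing digit padding
    if base in COMMON_WORDS:
        reasons.append("dictionary word plus digits")
    if service in low:
        reasons.append("contains service name")
    return reasons

def length_histogram(pws):
    """Length distribution, the statistic Tech Herald reported for the cracked set."""
    return Counter(len(pw) for pw in pws)

def audit(pws):
    """Passwords that satisfy the six-plus-one-digit rule yet still match a weak class."""
    return {pw: weak_reasons(pw) for pw in pws
            if meets_stratfor_policy(pw) and weak_reasons(pw)}
```

Running `audit(SAMPLE)` flags 13 of the 14 sample passwords that satisfy the six-plus-one-digit rule, while the long passphrase fails that rule despite matching no weak class, which is the gap between the stated policy and the advice above.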

If you're wondering whether your password, email address or credit card information was exposed in Anonymous' attack on Stratfor, Dazzlepod has created a free search tool that will scour the leaked info for you and let you know if you need to worry.