Stratfor's password paucity

Researchers studying the passwords exposed by the Christmas-day attack on the security firm Stratfor Global Intelligence say that many of the passwords have turned out to be "simple and easy to decode."

That assessment comes from Utah Valley University's Kevin Young, area IT director and an adjunct professor who teaches information security.

Using 120 computers, researchers at the university are decoding the encrypted passwords, which were revealed by a group purporting to be the AntiSec branch of Anonymous.

The story comes from PCWorld's Jeremy Kirk, who goes on to describe the weaknesses Young has found thusfar in short, simple passwords and in the MD5 hashing algorithm Stratfor employed to secure them:

Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of victims' passwords called an MD5 hash, generally considered a wise security practice. Young set up the 120 computers in order to decode the MD5 password hashes released by the hackers.

With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.

While MD5 is still a widely used cryptographic hash function, it's not perfect. Design flaws were found as early as 1996, and US-CERT has since said that the function "should be considered cryptographically broken and unsuitable for further use." Most US government applications now require the SHA-2 family of hash functions.

Of course, as Young pointed out to Kirk, what makes the imperfect hashing scenario particularly worrisome is that the computing power employed by the university pales in comparison to what a nation state can throw at a decryption target.

According to several media reports, Anonymous late last month released two batches of account information on 860,000 Stratfor subscribers.

Those subscribers include many officials who are central to the country's financial system, holders of intellectual property, and/or instrumental to the United States's national defence.

Given that Stratfor analyses national and international affairs, it counts among its clientele hundreds of US intelligence, law enforcement and military officials, including the US State Department; international banks such as Bank of America and JP Morgan Chase; and tech companies such as IBM and Microsoft.

Anonymous revealed email addresses, names and credit card numbers belonging to some 75,000 customers, including former US Vice President Dan Quayle and former US Secretary of State Henry A. Kissinger.

As Kirk points out, the credit card data is of ephemeral value to criminals. It's the email addresses and cracked passwords that could enable malicious actors to identify some of Stratfor's subscribers and to potentially impersonate them in cyberspace.

Young told Kirk that he's decoded more than 160,000 Stratfor passwords, with many of the weak passwords belonging to those in organisations such as the US Marine Corps, where the creation of a safe password should be well-understood and well-implemented.

Time for a reminder on how to create a safe password. In a nutshell:

  • Use a minimum of eight or nine characters.
  • Mix upper- and lower-case letters.
  • Use numbers and/or punctuation.
  • Never use the same password twice.

You can Frankenstein yourself a delightfully ungainly beast this way. An example: One of my previous passwords is Tb=0tS2!

How did I ever remember it? That nonsense string contains the first letters of a sentence in which I've swapped the first letter of each word for the entire word, thus foiling brute-force dictionary decryption.

Lisa Vaas is a technology writer for Sophos, see her profile and other articles here

More from Business Spectator