December 9, 2016

Stratfor Site Still Down as Password Analysis Reveals Weaknesses

(LiveHacking.Com) – Stratfor.com, the website of global intelligence-analysing firm Strategic Forecasting Inc., remains offline after the Christmas Eve hacker attack. The site currently says that Stratfor is investigating the security breach and is working diligently to prevent it from ever happening again! Stratfor will only restore the website once its security review is finished.

In the meantime, the nearly one million records stolen by the hackers have been published online, and The Tech Herald has examined the list of password hashes and started cracking them, with surprising results. The passwords, which were stored as MD5 hashes, were cracked using a variety of methods including dictionary attacks and brute-force attacks. Using the Hashcat password recovery tool (together with GPU processing), the Tech Herald team managed to crack 81,883 of the 860,160 published password hashes in under 5 hours. That’s 270 passwords per minute. Why? Due to the weaknesses in the passwords. And when I say weak, I mean stupidly weak. One account even had the password ****** – yes, six asterisks.

By just using a set of small word lists, made up of common passwords, names and words from the King James Bible, the team cracked nearly 26,000 passwords in 7 minutes. The team then went on to use larger and larger word lists, including words and phrases from other languages (such as Russian and Italian), surnames and common keyboard combinations (e.g. 123ewqasd).

Some of the interesting passwords found include:

  • 111222333444
  • 12345stratfor
  • blackberry
  • blockbuster
  • globalization
  • hello123
  • qwerty
  • password
  • mypassword1
  • stratfor
  • Password123
  • washington
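The following Python example is added here to illustrate, from the defender's side, why the numbers above are possible: a word-list check against unsalted MD5 needs only one hash per candidate word for the whole user base, whereas salted, iterated hashing forces a separate slow derivation per account and per guess, and a registration-time check would have rejected every password on the list. It is not code from the article or from The Tech Herald; the sample accounts, the tiny word list and the iteration counts are constructed for the demo (a real audit list has millions of entries, and production iteration counts are far higher).

```python
import hashlib
import hmac
import os

# Constructed sample accounts using passwords the article lists as recovered,
# plus the six-asterisk one. Nothing here comes from the leaked data set.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "qwerty",
    "carol": "hello123",
    "dave": "stratfor",
    "erin": "Password123",
    "frank": "******",
    "grace": "winter-sparrow-ledger-42",   # deliberately not in the word list
}

# Small constructed word list standing in for the common-password lists
# the article describes; a real audit list has millions of entries.
WORDLIST = ["letmein", "password", "qwerty", "123456", "hello123",
            "stratfor", "Password123", "******", "washington"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def audit_unsalted_md5(stored_hashes: dict, wordlist: list) -> dict:
    """Dictionary check against unsalted MD5 hashes.

    Each word is hashed exactly once and the result is looked up against
    every account at the same time: the cost does not grow with the number
    of accounts, which is why 860k hashes fall at hundreds per minute.
    Returns {account: recovered_password}.
    """
    lookup = {md5_hex(w): w for w in wordlist}
    return {acct: lookup[h] for acct, h in stored_hashes.items() if h in lookup}


def hash_password(password: str, iterations: int) -> dict:
    """Store a password as salted PBKDF2-HMAC-SHA256 (a stand-in for any
    slow, salted scheme such as bcrypt, scrypt or Argon2)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(record: dict, candidate: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])  # constant-time compare


def audit_salted(records: dict, wordlist: list) -> tuple:
    """The same dictionary check against salted, iterated hashes.

    Because every salt differs, each (account, word) pair needs its own
    full derivation: the work is per account and per guess, with no shared
    lookup table. Returns ({account: password}, number_of_derivations).
    """
    found, derivations = {}, 0
    for acct, rec in records.items():
        for w in wordlist:
            derivations += 1
            if verify_password(rec, w):
                found[acct] = w
                break
    return found, derivations


def is_weak_password(password: str, wordlist: list, min_len: int = 12) -> bool:
    """Registration-time check that would have rejected every password in
    the article's list: too short, on the common list, or a single repeated
    character (the '******' case)."""
    if len(password) < min_len:
        return True
    if password.lower() in {w.lower() for w in wordlist}:
        return True
    if len(set(password)) == 1:
        return True
    return False


if __name__ == "__main__":
    md5_store = {acct: md5_hex(pw) for acct, pw in SAMPLE_ACCOUNTS.items()}
    print("unsalted MD5 recovered:", audit_unsalted_md5(md5_store, WORDLIST))

    # 10_000 iterations keeps this demo quick; production deployments use
    # hundreds of thousands, or a memory-hard function such as Argon2.
    pbkdf2_store = {acct: hash_password(pw, 10_000)
                    for acct, pw in SAMPLE_ACCOUNTS.items()}
    found, n = audit_salted(pbkdf2_store, WORDLIST)
    print(f"salted PBKDF2 recovered: {found} after {n} derivations")
    print("weak:", {pw: is_weak_password(pw, WORDLIST)
                    for pw in SAMPLE_ACCOUNTS.values()})
```

Running the script shows the same six accounts recovered in both cases: the word list is what defeats them, not the hash function. What the salted run changes is the cost per recovered account, which is the lever a site operator actually controls, together with refusing passwords like these at registration time.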