Researchers studying the passwords exposed by the Christmas-day attack on the security firm Stratfor Global Intelligence say that many of the passwords have turned out to be “simple and easy to decode.”
That assessment comes from Utah Valley University’s Kevin Young, area IT director and an adjunct professor who teaches information security. Using 120 computers, researchers at the university are decoding the encrypted passwords, which were revealed by a group purporting to be the AntiSec branch of Anonymous.
The story comes from PCWorld’s Jeremy Kirk, who goes on to describe the weaknesses Young has found thusfar in short, simple passwords and in the MD5 hashing algorithm Stratfor employed to secure them:
Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of victims' passwords called an MD5 hash, generally considered a wise security practice. Young set up the 120 computers in order to decode the MD5 password hashes released by the hackers.
With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.
While MD5 is still a widely used cryptographic hash function, it’s not perfect. Design flaws were found as early as 1996, and US-CERT has since said that the function “should be considered cryptographically broken and unsuitable for further use.” Most U.S. government applications now require the SHA-2 family of hash functions.
Of course, as Young pointed out to Kirk, what makes the imperfect hashing scenario particularly worrisome is that the computing power employed by the university pales in comparison to what a nation state can throw at a decryption target.
According to the LA Times, Anonymous late last month released two batches of account information on 860,000 Stratfor subscribers.
Those subscribers include many officials who are central to the country’s financial system, holders of intellectual property, and/or instrumental to the United States’s national defense.
Given that Stratfor analyzes national and international affairs, it counts among its clientele hundreds of U.S. intelligence, law enforcement and military officials, including the U.S. State Department; international banks such as Bank of America and JP Morgan Chase; and tech companies such as IBM and Microsoft.
Anonymous revealed email addresses, names and credit card numbers belonging to some 75,000 customers, including former U.S. Vice President Dan Quayle and former U.S. Secretary of State Henry A. Kissinger.
As Kirk points out, the credit card data is of ephemeral value to criminals. It’s the email addresses and cracked passwords that could enable malicious actors to identify some of Stratfor’s subscribers and to potentially impersonate them in cyberspace.
Young told Kirk that he’s decoded more than 160,000 Stratfor passwords, with many of the weak passwords belonging to those in organizations such as the U.S. Marine Corps, where the creation of a safe password should be well-understood and well-implemented.
Time for a reminder on how to create a safe password. In a nutshell:
- Use a minimum of eight or nine characters.
- Mix upper- and lower-case letters.
- Use numbers and/or punctuation.
- Never use the same password twice.
You can Frankenstein yourself a delightfully ungainly beast this way. An example: One of my previous passwords is Tb=0tS2!
How did I ever remember it? That nonsense string contains the first letters of a sentence in which I’ve swapped the first letter of each word for the entire word, thus foiling brute-force dictionary decryption.
There’s more to it than that, of course. Sophos’s Graham Cluley outlines the technique in this video.
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
Happy New Year. Have you made your resolutions?
How about this one: Let’s all resolve to do a hygiene check on our passwords. Remember, Anonymous is out there.
They don’t forgive, they don’t forget, and they certainly don’t refrain from spilling the beans on passwords that fall into their ever-expanding net.
Want to understand more about password hashes and how they work? Listen to this podcast where Chester Wisniewski and Paul Ducklin explain the ins and outs of password hashing.
(9 January 2011, duration 16:58 minutes, size 12.2 MBytes)