About a week ago, I had briefly mentioned the Stratfor breach, and how they had stored credit card numbers and other data as plaintext. If you’re storing credit card data, let me tell you, you want to be using encryption software (and you never ever store CVVs — even when encrypted. That’s a PCI-DSS requirement).
Anyhow, it turns out that it wasn’t just Stratfor that was engaging in bad security practices. Its clients were also a little remiss when it came to passwords.
Utah Valley University Cracking Passwords
Researchers at Utah Valley University are using 120 computers to decode the hashed passwords that were dumped by Anonymous, obtained during the Stratfor hack (along with the credit card numbers).
Rather than store passwords in clear text…Stratfor stored a cryptographic representation of victims’ passwords called an MD5 hash, generally considered a wise security practice. Young [a researcher at UVU] set up the 120 computers in order to decode the MD5 password hashes released by the hackers… [pcworld.com]
The cracked passwords will not be revealed (no legitimate research organization would do that). However, some details were revealed:
They are able to produce from 8 billion passwords per second to 62 billon passwords per second.
They are looking at lower-case passwords that are 8 characters or less in length.
They’ve been able to decode over 160,000 passwords
Hashed but Not Salted?
How did the UVU researchers “crack” 160,000 passwords? Easy. They didn’t have to. Hashing is different from true cryptography. Under one-way hashes, a word always ends up in the same garbled string of text. This is how a zdnet.com post describes hashing:
Have you ever lost our password and asked a system administrator what it was? It’s true that system administrators often have access to the password file, but they can’t tell you your password. One-way hashing is used to encrypt passwords. This is quite an appropriate application of these algorithms. After all, the computer doesn’t really care that your password is “snookums”, it only cares that you enter precisely that every time you attempt to log in. Therefore, when you enter your password, the computer can one-way hash it and compare the result to the version in the password file.
I’ll repeat it once more: under hashing, a word always ends up garbled the same way. So, for example, if one of the passwords in the Stratfor dump was “careless”, then UVU only has to run the world “careless” through the MD5 algorithm and compare the resulting hash with the list in the Stratfor dump.
Because of this, many companies usually salt the passwords. For example, maybe they’ll add $23ltas to the end of the password and then hash it. The presence of one extra character will result in a completely different hashed outcome; using something like $23ltas does the same, but also ensures that no one figures out what the salt happens to be. Knowing the salt, again, would lead to easily figuring out the original password.
Which makes me wonder: what did the Stratfor guys use as a salt? The recovery of 160,000 passwords seems to imply that UVU either guessed it correctly….or that there wasn’t any salting going on. When you consider what type of “security” surrounded the credit card information, I’m kinda leaning on Stratfor reaching for some bland French fries, if you know what I mean.