Apparently my ruminations, yesterday, on Stratfor not salting their passwords were not mere speculation. I kind of had doubts because I couldn’t imagine a company in this day and age not salting their password hashes (it’d be like using the password as the key to drive encryption — a bad and discouraged practice).
Then, I ran across this entry at troyhunt.com.
Update (11 JAN 2012): Stratfor’s website is back up, and according to thewashingtonpost.com, the CEO has admitted that the company didn’t encrypt customer information.
“Saltless Password Hashes are a Thin Veneer of Security”
Troy Hunt, who covered the Stratfor situation way ahead of me, notes that
We now know that customer passwords were stored as direct MD5 hashes; there was no use of salts. According to the Pastebin release [link removed], 54% of the accounts were easily cracked using a dictionary attack with the UNIQPAS password list. Once you have 30 million real world passwords, hashing and comparing these to a breached database becomes a pretty straightforward event.
I searched the Pastebin site, and it looks like only the third and last posting of the passwords still remains as of today.
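The attack Troy Hunt describes, unsalted MD5 hashes compared against a wordlist, is worth seeing in code because it makes the cost asymmetry obvious. The block below is an added example written for this post, not code from the original page, from Troy Hunt, or from the breach data. The account list and the six-entry wordlist are constructed stand-ins (the real UNIQPASS list is far larger); the store and crack functions are mine. It shows why the unsalted case is so cheap: every candidate word is hashed once and then looked up for all accounts at the same time, and two customers who both chose "stratfor" end up with the same stored hash. With a random per-account salt the same wordlist has to be re-hashed for every account.

```python
import hashlib
import os

# Constructed sample data (NOT from the Stratfor dump): email -> chosen password.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "stratfor",
    "bob@example.com": "password1",
    "carol@example.com": "stratfor",
    "dave@example.com": "Xq7!v9#mLp2$",   # deliberately absent from the wordlist
}

# Constructed toy wordlist standing in for UNIQPASS.
WORDLIST = ["123456", "password", "stratfor", "password1", "letmein", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(accounts: dict) -> dict:
    """What the breach revealed: email -> md5(password), no salt."""
    return {email: md5_hex(pw.encode()) for email, pw in accounts.items()}


def store_salted(accounts: dict, salt_len: int = 16) -> dict:
    """Per-account random salt: email -> (salt_hex, md5(salt || password)).
    MD5 is kept only to match the page's discussion; a real deployment would
    use a slow password hash (bcrypt, scrypt or Argon2) instead."""
    out = {}
    for email, pw in accounts.items():
        salt = os.urandom(salt_len)
        out[email] = (salt.hex(), md5_hex(salt + pw.encode()))
    return out


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash each word once, build a reverse table, then look every account up.
    Returns (cracked {email: password}, number of hash computations).
    Work is len(wordlist) no matter how many accounts leaked."""
    table = {md5_hex(w.encode()): w for w in wordlist}
    cracked = {email: table[h] for email, h in db.items() if h in table}
    return cracked, len(table)


def crack_salted(db: dict, wordlist: list) -> tuple:
    """The salt must be prepended before hashing, so the reverse table cannot be
    shared between accounts: the wordlist is re-hashed per account.
    Returns (cracked {email: password}, number of hash computations)."""
    cracked = {}
    hashes = 0
    for email, (salt_hex, target) in db.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            hashes += 1
            if md5_hex(salt + w.encode()) == target:
                cracked[email] = w
                break
    return cracked, hashes


def count_password(cracked: dict, needle: str) -> int:
    """How many cracked accounts used exactly this password (case-sensitive)."""
    return sum(1 for pw in cracked.values() if pw == needle)


if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_ACCOUNTS)
    got, work = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted: cracked {len(got)}/{len(unsalted)} with {work} hashes")
    print("alice and carol share a stored hash:",
          unsalted["alice@example.com"] == unsalted["carol@example.com"])
    print('"stratfor" chosen by', count_password(got, "stratfor"), "cracked accounts")

    salted = store_salted(SAMPLE_ACCOUNTS)
    got_s, work_s = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {len(got_s)}/{len(salted)} with {work_s} hashes")
```

The salted version still cracks the weak passwords, which is the other half of the point: a salt only removes the shared-table shortcut and forces the attacker to pay per account. It does nothing for a customer whose password is the company name, and MD5 is fast enough that per-account work against a real wordlist remains feasible, which is why a deliberately slow hash is the current recommendation.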
According to a notice at the top of the list of email addresses and passwords,
# These are 28517 of 53281 (54%) passwords from the list of STRATFOR customer accounts cracked
# with dictionary attack using wordlist from UNIQPASS – http://dazzlepod.com/uniqpass/
# The complete list of leaked accounts can be found at http://dazzlepod.com/stratfor/
I take this to mean that out of 53,281 password cracks attempted, 28,517 were successful. According to online sources, approximately 860,000 passwords were released, so the information in Pastebin represents about 6% of the total data.
“stratfor” Pretty Popular as Password
While there may have been 28,517 separate listings, the final page only had 4,778. As I scanned the list, I kept seeing the word “stratfor” show up. Out of curiosity, I did a search and found that “stratfor” was used as a password by 198 of the 4,778 entries.
That’s 4% of clients using the name of the company as their password (actually, I made a mistake here. I should have calculated it out of a total sample size of 53,281, which makes it 0.37%). Of the 198,
stratfor – 179 occurrences
Stratfor – 2
STRATFOR – 3
Another 14 differed by adding extra letters or numbers (which I should probably not count towards “stratfor”…but, honestly, adding an extra number is not really much more secure).
Now, compare it to Gawker’s massive data breach from 12 months ago. In that particular breach, approximately 1.3 million passwords were obtained by hackers. Of those, “gawker” was used as a password in 225 instances. Two hundred twenty-five instances out of 1.3 million vs. 179 instances out of 53,281 (179, since I have to compare apples with apples).
Of course, this comparison is not entirely fair since I should be comparing Gawker’s 1.3 million vs. Stratfor’s 860,000. But, we’ve also got to assume that there are more instances of “stratfor” showing up as a password in the approximately 800,000 remaining passwords where cracks were not attempted. I wouldn’t be surprised if the figure quintupled from 179 (at least).
Yesterday, I had noted that Stratfor’s clients use weak passwords. My findings today are not entirely surprising…and, yet, they are.