He grabbed a copy of the hash and credit card database, set up a password cracking farm, and started cracking. Here are some excerpts from the conversation we had:
Kevin: I've gone round and round stratfor a couple of times now.
Kevin: I had about 150k of the 860k then quit to focus on the CC hashes. I got most all of the CC hashes.
Blake: What percent of the CC hashes would you say you have?
Kevin: Then, I restarted about 2 months ago -- I could get an exact date if you need it -- to completely start over again on the 860k list. I wanted a better methodology and recordkeeping. That's when I figured this was publishable research.
Blake: So you did in fact restart your cracking against the password hash database?
Blake: After restarting, how many have you cracked?
Kevin: 208,807. Now...that excludes a LOT of duplicates.
I went on to ask Kevin what the most complex password was. He gave me almost a dozen complex passwords, including pass phrases. Frankly, I was shocked. I knew he had been doing research and writing custom password cracking rules, but it was staggering to see what he was getting in return. Per Kevin's request, I will not post actual passwords, as they are in fact passwords for REAL individuals out there; however, I asked permission to slightly modify passwords while still keeping the structure, and he agreed. Here are some examples of cracked passwords:
You can follow Kevin, and his research on Twitter: @IT3700 or his blog: http://infoseceducation.
Disclaimer: I received permission from Kevin Young to post this and quote him. He has reviewed the content and signed off on it.