Friday, March 30, 2012

Utah County Researcher Cracks Stratfor Passwords

In an earlier blog post, I talked about the hack against Stratfor, whose user password hashes, credit card hashes, and e-mail were leaked to the public. One might ask: what happens to those databases once they are leaked? Kevin Young, a fellow Utah County security researcher and friend, decided to make a research project out of the leak.

He grabbed a copy of the hash and credit card database, set up a password cracking farm, and started cracking. Here are some excerpts from the conversation we had:

Kevin: I've gone round and round Stratfor a couple of times now.

Kevin: I had about 150k of the 860k then quit to focus on the CC hashes. I got most all of the CC hashes.

Blake: What percent of the CC hashes would you say you have?

Kevin: 90%+

Kevin: Then, I restarted about 2 months ago -- I could get an exact date if you need it -- to completely start over again on the 860k list. I wanted a better methodology and recordkeeping. That's when I figured this was publishable research.

Blake: So you did in fact restart your cracking against the password hash database?

Kevin: Yes

Blake: After restarting, how many have you cracked?

Kevin: 208,807. Now... that excludes a LOT of duplicates.

I went on to ask Kevin what the most complex password was. He gave me almost a dozen complex passwords, including passphrases. Frankly, I was shocked. I knew he had been doing research and writing custom password cracking rules, but it was staggering to see what he was getting in return. Per Kevin's request, I will not post actual passwords, as they are in fact passwords for REAL individuals out there. However, I asked permission to slightly modify passwords while still keeping the structure, and he agreed. Here are some examples of cracked passwords:

sokjologia41

ZXbsPW12!^

Abcrtyuaop^$456

Go Gators!

You can follow Kevin and his research on Twitter: @IT3700 or his blog: http://infoseceducation.blogspot.com/

Disclaimer: I received permission from Kevin Young to post this and quote him. He has reviewed the content and signed off on it.
