The attack on Stratfor by Anonymous over the Christmas period raised plenty of eyebrows at the tenacity of the hacktivists and their ongoing capabilities.
However, another story emerged subsequently: the passwords in use were pretty weak. In fact, this is the same old story we have heard again and again: users reused the same basic, weak password across several sites and applications and were never made aware of the need for a strong one.
According to IDG, the leaked password hashes are being cracked at Utah Valley University to study what kind of passwords people use, and whether they are complex enough to thwart all but the most determined attackers.
Rather than storing passwords in clear text, Stratfor stored a cryptographic representation of its customers' passwords as MD5 hashes, and it is these hashes that are now being cracked. A hash is not decrypted or decoded; it is matched by guessing candidate passwords, hashing each one and comparing the result with the leaked value.
This is exactly how the ‘John the Ripper' cracking application and the ‘oclHashcat' program (which is designed to use the parallel throughput of graphics processors) work: both compute the MD5 hash of every word in a word list, together with permutations of each word defined by the person doing the cracking, and report a hit whenever a computed hash equals one of the leaked hashes. Because MD5 is fast and, as used here, carries no per-user salt, each candidate hash can be checked against the entire leaked set at once.
Password lists from other noted data breaches, including Sony (17,000 passwords), RockYou (14 million), phpBB (278,000) and MySpace (36,000), were compared against the Stratfor set; the finding was that many passwords had been used before and continued to be used despite already appearing in breached data.
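As an added illustration of the mechanics described above (this is example code, not anything from the original article, IDG, UVU, John the Ripper or oclHashcat), the following Python script runs each wordlist entry through a few mangling rules, MD5-hashes the candidate, looks the digest up in the set of leaked hashes, and finally checks the recovered plaintexts against a prior breach list for reuse. The wordlist, the "leaked" hashes and the prior-breach list are all constructed for the example; the rules in `mangle()` are a simplified stand-in for the rule sets real crackers apply.

```python
import hashlib
import string


def md5hex(candidate: str) -> str:
    """Unsalted MD5 hex digest: the representation the leaked hashes use."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


# Constructed wordlist: a handful of entries standing in for a real dictionary.
WORDLIST = ["password", "letmein", "stratfor", "summer", "123456", "11111111", "123123"]

# Constructed "prior breach" list standing in for the RockYou/MySpace/phpBB dumps.
PRIOR_BREACH = {"password1", "letmein", "123456", "Summer2011"}

# Constructed "leaked" hashes. The last entry is a random-looking password that
# no rule below will produce, so it should survive the attack.
TARGET_HASHES = {
    md5hex(p)
    for p in ["123456", "11111111", "Password1", "letmein!",
              "Summer2011", "p455w0rd", "Xq9#vLp2!wZ"]
}

# Simple character substitutions of the kind users think make a password strong.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word: str):
    """Yield permutations of one wordlist entry, mimicking basic cracking rules:
    case changes, leet substitution, and common digit/symbol/year suffixes."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    suffixes = [""] + list(string.digits) + ["!", "123", "2011", "2012"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix


def crack_md5(target_hashes, wordlist, mangler=mangle):
    """Return {hash: plaintext} for every target recovered.

    Each candidate is hashed once and checked against *all* remaining targets,
    which is why unsalted fast hashes fall so quickly: the cost does not grow
    with the number of victims.
    """
    remaining = set(target_hashes)
    cracked = {}
    for word in wordlist:
        for candidate in mangler(word):
            digest = md5hex(candidate)
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return cracked
    return cracked


def reused_passwords(cracked, prior_breach):
    """Plaintexts recovered here that already appeared verbatim in an earlier breach."""
    return {p for p in cracked.values() if p in prior_breach}


if __name__ == "__main__":
    found = crack_md5(TARGET_HASHES, WORDLIST)
    print(f"cracked {len(found)} of {len(TARGET_HASHES)} hashes")
    for digest, plaintext in found.items():
        print(f"  {digest}  {plaintext}")
    print("already seen in a prior breach:", sorted(reused_passwords(found, PRIOR_BREACH)))
```

Six of the seven constructed hashes fall to a seven-word list and a few rules; only the random-looking one survives. Note that "Password1", "letmein!" and "Summer2011" all satisfy the usual mixed-case-plus-digit-or-symbol complexity rules, yet each is a dictionary word with one rule applied, which is the point the article goes on to make. Two practical caveats: a per-user salt would force the `remaining` lookup to become a separate hashing run per victim, and a deliberately slow password hash would cut the candidate rate by orders of magnitude; neither changes the outcome for "123456".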
Steve Watts, co-founder of SecurEnvoy, said this proves that the human element in security is now the weakest link. “Put simply, they really should have known better, as the user list of the hacked accounts reportedly included US military personnel, IT staff at the Bank of America and JP Morgan, as well as IT professionals with IBM and Microsoft,” he said.
“If these professionals cannot get their password security sorted, then what hope is there for the rest of the internet user community? This revealing analysis proves our mantra that conventional passwords are dead in the water on the security front – especially with powerful password-crunching technology so readily available.”
An examination by the Tech Herald of 860,160 password hashes found the results "both expected and pitiful", adding: "We're sorry to report that the state of password management and creation is still living in the Dark Ages."
It also sifted the passwords by length; among its more interesting findings were statistics on the number of characters in a typical password. It found that 23,440 passwords had six characters, 1,411 had 11 and 82 had 14.
At the other end of the scale, 343 had three characters, 53 had two characters and 49 used just one character. Its analysis also found that trivial passwords such as 123456, 11111111 and 123123 were common among Stratfor customers.
I caught up with Stephen Howes, former CTO of the pattern-based authentication vendor GrIDsure, which was acquired by Cryptocard last year. He commented that, at the start of the New Year, we still see the same old problem with the use of passwords.
He said: “It seems that wherever you go and whatever you do nowadays, you are required to use a PIN or password, and if you do anything over the phone, you are asked to answer a so-called ‘security question' such as your mother's maiden name or place of birth to confirm your identity. In short, we the public are being overloaded by the need for security, but the more we use these ‘secrets', the less secret and weaker they become.”
Howes claimed that the Stratfor attacks show how the concept of a strong password consisting of upper and lower case letters, numbers and other symbols is flawed, as many of the published cracked passwords were such ‘strong passwords' and were nevertheless compromised by increasingly sophisticated cracking software.
“What can we do about it? The password is not likely to go away any time soon and they provide reasonable security in low-risk situations. Despite this, people should choose sensible passwords, and organisations have a duty of care to hold this data using strong encryption and should keep this data separate from other obviously identifiable personal information, thereby making the job of the bad guy as difficult as possible,” he said.
Howes suggested that perhaps a new approach is required to force a change in the industry, with the general public needing to tell organisations that they are not satisfied with the way they are securing information and that they will take their business elsewhere. “If we all started to do this then I suspect that organisations will start to take security a little more seriously,” he said.
The argument around password security could, and probably will, go on forever. There is no simple solution to the human factor in security and, as Howes points out, in this case many of the cracked passwords were ‘strong passwords' combining numbers and upper and lower case letters, so solving that is not easy.
However, the bigger challenge highlighted by this breach is that people re-use passwords over and over, and perhaps the next hurdle should be to encourage them to use a different password for each service. Quite how that is expected to succeed is anyone's guess.