TL; DR: It seems that well over three-quarters of all the breached accounts were created but never used.
By now it's been widely reported that around Christmas time 2011, Stratfor suffered a significant breach. The company provides "an audience of decision-makers and sophisticated news consumers in the U.S. and around the world with unique insights into political, economic, and military developments." Disclosed data includes over 800K records, containing usernames, e-mail addresses, password hashes, physical addresses, and in numerous cases credit card account numbers, shockingly including CVV data.
By now it's been widely reported that around Christmas time 2011, Stratfor suffered a significant breach. The company provides "an audience of decision-makers and sophisticated news consumers in the U.S. and around the world with unique insights into political, economic, and military developments." Disclosed data includes over 800K records, containing usernames, e-mail addresses, password hashes, physical addresses, and in numerous cases credit card account numbers, shockingly including CVV data.
A hash is the result of processing data (like a password) with a specific type of algorithm, called a one way function. These functions are designed such that output cannot be used to derive the input. Some hashing functions are more effective at this than others, but that isn't the point of this article. Several articles analyzing the password hashes have been published already, complaining about the collectively poor password practices of end users. Generally speaking, they are correct. The Tech Herald article in particular discusses using hashCat and CPU based cracking to recover roughly 80,000 plaintext passwords after about 4 hours of tinkering on account of these weak passwords.
Top 10 Passwords |
The resulting data is interesting, as it's not very often that we get the chance to look at over 700K passwords from a single source.
Probably the surprising and under-reported insight we found is that a majority (about 630K) of the passwords we recovered appear to be randomly generated by the Stratfor site at registration time. These passwords all have a very specific set of characteristics. They are eight characters long. They consist of uppercase and lowercase letters, and digits ('mixedalphanum'). With a mid-range dual GPU machine, we were able to test and recover all passwords for that entire character set and length in just over 24 hours.
So what does this tell us? It's likely that during enrollment, the system generates a password automatically, and e-mails it to the user. Normally users are required to change the randomly generated password on subsequent logins. So it seems that well over three-quarters of all the breached accounts were created but never used. It's possible that Stratfor auto-generated a password and didn't require a change on next login, but based on our discussions with users exposed by the breach it appears that this was not the case
Password analysis tools identify other patterns as well, such as the most common 'base word', or common digit patterns. Many passwords start or end with digits to pad them out to meet password length requirements. In the context of all of the random generated passwords, the numbers are very insignificant. Patterns found have less than .25% commonality among the whole set.
So this begs the question: When there are GPU's at our disposal which make intelligent password guessing and checking easy to do, at a very rapid pace, what is a good password?
A very long one. How long? As long as the storage mechanism supports. If you have to look it up everytime, what does it matter, how long it is? It should be randomly generated, and contain as many unique characters as feasible (again, per the constraints of the password policy). Most importantly, it should be unique for that one application. Should it become compromised, it won't put your other accounts at risk. Open source password utilities (like KeePass or PasswordSafe) can be used to generate and securely store passwords. Using strong passwords and securely storing them doesn't protect against keylogging, and if an attacker has deployed a keylogger to your system, they probably have access to your filesystem as well.
For the curious, we ran the resulting Stratfor dictionary through a password analysis tool called Pipal.
Total entries = 750940Total unique entries = 713984
Top 10 passwords
stratfor = 12023 (1.6%)
123456 = 625 (0.08%)
0000 = 519 (0.07%)
password = 517 (0.07%)
stratfor1 = 426 (0.06%)
changeme = 265 (0.04%)
strat4 = 265 (0.04%)
1qaz2wsx = 232 (0.03%)
1234 = 228 (0.03%)
wright = 179 (0.02%)
Top 10 base words
stratfor = 13562 (1.81%)
password = 775 (0.1%)
strat = 498 (0.07%)
changeme = 273 (0.04%)
qaz2wsx = 254 (0.03%)
wright = 188 (0.03%)
qwerty = 182 (0.02%)
usmcportal = 148 (0.02%)
intel = 133 (0.02%)
ranger = 127 (0.02%)
Password length (length ordered)
1 = 47 (0.01%)
2 = 41 (0.01%)
3 = 266 (0.04%)
4 = 3735 (0.5%)
5 = 4198 (0.56%)
6 = 32676 (4.35%)
7 = 28599 (3.81%)
8 = 648267 (86.33%)
9 = 16592 (2.21%)
10 = 9819 (1.31%)
11 = 3568 (0.48%)
12 = 2016 (0.27%)
13 = 609 (0.08%)
14 = 359 (0.05%)
15 = 163 (0.02%)
Password length (count ordered)
8 = 648267 (86.33%)
6 = 32676 (4.35%)
7 = 28599 (3.81%)
9 = 16592 (2.21%)
10 = 9819 (1.31%)
5 = 4198 (0.56%)
4 = 3735 (0.5%)
11 = 3568 (0.48%)
12 = 2016 (0.27%)
13 = 609 (0.08%)
14 = 359 (0.05%)
3 = 266 (0.04%)
15 = 163 (0.02%)
1 = 47 (0.01%)
2 = 41 (0.01%)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||
0000000000111111
0123456789012345
One to six characters = 40957 (5.45%)
One to eight characters = 717821 (95.59%)
More than eight characters = 33119 (4.41%)
Only lowercase alpha = 62342 (8.3%)
Only uppercase alpha = 1482 (0.2%)
Only alpha = 63824 (8.5%)
Only numeric = 9959 (1.33%)
First capital last symbol = 3333 (0.44%)
First capital last number = 50259 (6.69%)
Months
january = 18 (0.0%)
february = 4 (0.0%)
march = 40 (0.01%)
april = 42 (0.01%)
may = 309 (0.04%)
june = 71 (0.01%)
july = 57 (0.01%)
august = 39 (0.01%)
september = 14 (0.0%)
october = 30 (0.0%)
november = 13 (0.0%)
december = 14 (0.0%)
Daysmonday = 20 (0.0%)
tuesday = 7 (0.0%)
wednesday = 2 (0.0%)
thursday = 4 (0.0%)
friday = 34 (0.0%)
saturday = 2 (0.0%)
sunday = 8 (0.0%)
Months (Abreviated)
jan = 450 (0.06%)
feb = 169 (0.02%)
mar = 1794 (0.24%)
apr = 255 (0.03%)
may = 309 (0.04%)
jun = 360 (0.05%)
jul = 274 (0.04%)
aug = 249 (0.03%)
sept = 42 (0.01%)
oct = 208 (0.03%)
nov = 209 (0.03%)
dec = 240 (0.03%)
Days (Abreviated)mon = 958 (0.13%)
tues = 8 (0.0%)
wed = 199 (0.03%)
thurs = 9 (0.0%)
fri = 274 (0.04%)
sat = 319 (0.04%)
sun = 457 (0.06%)
Includes years
1975 = 76 (0.01%)
1976 = 63 (0.01%)
1977 = 61 (0.01%)
1978 = 66 (0.01%)
1979 = 63 (0.01%)
1980 = 68 (0.01%)
1981 = 78 (0.01%)
1982 = 88 (0.01%)
1983 = 67 (0.01%)
1984 = 96 (0.01%)
1985 = 79 (0.01%)
1986 = 68 (0.01%)
1987 = 56 (0.01%)
1988 = 68 (0.01%)
1989 = 47 (0.01%)
1990 = 52 (0.01%)
1991 = 50 (0.01%)
1992 = 40 (0.01%)
1993 = 36 (0.0%)
1994 = 24 (0.0%)
1995 = 46 (0.01%)
1996 = 40 (0.01%)
1997 = 42 (0.01%)
1998 = 40 (0.01%)
1999 = 53 (0.01%)
2000 = 240 (0.03%)
2001 = 137 (0.02%)
2002 = 107 (0.01%)
2003 = 97 (0.01%)
2004 = 115 (0.02%)
2005 = 138 (0.02%)
2006 = 141 (0.02%)
2007 = 150 (0.02%)
2008 = 157 (0.02%)
2009 = 252 (0.03%)
2010 = 365 (0.05%)
2011 = 290 (0.04%)
2012 = 46 (0.01%)
2013 = 13 (0.0%)
2014 = 15 (0.0%)
2015 = 9 (0.0%)
2016 = 14 (0.0%)
2017 = 10 (0.0%)
2018 = 5 (0.0%)
2019 = 14 (0.0%)
2020 = 56 (0.01%)
Years (Top 10)
2010 = 365 (0.05%)
2011 = 290 (0.04%)
2009 = 252 (0.03%)
2000 = 240 (0.03%)
2008 = 157 (0.02%)
2007 = 150 (0.02%)
2006 = 141 (0.02%)
2005 = 138 (0.02%)
2001 = 137 (0.02%)
2004 = 115 (0.02%)
Single digit on the end = 87780 (11.69%)
Two digits on the end = 28409 (3.78%)
Three digits on the end = 9033 (1.2%)
Last number
0 = 6778 (0.9%)
1 = 16724 (2.23%)
2 = 17527 (2.33%)
3 = 18068 (2.41%)
4 = 15993 (2.13%)
5 = 15746 (2.1%)
6 = 15759 (2.1%)
7 = 15946 (2.12%)
8 = 15143 (2.02%)
9 = 16036 (2.14%)
||
|||| | |
|||||||||
|||||||||
|||||||||
|||||||||
|||||||||
|||||||||
|||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789
Last digit
3 = 18068 (2.41%)
2 = 17527 (2.33%)
1 = 16724 (2.23%)
9 = 16036 (2.14%)
4 = 15993 (2.13%)
7 = 15946 (2.12%)
6 = 15759 (2.1%)
5 = 15746 (2.1%)
8 = 15143 (2.02%)
0 = 6778 (0.9%)
Last 2 digits (Top 10)
23 = 2888 (0.38%)
11 = 2143 (0.29%)
00 = 2023 (0.27%)
01 = 1999 (0.27%)
12 = 1582 (0.21%)
10 = 1347 (0.18%)
34 = 1335 (0.18%)
56 = 1276 (0.17%)
99 = 1200 (0.16%)
77 = 1076 (0.14%)
Last 3 digits (Top 10)
123 = 2113 (0.28%)
000 = 995 (0.13%)
234 = 838 (0.11%)
456 = 746 (0.1%)
111 = 448 (0.06%)
007 = 432 (0.06%)
010 = 357 (0.05%)
001 = 322 (0.04%)
777 = 292 (0.04%)
011 = 284 (0.04%)
Last 4 digits (Top 10)
1234 = 791 (0.11%)
3456 = 687 (0.09%)
0000 = 606 (0.08%)
2010 = 283 (0.04%)
2011 = 240 (0.03%)
2009 = 220 (0.03%)
2000 = 210 (0.03%)
2345 = 191 (0.03%)
1111 = 146 (0.02%)
2007 = 130 (0.02%)
Last 5 digits (Top 10)
23456 = 682 (0.09%)
12345 = 181 (0.02%)
45678 = 84 (0.01%)
11111 = 69 (0.01%)
54321 = 52 (0.01%)
77777 = 47 (0.01%)
34567 = 38 (0.01%)
00000 = 34 (0.0%)
56789 = 34 (0.0%)
31313 = 29 (0.0%)
Character sets
mixedalphanum: 415810 (55.37%)
mixedalpha: 179778 (23.94%)
loweralpha: 62342 (8.3%)
loweralphanum: 61633 (8.21%)
upperalphanum: 10973 (1.46%)
numeric: 9959 (1.33%)
mixedalphaspecialnum: 6507 (0.87%)
upperalpha: 1482 (0.2%)
loweralphaspecialnum: 1343 (0.18%)
loweralphaspecial: 709 (0.09%)
mixedalphaspecial: 188 (0.03%)
upperalphaspecialnum: 65 (0.01%)
specialnum: 64 (0.01%)
upperalphaspecial: 12 (0.0%)
special: 12 (0.0%)
Character set ordering
allstring: 243602 (32.44%)
stringdigitstring: 207513 (27.63%)
othermask: 150645 (20.06%)
stringdigit: 88585 (11.8%)
digitstring: 39717 (5.29%)
alldigit: 9959 (1.33%)
digitstringdigit: 8209 (1.09%)
stringspecialdigit: 2042 (0.27%)
stringspecial: 296 (0.04%)
stringspecialstring: 277 (0.04%)
specialstring: 52 (0.01%)
specialstringspecial: 31 (0.0%)
allspecial: 12 (0.0%)
Hashcat masks (Top 10)
?l?l?l?l?l?l?l?l: 24525 (3.27%)
?l?l?l?l?l?l: 14922 (1.99%)
?l?l?l?l?l?l?l: 9925 (1.32%)
?l?l?l?l?l?l?d?d: 5381 (0.72%)
?l?l?l?l?l?l?l?l?l: 4312 (0.57%)
?d?d?d?d?d?d: 4180 (0.56%)
?u?u?d?d?d?d?d: 4018 (0.54%)
?l?l?l?l?l?l?l?d: 3207 (0.43%)
?l?l?l?l?d?d?d?d: 3074 (0.41%)
?l?l?l?l?l: 2917 (0.39%)
The main list of passwords, the "majority" you talk of, was for the free Stratfor mailing list that you subscribe to on their website. The remainder will have been paying Stratfor subscribers.
ReplyDeleteUnless you changed your subscription info for their free mailing list, there was no need ever for the password/to login. If you bought a book or a subscription, I believe that Stratfor would require you to login at that point.