While users need to select stronger passwords to access online services, enterprises also need to enforce strong security policies for the Websites and applications.
As Stratfor continues rebuilding its Website after the cyber-attack in which email
addresses and other personal details of its subscribers were leaked, the
company is coming under fire for its weak passwords and security policies.
Attackers breached Strategic Forecasting on Dec. 24 and stole over 200GB of data belonging to
individuals and organizations that had registered for access to its publications
on global intelligence analysis. More than 860,000 password hashes
from the registration database have been dumped since.
The Tech Herald analyzed the leaked files and was able to crack 81,883 password
hashes in less than five hours using common password-cracking tools and basic equipment. "The
system doing the cracking isn't the most powerful on the block, but it does the
job nicely," Tech Herald's Steve Ragan wrote. The password hashes were
cracked using Hashcat, a free CPU-based hash cracker, fed with various dictionary
lists available online.
Using a group of lists containing common passwords, names of people in Congress,
words from the King James Bible, various computer jargon and programming
phrases, previously dumped lists from Gawker and other sites, and other lists,
Hashcat was able to crack 25,690 passwords. A more extensive list that added
words and phrases from various languages as well as common three- and four-character
passwords, among others, yielded 21,933 additionally cracked hashes. It took
Hashcat less than an hour to crack over 47,000 password hashes, according to the Tech Herald's account.
There was "nothing original" about the techniques The Tech Herald used
to crack the password hashes, and they were "most likely very similar to what
the bad guys will use," Rick Wanner, a technical analyst at SaskTel, wrote
on the SANS Institute's Internet Storm
Center blog. The analysis highlighted the weakness of relying on passwords.
"The weakest link in security is the user," Wanner said, noting that there
needs to be user education in good password creation and management.
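As an added illustration, and not code from the article, The Tech Herald or the Hashcat project, the following Python reproduces the shape of the attack described above on constructed data: a small wordlist run through simple mangling rules (append a year, as in "ford1996"), then a short exhaustive search of the kind that sweeps up three- and four-character passwords, both against unsalted MD5 hashes. The article does not say which hash function Stratfor stored, so unsalted MD5, the demo accounts, the wordlist and the PBKDF2 work factor are all assumptions made here. The same guesses are then run against per-user salted PBKDF2 to show what changes on the defender's side, and `passes_stated_policy` encodes the six-characters-plus-a-number rule the article attributes to Stratfor.

```python
"""Dictionary attack and short brute force against unsalted MD5, beside the
same guesses run against per-user salted PBKDF2. Every input is constructed."""
import hashlib
import itertools
import os
import string

# Constructed demo accounts; none of these come from the Stratfor dump.
DEMO_PASSWORDS = {
    "u1": "123456",      # throwaway password
    "u2": "qwerty",      # throwaway password
    "u3": "ford1996",    # personal reference: word plus year
    "u4": "Sarah2008",   # name plus year
    "u5": "x9q",         # short password a policy should have rejected
    "u6": "correct-horse-battery-staple-77",  # in no list here; should survive
}
# Tiny stand-in for the dictionaries the article lists (common passwords,
# names, jargon, earlier dumps). Also constructed.
WORDLIST = ["123456", "password", "qwerty", "ford", "sarah", "segfault"]
# Work factor for the salted comparison, kept low so the demo finishes in a
# second or two; production settings are in the hundreds of thousands.
DEMO_ITERS = 1_000


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_unsalted_db(passwords):
    """What leaks from a site storing unsalted MD5: {user: hexdigest}.
    Assumption: the article does not say which hash Stratfor actually used."""
    return {user: md5_hex(pw) for user, pw in passwords.items()}


def candidates(wordlist, years=range(1990, 2013)):
    """Mangling rules of the kind cracking tools apply: the bare word, its
    capitalised form, and each with a four- or two-digit year appended."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for year in years:
                yield f"{base}{year}"
                yield f"{base}{year % 100:02d}"


def _users_by_hash(db):
    index = {}
    for user, digest in db.items():
        index.setdefault(digest, []).append(user)
    return index


def crack_unsalted(db, wordlist):
    """One MD5 per guess tests every account at once: without a salt, equal
    passwords have equal hashes, so a dict lookup replaces per-user work."""
    index, cracked, hashes_computed = _users_by_hash(db), {}, 0
    for guess in candidates(wordlist):
        hashes_computed += 1
        for user in index.get(md5_hex(guess), []):
            cracked[user] = guess
    return cracked, hashes_computed


def brute_force_short(db, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaust every string up to max_len: 36 + 36**2 + 36**3 = 47,988 guesses
    here; four characters adds only 1,679,616 more. A policy that lets
    one-to-four character passwords through does nothing against this."""
    index, cracked = _users_by_hash(db), {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guess = "".join(chars)
            for user in index.get(md5_hex(guess), []):
                cracked[user] = guess
    return cracked


def build_salted_db(passwords, iterations=DEMO_ITERS):
    """Per-user random salt plus a deliberately slow KDF: {user: (salt, key)}."""
    db = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return db


def crack_salted(db, wordlist, iterations=DEMO_ITERS):
    """Same guesses, but each must be re-derived per user (the salt rules out
    shared hashes and precomputed tables) at `iterations` HMAC rounds apiece."""
    cracked, kdf_calls = {}, 0
    for user, (salt, key) in db.items():
        for guess in candidates(wordlist):
            kdf_calls += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations) == key:
                cracked[user] = guess
                break
    return cracked, kdf_calls


def passes_stated_policy(pw):
    """The rule the article attributes to Stratfor, read as a minimum: six
    characters with at least one number. Three of the four dictionary-cracked
    demo passwords satisfy it."""
    return len(pw) >= 6 and any(c.isdigit() for c in pw)


if __name__ == "__main__":
    unsalted = build_unsalted_db(DEMO_PASSWORDS)
    print("unsalted dictionary:", crack_unsalted(unsalted, WORDLIST))
    print("unsalted short brute force:", brute_force_short(unsalted))
    print("salted dictionary:", crack_salted(build_salted_db(DEMO_PASSWORDS), WORDLIST))
    print({pw: passes_stated_policy(pw) for pw in ("123456", "qwerty", "ford1996", "x9q")})
```

Two things are worth noticing when this runs. First, the salted run recovers exactly the same four weak passwords as the unsalted one; salting and key stretching multiply the attacker's cost (here by the number of users and by the iteration count, since no guess can be shared or precomputed) but cannot rescue "123456" or "ford1996" from a wordlist, which is the article's point about user choice. Second, three of those four cracked passwords satisfy the six-characters-plus-a-number rule, so even an enforced version of that policy would not have stopped this attack; only the one-to-three character search is something the policy, had it been enforced, would have made irrelevant.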
The list of cracked passwords showed a high proportion of passwords built from
birthdates, names of family members or some other personal reference
(such as "ford1996"). Unlike "throwaway" passwords such as
"123456" and "qwerty," these personal passwords are more
likely to be reused on other sites because they are easier for the user to remember.
The reuse of passwords across multiple accounts is a well-recognized phenomenon,
according to Jay
Heiser, a research vice president at Gartner. It is increasingly difficult
for users to remember complex passwords because of the growing number of
applications that require them and frequent changes.
"Instead of telling users not to write down their passwords, ask them to treat passwords
as carefully as they treat their own money," he said.
Since enterprises can't reliably track whether users are reusing passwords from their
personal accounts on corporate applications, they should ensure all
corporate passwords are strong and unique and require regular password changes
so that passwords are not reused, Heiser said.
Stratfor's subscribers and the companies and government agencies they represent are generally part of the intelligence
community and should be considered fairly savvy about authentication.
"Given the professional profile of the people using the Stratfor website I
find it disheartening to see that many were using simple and easy to guess
passwords," security consultant Brian Honan wrote in the SANS Institute's
Internet Storm Center blog. Stratfor's password
policy recommends that users select passwords of six characters with at least
one number. However, Stratfor clearly did not enforce the recommendation, as
the Herald found a handful of users who had selected a single character as their password.
The Stratfor incident should be a "reminder" to revisit password
complexity and update frequency policies, said Cameron Camp, a security
researcher at ESET.
According to a scam alert published Dec. 29 by the Internet Crime Complaint
Center (IC3), the 25 most common passwords are still weak and generally do not use
mixed case or a combination of numbers and letters. The alert was based
on data compiled from law enforcement sources and user complaints submitted to
IC3. "Users have prioritized convenience over security when establishing
passwords," IC3 wrote, noting that people are creating passwords that are
easier to remember and freely sharing passwords with others.
Stratfor's Website has been down since the attack as the team rebuilds the site and
deploys security measures.
"We are currently investigating this unfortunate event and are working diligently
to prevent it from ever happening again. As a result, we have delayed restoring
our website until we can perform a thorough security review," Stratfor
told eWEEK in an email.