Researcher: Many Stratfor passwords are weak

The preliminary results are not terribly surprising: many of the passwords are simple and weak

At Utah Valley University, 120 computers are now working to crack the hashed passwords exposed by the hack of Stratfor Global Intelligence, one of the most significant data breaches of last year.

After the breach occurred over Christmas, the Utah researchers launched a project to study what kinds of passwords people use and whether those passwords are complex enough to thwart all but the most determined attackers.

Hackers believed to be affiliated with Anonymous released the names, email addresses, credit-card numbers and hashed passwords of people who had registered with Stratfor, a leading think tank based in Austin, Texas.

The data dump is significant due to Stratfor's high-end clientele, including many people in the U.S. military, government organizations such as the U.S. State Department, international banks including Bank of America and JP Morgan Chase and technology giants IBM and Microsoft.

While the credit-card data, some of which was outdated, might briefly profit cybercriminals, the email addresses and hashed passwords are far more valuable to nation-states seeking to electronically infiltrate organizations over the long term.

Since the email addresses of hundreds of thousands of people were revealed, those people can be targeted by email with malicious software, said Kevin Young, area IT director and an adjunct professor who teaches information security at Utah Valley University.

The second major threat from the Stratfor breach is how many of the passwords were quite simple and easy to decode, he said. That's dangerous, since some people are likely to reuse the same password on systems that hold sensitive information.

Rather than store passwords in clear text, which is considered dangerous, Stratfor stored a cryptographic representation of each password called an MD5 hash. Hashing is better than clear text, since the password cannot be read directly from the stored value, but MD5 is a fast general-purpose hash that was not designed for password storage: a modest GPU can test billions of guesses per second against it, and unsalted MD5 hashes let a cracker check each guess against every account at once. Young set up the 120 computers to crack the MD5 hashes released by the hackers.

With modest computing power and password-cracking programs, many of those MD5 hashes can be matched back to their original password. The simpler and shorter the password, the faster it is recovered.

Young said he has been able to decode upwards of 160,000 passwords from Stratfor, many belonging to people in organizations such as the U.S. Marine Corps who "should know better."

The passwords will not be released by Young for ethical reasons, but will be used as part of a study of trends in how people pick passwords and how resistant those passwords are to cracking attempts.

The tools that Young is using show why people should pick passwords that are both long and varied: at least eight or nine characters, with a mix of upper- and lower-case letters, numbers and punctuation, rather than a dictionary word with a couple of digits tacked on.

Young is using "John the Ripper" -- a well-known cracking application that runs on a regular PC -- and "oclhashcat," a program designed to use the accelerated calculating speed of graphics processors. John the Ripper produces some eight to 10 billion passwords a second, while oclhashcat, using a graphics processor, can produce up to 62 billion combinations per second, he said.

Both tools compute the MD5 hash of each entry in a word list and compare the results against the leaked hashes; the person running the attack defines mangling rules that generate variations of each word, such as changing case or appending digits. Young also used password lists from other noted data breaches, including Sony (17,000 passwords), RockYou (14 million), phpBB (278,000) and MySpace (36,000).

Lists from earlier breaches are useful because people tend to pick the same easy passwords, so a word that cracked one site's hashes will often crack another's. Stratfor's data didn't disappoint: Young found that many of its passwords were contained in the lists from other breaches, such as "jasper10," "swordfish" and "green101."
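The word-list attack described above, and the reason the MD5 storage discussed earlier is weak, can be seen in a few dozen lines. The block below is an added example and not code from the article or from the Utah Valley University project: it runs a small dictionary attack with John/hashcat-style mangling rules against constructed, unsalted MD5 hashes, then runs the same guesses against a salted, deliberately slow PBKDF2 scheme to show how the work changes. The users, passwords and word list are constructed for the example; the salted scheme is a standard alternative used for contrast, not something the article says Stratfor used.

```python
"""Dictionary attack with mangling rules against unsalted MD5 password hashes,
beside the same attack against a salted, deliberately slow scheme.

Added example; not code from the article or from the researchers' project.
Users, passwords and the word list are constructed for this example."""
import hashlib
import itertools
import os
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for a leaked dump. A cracker only receives the hex
# digests; the plaintexts are kept here so the example runs stand-alone.
SAMPLE_PLAINTEXTS = {
    "alice@example.com": "swordfish",
    "bob@example.com": "jasper10",
    "carol@example.com": "green101",
    "dave@example.com": "Tr0ub4dor&3",  # not reachable from WORDLIST + rules
}
LEAKED_MD5: Dict[str, str] = {
    user: hashlib.md5(pw.encode()).hexdigest()
    for user, pw in SAMPLE_PLAINTEXTS.items()
}

# Tiny constructed stand-in for a breach-derived list such as RockYou.
WORDLIST = ["password", "swordfish", "jasper", "green", "letmein", "marine"]


def mangle(word: str):
    """Rules in the style of John/hashcat: the word as-is and capitalised,
    each also with one, two or three trailing digits (the shape of 'jasper10')."""
    for base in (word, word.capitalize()):
        yield base
        for width in (1, 2, 3):
            for digits in itertools.product("0123456789", repeat=width):
                yield base + "".join(digits)


def candidates(wordlist: Iterable[str]) -> List[str]:
    return [guess for word in wordlist for guess in mangle(word)]


def crack_unsalted_md5(leaked: Dict[str, str],
                       wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Return ({user: recovered password}, number of MD5 computations).

    With no salt, one MD5 per guess is looked up against every account at
    once, so the work does not grow with the number of users."""
    users_by_hash: Dict[str, List[str]] = {}
    for user, digest in leaked.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked: Dict[str, str] = {}
    work = 0
    for guess in candidates(wordlist):
        work += 1
        digest = hashlib.md5(guess.encode()).hexdigest()
        for user in users_by_hash.get(digest, ()):
            cracked[user] = guess
    return cracked, work


def store_salted(password: str, iterations: int) -> Tuple[bytes, bytes]:
    """Random per-user salt plus slow PBKDF2-HMAC-SHA256; production uses
    hundreds of thousands of iterations, kept as a parameter for speed here."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(records: Dict[str, Tuple[bytes, bytes]], wordlist: Iterable[str],
                 iterations: int) -> Tuple[Dict[str, str], int]:
    """Same guesses against salted PBKDF2. Every guess must be rehashed per
    user because the salts differ, and each rehash costs `iterations` HMAC
    rounds. The full pass is counted so the comparison with MD5 is exact."""
    guesses = candidates(wordlist)
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in records.items():
        for guess in guesses:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations) == digest:
                cracked[user] = guess
    return cracked, work


def compare(iterations: int = 10) -> Dict[str, object]:
    """Run both attacks on the constructed data and report the work done."""
    md5_cracked, md5_work = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    records = {u: store_salted(p, iterations) for u, p in SAMPLE_PLAINTEXTS.items()}
    pbkdf2_cracked, pbkdf2_work = crack_salted(records, WORDLIST, iterations)
    return {
        "md5_cracked": md5_cracked,
        "md5_hashes_computed": md5_work,
        "pbkdf2_cracked": pbkdf2_cracked,
        "pbkdf2_hashes_computed": pbkdf2_work,
        "pbkdf2_hmac_rounds": pbkdf2_work * iterations,  # the real cost multiplier
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The six base words expand to 13,332 guesses. Against unsalted MD5 each guess is hashed once and checked against all four accounts, and the three dictionary-derived passwords fall immediately. Against the salted scheme the same guesses recover the same three passwords, but every guess has to be recomputed for every user and each computation costs the configured number of HMAC rounds, which is what turns the billions of guesses per second quoted in the article into thousands.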

Young said his team has only a small budget and will probably exhaust lower-case passwords of up to eight characters. Beyond that, more computing power is needed: just enumerating all of the possible lower-case combinations for a 10-character word starting with "A" would amount to some 2.2 TB of data, Young said. The full set of candidate strings that must be tried, the keyspace, is referred to as the "word size."

Nation-states would easily have the computing muscle. Young said his 120 computers are "nothing compared to what a concentrated attack from the NSA or China or North Korea could throw at this."


Jeremy Kirk

IDG News Service