Monday, December 26, 2011

Stratfor Confidential Customers' Password Analysis

As you may have already heard, Stratfor, the global security intelligence provider, was compromised by AntiSec over Christmas, on December 24th. Among its services are daily intelligence briefings about security and international affairs.
Stratfor's client list was confidential, and the company's publicity claims Fortune 500 companies and international government agencies as customers.
The client list is no longer confidential since last Saturday the 24th, when the AntiSec group published the following info: customers' names, e-mails and passwords.

Given the nature of the services provided by Stratfor and the customers it has, I was very interested in finding out how good the information security posture of these customers, who access high-value intelligence information, is when it comes to password complexity.

The results after some quick research are, as you may have guessed, interesting:

I processed a dump of 10,258 items, and the drill-down is as follows:





86% of the passwords are eight characters long or shorter. Taking into account that the majority of them are alphanumeric, this leads us to a keyspace of:

36^8 (English keyboard, letters + numbers)

Remember that password strength is technically determined by what is called the keyspace. The keyspace is represented mathematically as X^L, where X is the number of possible characters that can appear in the password and L is its length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.

Therefore, with current online or basic cracking tools, 99.97% of Stratfor's users' passwords will last 60 seconds before being cracked.
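As an added illustration (not part of the original post), the following Python computes the keyspace X^L from the paragraph above and compares the two ways of growing it: one more symbol in the charset versus one more position in the password. The guess rate in the `__main__` block is an assumed figure for the sake of the calculation, not a measurement of any tool.

```python
def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords X^L for a charset of size X and length L."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given (assumed) guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def growth_from_one_more_symbol(charset_size: int, length: int) -> float:
    """Factor by which the keyspace grows when one symbol is added to the charset."""
    return keyspace(charset_size + 1, length) / keyspace(charset_size, length)


def growth_from_one_more_position(charset_size: int, length: int) -> float:
    """Factor by which the keyspace grows when the password gets one character longer."""
    return keyspace(charset_size, length + 1) / keyspace(charset_size, length)


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, chosen for illustration only
    print(f"{'X':>3} {'L':>3} {'keyspace':>20} {'seconds @1e9/s':>16}")
    for x, l in [(10, 6), (26, 8), (36, 8), (36, 9), (62, 8), (95, 12)]:
        print(f"{x:>3} {l:>3} {keyspace(x, l):>20} {seconds_to_exhaust(x, l, RATE):>16.1f}")
    # Character for character: one more position multiplies by X (36 here),
    # one more symbol only multiplies by (37/36)^8, about 1.25.
    print("one more position:", growth_from_one_more_position(36, 8))
    print("one more symbol:  ", round(growth_from_one_more_symbol(36, 8), 3))
```

Run it as a script to print the table; the two growth functions are what make the "changes in L beat changes in X" point concrete.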

For some other stats you are invited to check http://www.lockdown.co.uk/?pg=combi, where there is more detailed research on the amount of time required for a computer to crack passwords of different complexities.

But let's move on to some other juicy info taken from the research:

Top 30 Passwords

Count  Password
  418  stratfor
   71  123456
   50  stratfor1
   45  1234
   39  password
   28  strat4
   27  1qaz2wsx
   15  changeme
   12  samsam
   10  baseball
    9  charlie
    9  testing
    8  abc123
    8  trustno1
    7  qwerty
    7  research
    6  21937
    6  andrea
    6  password1
    6  qqq111
    6  STRATFOR
    5  12345
    5  12345678
    5  alex
    5  dragon
    5  golfer
    5  london
    4  111111
    4  333333
    4  andrew
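The kind of drill-down shown above (length distribution, share of short passwords, top-N list, passwords built from the site name) is easy to reproduce on any credential dump. The Python below is an added example, not the post's own script, and runs over a small constructed sample rather than the real leaked data; the per-password keyspace estimate uses the X^L rule from earlier in the post, with X estimated from the character classes the password actually contains.

```python
from collections import Counter

# Constructed sample standing in for a leaked dump; none of these are real records.
SAMPLE_PASSWORDS = [
    "stratfor", "stratfor", "stratfor1", "123456", "password", "Str@tf0r2011",
    "abc123", "1qaz2wsx", "changeme", "baseball", "CorrectHorseBatteryStaple",
    "stratfor", "123456", "golfer", "Tr0ub4dor&3", "london",
]

ALNUM_8 = 36 ** 8  # the reference keyspace from the post: letters + digits, 8 long


def char_class_size(pw: str) -> int:
    """Estimate X, the charset an attacker must cover, from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def estimated_keyspace(pw: str) -> int:
    """X^L for this password, using the estimated charset and its actual length."""
    return char_class_size(pw) ** len(pw)


def analyse(passwords, site_name="stratfor", top_n=5, max_len=8):
    """Summarise a dump the way the post does: lengths, short share, top list."""
    total = len(passwords)
    lengths = Counter(len(p) for p in passwords)
    short = sum(1 for p in passwords if len(p) <= max_len)
    site_related = sum(1 for p in passwords if site_name in p.lower())
    weak_space = sum(1 for p in passwords if estimated_keyspace(p) <= ALNUM_8)
    return {
        "total": total,
        "length_histogram": dict(sorted(lengths.items())),
        "share_at_most_8": short / total,
        "share_containing_site_name": site_related / total,
        "share_within_alnum8_keyspace": weak_space / total,
        "top": Counter(passwords).most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Point the `analyse` function at a list read from a file and it gives the same kind of figures quoted in the post; the site-name check is the one that flags "stratfor"-derived passwords.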



What I found really amazing was the number of passwords containing or simply being "stratfor", and the always time-saving 123456 or abc123.



This is really interesting since, if you think about it, most people in charge of getting this type of security intelligence report are either related to the army or government, or are related somehow to the INFOSEC industry, AKA CISOs, BISOs, CISSPs et al. Therefore it is really impressive how weak their password security posture is; again, this confirms that the weakest link in the security chain is the human factor.

Of course, if you're a Stratfor customer reading this post, I'd strongly recommend that you change your passwords if you are reusing any of these credentials on other Internet services. In addition, you should expect a zillion phishing, virus and scam e-mails in the next few days, since your e-mail address has been published, among other things.

So how strong is your password?