Analysis of the Stratfor Password List

Published: 2012-01-03
Last Updated: 2012-01-03 02:50:05 UTC
by Rick Wanner (Version: 1)
11 comment(s)

As reported on Christmas Day by Deb Hale, Stratfor had personal data of its customers compromised, including a list of 860,000 password hashes. Today Steve Ragan published an analysis of the password list. There is nothing original about the methodology used. It is very similar to what Marc Hofman described in his diary from late 2010 on measuring password security, and most likely very similar to what the bad guys will use. Unfortunately, Steve Ragan's analysis shows how poor Stratfor's password policy was, and how poor the passwords were in general. Nearly 10% of the passwords succumbed to cracking in under 5 hours. More importantly, this analysis reiterates the weakness of passwords in general and the general failure of user education in good password creation and management, highlighting that the weakest link in security is the user.

It is clear that we need to continue to work on educating the users. The minimum we need to instil in our users is:

  • reiterate good password creation and management processes
  • discourage password reuse
  • promote the use of tools like Password Safe or KeePass

It may be a difficult battle, but let's try and win it one user at a time!

-- Rick Wanner - rwanner at isc dot sans dot org - Twitter:namedeplume
