UPDATE: Stats have been updated down below based off of my latest findings from 2/6/2012. I’ve also posted a video from my talk I gave on Stratfor and a GPU cracking method from Shmoocon Epilogue.

Ever since CarolinaCon of last year, it has become a hobby of mine to crack password hashes. When a company needs to store user passwords, the plain text password is not stored, but typically rather a hash of the password is what is actually stored. Hash cracking is the process of taking a cryptographic hash (MD5, SHA-1, SHA-2, etc.) and using multiple techniques to discover the word that was used to create the hash. Hash cracking can provide educational value because it can allow developers/security architects discover the amount of time it can take for an attacker to discover the plain text password from a hash, and adjust their hashing algorithm accordingly to ensure it is secure. Additionally, hash cracking can be used as a method of auditing passwords employed by users to ensure that they meet specific password requirements.

Hash cracking has become significantly easier to perform because of the capability to offload the processing required to crack a hash onto a GPU. GPU based cracking has significantly increased the speeds at which hashes are able to be cracked either via dictionary file word mutations or the tried and true brute force method.

So, as I’m sure many of you know, Stratfor (a company which provides independent analysis on world events/trends) was hacked over the winter holiday season. When Stratfor was hacked, the attackers were able to dump a significant portion of their database. Unfortunately, Stratfor actually used very few industry best practices when it came to securing customer data. For example, all customer credit card data was stored without being encrypted in any format. This included name, address, credit card number, expiration, and CVV code. Additionally, the attackers were able to dump other customer information such as full name, e-mail address, username, password, etc.

Since the password hashes were released and made public, I gathered them and began the process of cracking them. I did this not because I had any malicious intentions or plans to harm anyone, but because I think it’s interesting to understand how people choose passwords, and to discover any security lessons that can be uncovered via cracking a group of hashes.

Over a process of several days, I’ve been able to discover a significant amount of the passwords that were being used (which I later discarded), and here’s some notes:

Customers did not want to change the default password that was given to them. It appears that when a customer signs up, Stratfor assigns them an alphanumeric password that is 8 characters long. It is composed only of lower case characters, upper case characters, or numerical digits. Probably 70% of Stratfor’s customers did not change this password.

A other users did change their passwords, however they were unfortunately easily discovered. The passwords used were primarily dictionary based with small (if any) mutations implemented. For example, someone might have use p@ssword instead of password.

Unfortunately, there were users who changed their password from the 8 character alphanumeric password down to a single letter.

After I was able to crack a portion of the hashes, I ran a tool against the passwords that were found called Pipal. Pipal is a great tool that is capable of analyzing passwords in a list and producing useful statistics about the discovered passwords for the researcher to discover trends that might be in use. The following excerpts are some statistics that have been found after running Pipal on the passwords I have cracked so far:

Total entries = 815147 Total unique entries = 701257 Top 10 passwords David = 4 (0.0%) 22 = 4 (0.0%) bill = 4 (0.0%) John3 = 4 (0.0%) Brendan1 = 4 (0.0%) Patches1 = 4 (0.0%) Christina = 4 (0.0%) Romans8 = 3 (0.0%) Romans1 = 3 (0.0%) Joseph = 3 (0.0%) Top 10 base words stratfor = 347 (0.04%) strat = 201 (0.02%) password = 137 (0.02%) intel = 118 (0.01%) mike = 116 (0.01%) alex = 112 (0.01%) john = 107 (0.01%) blue = 100 (0.01%) ranger = 89 (0.01%) qwerty = 87 (0.01%) Password length (length ordered) 1 = 51 (0.01%) 2 = 72 (0.01%) 3 = 395 (0.05%) 4 = 4619 (0.57%) 5 = 5943 (0.73%) 6 = 48052 (5.89%) 7 = 35238 (4.32%) 8 = 682603 (83.74%) 9 = 19870 (2.44%) 10 = 10817 (1.33%) 11 = 4172 (0.51%) 12 = 2041 (0.25%) 13 = 648 (0.08%) 14 = 410 (0.05%) 15 = 231 (0.03%) Password length (count ordered) 8 = 682603 (83.74%) 6 = 48052 (5.89%) 7 = 35238 (4.32%) 9 = 19870 (2.44%) 10 = 10817 (1.33%) 5 = 5943 (0.73%) 4 = 4619 (0.57%) 11 = 4172 (0.51%) 12 = 2041 (0.25%) 13 = 648 (0.08%) 14 = 410 (0.05%) 3 = 395 (0.05%) 15 = 231 (0.03%) 2 = 72 (0.01%) 1 = 51 (0.01%) | | | | | | | | | | | | | | | | |||||||||||||||| 0000000000111111 0123456789012345 One to six characters = 59126 (7.25%) One to eight characters = 776965 (95.32%) More than eight characters = 38182 (4.68%) Only lowercase alpha = 59099 (7.25%) Only uppercase alpha = 2119 (0.26%) Only alpha = 61218 (7.51%) Only numeric = 14019 (1.72%) First capital last symbol = 3162 (0.39%) First capital last number = 53073 (6.51%) Months january = 23 (0.0%) february = 4 (0.0%) march = 69 (0.01%) april = 80 (0.01%) may = 401 (0.05%) june = 107 (0.01%) july = 91 (0.01%) august = 56 (0.01%) september = 15 (0.0%) october = 30 (0.0%) november = 17 (0.0%) december = 22 (0.0%) Days monday = 24 (0.0%) tuesday = 5 (0.0%) wednesday = 4 (0.0%) thursday = 2 (0.0%) friday = 33 (0.0%) saturday = 4 (0.0%) sunday = 13 (0.0%) Months (Abreviated) jan = 613 (0.08%) feb = 204 (0.03%) mar = 2291 (0.28%) apr = 327 (0.04%) may = 401 (0.05%) jun = 426 (0.05%) jul = 362 (0.04%) aug = 314 (0.04%) sept = 63 (0.01%) oct = 243 (0.03%) nov = 273 (0.03%) dec = 323 (0.04%) Days (Abreviated) mon = 1125 (0.14%) tues = 6 (0.0%) wed = 233 (0.03%) thurs = 8 (0.0%) fri = 328 (0.04%) sat = 354 (0.04%) sun = 518 (0.06%) Includes years 1975 = 122 (0.01%) 1976 = 105 (0.01%) 1977 = 106 (0.01%) 1978 = 105 (0.01%) 1979 = 88 (0.01%) 1980 = 106 (0.01%) 1981 = 127 (0.02%) 1982 = 131 (0.02%) 1983 = 111 (0.01%) 1984 = 153 (0.02%) 1985 = 129 (0.02%) 1986 = 102 (0.01%) 1987 = 96 (0.01%) 1988 = 113 (0.01%) 1989 = 75 (0.01%) 1990 = 90 (0.01%) 1991 = 77 (0.01%) 1992 = 68 (0.01%) 1993 = 55 (0.01%) 1994 = 39 (0.0%) 1995 = 72 (0.01%) 1996 = 60 (0.01%) 1997 = 69 (0.01%) 1998 = 62 (0.01%) 1999 = 89 (0.01%) 2000 = 368 (0.05%) 2001 = 219 (0.03%) 2002 = 150 (0.02%) 2003 = 140 (0.02%) 2004 = 166 (0.02%) 2005 = 207 (0.03%) 2006 = 199 (0.02%) 2007 = 197 (0.02%) 2008 = 234 (0.03%) 2009 = 343 (0.04%) 2010 = 464 (0.06%) 2011 = 336 (0.04%) 2012 = 67 (0.01%) 2013 = 17 (0.0%) 2014 = 20 (0.0%) 2015 = 13 (0.0%) 2016 = 23 (0.0%) 2017 = 16 (0.0%) 2018 = 10 (0.0%) 2019 = 23 (0.0%) 2020 = 70 (0.01%) Years (Top 10) 2010 = 464 (0.06%) 2000 = 368 (0.05%) 2009 = 343 (0.04%) 2011 = 336 (0.04%) 2008 = 234 (0.03%) 2001 = 219 (0.03%) 2005 = 207 (0.03%) 2006 = 199 (0.02%) 2007 = 197 (0.02%) 2004 = 166 (0.02%) Single digit on the end = 94421 (11.58%) Two digits on the end = 39271 (4.82%) Three digits on the end = 12636 (1.55%) Last number 0 = 9243 (1.13%) 1 = 23350 (2.86%) 2 = 21082 (2.59%) 3 = 21283 (2.61%) 4 = 17841 (2.19%) 5 = 18162 (2.23%) 6 = 17410 (2.14%) 7 = 18677 (2.29%) 8 = 17503 (2.15%) 9 = 18617 (2.28%) | ||| ||| ||||| | | ||||||||| ||||||||| ||||||||| ||||||||| ||||||||| |||||||||| |||||||||| |||||||||| |||||||||| |||||||||| |||||||||| |||||||||| 0123456789 Last digit 1 = 23350 (2.86%) 3 = 21283 (2.61%) 2 = 21082 (2.59%) 7 = 18677 (2.29%) 9 = 18617 (2.28%) 5 = 18162 (2.23%) 4 = 17841 (2.19%) 8 = 17503 (2.15%) 6 = 17410 (2.14%) 0 = 9243 (1.13%) Last 2 digits (Top 10) 23 = 3833 (0.47%) 11 = 3086 (0.38%) 01 = 3064 (0.38%) 12 = 2413 (0.3%) 00 = 2371 (0.29%) 10 = 1859 (0.23%) 99 = 1802 (0.22%) 77 = 1540 (0.19%) 22 = 1478 (0.18%) 34 = 1400 (0.17%) Last 3 digits (Top 10) 123 = 2798 (0.34%) 000 = 753 (0.09%) 234 = 748 (0.09%) 007 = 612 (0.08%) 111 = 573 (0.07%) 001 = 532 (0.07%) 010 = 461 (0.06%) 777 = 404 (0.05%) 009 = 358 (0.04%) 999 = 332 (0.04%) Last 4 digits (Top 10) 1234 = 669 (0.08%) 2010 = 366 (0.04%) 2000 = 323 (0.04%) 2009 = 305 (0.04%) 2011 = 257 (0.03%) 2008 = 196 (0.02%) 2001 = 181 (0.02%) 2345 = 179 (0.02%) 2005 = 173 (0.02%) 2006 = 172 (0.02%) Last 5 digits (Top 10) 12345 = 162 (0.02%) 23456 = 84 (0.01%) 54321 = 37 (0.0%) 00000 = 31 (0.0%) 11111 = 26 (0.0%) 99999 = 17 (0.0%) 77777 = 16 (0.0%) 33333 = 16 (0.0%) 45678 = 15 (0.0%) 20000 = 14 (0.0%) Character sets mixedalphanum: 438261 (53.76%) mixedalpha: 192042 (23.56%) loweralphanum: 90324 (11.08%) loweralpha: 59099 (7.25%) numeric: 14019 (1.72%) upperalphanum: 9986 (1.23%) mixedalphaspecialnum: 6362 (0.78%) upperalpha: 2119 (0.26%) loweralphaspecialnum: 1427 (0.18%) loweralphaspecial: 947 (0.12%) mixedalphaspecial: 265 (0.03%) specialnum: 116 (0.01%) upperalphaspecialnum: 50 (0.01%) special: 24 (0.0%) upperalphaspecial: 22 (0.0%) Character set ordering allstring: 253260 (31.07%) stringdigitstring: 221613 (27.19%) othermask: 156529 (19.2%) stringdigit: 112163 (13.76%) digitstring: 45284 (5.56%) alldigit: 14019 (1.72%) digitstringdigit: 9106 (1.12%) stringspecialdigit: 2254 (0.28%) stringspecial: 440 (0.05%) stringspecialstring: 329 (0.04%) specialstring: 80 (0.01%) specialstringspecial: 46 (0.01%) allspecial: 24 (0.0%) Hashcat masks (Top 10) ?l?l?l?l?l?l: 18062 (2.22%) ?l?l?l?l?l?l?l?l: 14903 (1.83%) ?l?l?l?l?l?l?l: 10863 (1.33%) ?l?l?l?l?l?l?d?d: 9241 (1.13%) ?d?d?d?d?d?d: 6106 (0.75%) ?l?l?l?l?d?d?d?d: 5063 (0.62%) ?l?l?l?l?l?l?l?l?l: 5063 (0.62%) ?l?l?l?l?l?l?l?d: 4549 (0.56%) ?l?l?l?l?l?d?d: 3868 (0.47%) ?l?l?l?l?l?d: 3846 (0.47%)