Shmoocon Stratfor Password Analysis

Chris Truncer presented an interesting analysis of the Stratfor password dump at Shmoocon. When Strategic Forecasting Inc (Stratfor) was hacked, the hacktivist group Anonymous released hundreds of thousands of users’ accounts, including usernames, credit card numbers and hashed versions of the users’ passwords.

At the recent Shmoocon security conference (video above), Chris Truncer presented a short analysis of this password dump. Using oclhashcat-plus, Chris was able to crack about 70% of the password hashes that were publicly released. He then analyzed the cracked passwords with the password analysis program Pipal, which searches password lists and returns several statistics, such as the most-used passwords and character-use percentages.
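A minimal sketch of the kind of statistics described above (most-used passwords and character-use percentages), useful when auditing the results of an internal password review. This is an added example, not Pipal's code and not part of the original post; the function names and the sample list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input; not taken from any real password dump.
SAMPLE = [
    "password", "password", "Password1", "123456", "123456", "123456",
    "letmein", "qwerty12", "Summer2011!", "dragon", "abc123", "monkey",
]

CLASSES = [("lower", r"[a-z]"), ("upper", r"[A-Z]"),
           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")]

def charset(pw):
    """Name the character classes a password uses, e.g. 'lower+digit'."""
    return "+".join(name for name, pat in CLASSES if re.search(pat, pw))

def base_word(pw):
    """Lower-case the password and drop trailing digits/symbols."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower()

def analyze(passwords, top_n=5):
    """Return frequency, length and character-class statistics."""
    total = len(passwords)
    if total == 0:
        raise ValueError("empty password list")
    pct = lambda n: round(100.0 * n / total, 1)
    counts = Counter(passwords)
    # Collapse variants such as "Password1" and "password" to one base word.
    bases = Counter(b for b in map(base_word, passwords) if b)
    sets = Counter(charset(p) for p in passwords)
    return {
        "total": total,
        "unique": len(counts),
        "top_passwords": [(p, n, pct(n)) for p, n in counts.most_common(top_n)],
        "top_base_words": bases.most_common(top_n),
        "lengths": dict(Counter(len(p) for p in passwords)),
        "charsets": {name: pct(n) for name, n in sets.items()},
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The base-word count shows how capitalised and digit-suffixed variants of one word add up, which a plain top-ten list hides.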

Though the top ten passwords used didn’t seem to match the top passwords from last year, it is interesting to note that when users received a password from Stratfor, apparently many never changed it, or worse, many changed it to something less secure.


