Analysis of Forbes Passwords Dumped by the SEA

SEA Forbes

Recently the Syrian Electronic Army (SEA) hacked the news site Forbes and publicly dumped more than a million records from its WordPress site. As usual we will take a look at this dump with the password analysis program “Pipal”.

This password dump was a little different from the ones we have seen in the past. As explained on Sophos’ Naked Security site, the passwords were not stored in the clear but as salted hashes in the PHPass Portable format, as seen below:

You can see from this example picture from Sophos that what is stored is a hash of the password, not the password itself, and that each account record also carries what is called a “salt”.

The hashes that we have looked at in the past didn’t have a salt. A salt is a random value that is mixed into the password before it is hashed, so that two accounts with the same password end up with two different hashes.

This makes cracking the passwords a lot more time consuming. With unsalted hashes all we needed to do was hash each candidate password once and compare it against every hash in the dump, so one hit recovered every account that used that same password (and precomputed tables work for the same reason).

Not so with salted hashes: every hash has to be attacked on its own, and the PHPass Portable format makes each attempt slower again by iterating MD5 many times (a WordPress hash starts with $P$B, where B encodes 2^13 = 8192 rounds).

So, attempting to crack the entire million-plus password hashes would have taken something like 10 years. For time’s (and sanity’s) sake, I pulled about 20,000 hashes randomly from throughout the dump.

It still took several hours to work through this list.

Where I have seen cracking speeds in the thousands per minute on non-salted hashes, this time it averaged about 15 per minute!
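To make the format and the extra work concrete, here is an added example (written for this post, not code from Forbes, WordPress or Sophos) that reimplements the PHPass portable hash in Python and then runs one small wordlist against an unsalted MD5 dump and against a PHPass dump of the same accounts. The accounts, passwords, salts and wordlist are constructed for the demo; the only real value is the test vector for “test12345”, which comes from the test.php shipped with phpass. WordPress instantiates phpass with a cost of 13 (the letter B after $P$); the demo uses a cost of 8 so it finishes instantly.

```python
import hashlib
import hmac
import os

# phpass alphabet: '.' and '/' come first, so '9' is index 11 and 'B' is index 13.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own base-64 variant (not RFC 4648): packs bytes least-significant bits first."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password, setting):
    """Recompute a phpass portable hash from its 12-char setting: "$P$" + cost char + 8-char salt.

    h = md5(salt + pw), then 2**cost rounds of h = md5(h + pw); the 16-byte result is
    encoded with _encode64 and appended to the setting, giving the 34-char stored string.
    """
    if setting[:3] not in ("$P$", "$H$"):   # "$H$" is phpBB's prefix for the same scheme
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password, count_log2=13, salt=None):
    """Create a fresh hash. WordPress uses count_log2 = 13 ('B'), i.e. 8192 MD5 rounds."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)          # 6 random bytes -> 8 salt characters
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_check(password, stored):
    """Verify a password against a stored hash; the stored string carries its own cost and salt."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def crack_unsalted(dump, wordlist):
    """Unsalted MD5: hash each candidate once and match it against every account at the same time."""
    cracked, md5_calls = {}, 0
    for cand in wordlist:
        md5_calls += 1
        digest = hashlib.md5(cand.encode()).hexdigest()
        for user, stored in dump.items():
            if stored == digest:
                cracked[user] = cand
    return cracked, len(wordlist), md5_calls


def crack_phpass(dump, wordlist):
    """Salted and iterated: every (account, candidate) pair is a separate 2**cost + 1 MD5 run."""
    cracked, attempts, md5_calls = {}, 0, 0
    for user, stored in dump.items():
        rounds = (1 << ITOA64.index(stored[3])) + 1
        for cand in wordlist:
            attempts += 1
            md5_calls += rounds
            if phpass_crypt(cand, stored) == stored:
                cracked[user] = cand
                break
    return cracked, attempts, md5_calls


# Constructed sample data (not from the Forbes dump): five accounts, three sharing a password.
WORDLIST = ["123456", "password", "millenium", "letmein", "qwerty"]
PLAINTEXTS = {"alice": "millenium", "bob": "millenium", "carol": "millenium",
              "dave": "letmein", "erin": "correct horse battery"}


def compare_work(count_log2=8):
    """Return (accounts cracked, candidate attempts, MD5 calls) for the unsalted and the phpass dump."""
    unsalted = {u: hashlib.md5(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}
    salted = {u: phpass_hash(p, count_log2) for u, p in PLAINTEXTS.items()}
    c1, a1, m1 = crack_unsalted(unsalted, WORDLIST)
    c2, a2, m2 = crack_phpass(salted, WORDLIST)
    return (len(c1), a1, m1), (len(c2), a2, m2)


if __name__ == "__main__":
    print(phpass_hash("millenium"))          # a WordPress-style $P$B... hash, new salt each run
    print(compare_work())
```

Both runs recover the same four accounts, but the unsalted dump falls to five MD5 calls in total, while the PHPass dump needs one full iterated run per account per candidate; at WordPress’s cost of 13 each of those attempts is 8193 MD5 calls, which is the gap between thousands per minute and fifteen per minute.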

So, without further ado, here are some of the results. The percentages are relative to the 17,629 hashes that cracked, which is also why the length and complexity counts below add up to that figure:

Top 25 passwords

millenium = 761 (4.32%)
123456 = 597 (3.39%)
password = 351 (1.99%)
q1w2e3r4 = 266 (1.51%)
123456789 = 142 (0.81%)
abc123 = 97 (0.55%)
12345678 = 92 (0.52%)
qwerty = 91 (0.52%)
987654321 = 76 (0.43%)
111111 = 68 (0.39%)
0 = 59 (0.33%)
sunshine = 56 (0.32%)
letmein = 51 (0.29%)
password1 = 48 (0.27%)
passw0rd = 44 (0.25%)
baseball = 43 (0.24%)
monkey = 42 (0.24%)
1qaz2wsx = 41 (0.23%)
abcd1234 = 41 (0.23%)
123123 = 40 (0.23%)
success = 38 (0.22%)
Password1 = 35 (0.2%)
welcome = 34 (0.19%)
1234567 = 34 (0.19%)
maggie = 33 (0.19%)

Password length (length ordered)

1 = 61 (0.35%)
2 = 2 (0.01%)
3 = 5 (0.03%)
4 = 125 (0.71%)
5 = 246 (1.4%)
6 = 7075 (40.13%)
7 = 3421 (19.41%)
8 = 4283 (24.3%)
9 = 1913 (10.85%)
10 = 390 (2.21%)
11 = 99 (0.56%)
12 = 9 (0.05%)

Length and Complexity

One to six characters = 7514 (42.62%)
One to eight characters = 15218 (86.32%)
More than eight characters = 2411 (13.68%)

Only lowercase alpha = 13198 (74.87%)
Only uppercase alpha = 7 (0.04%)
Only alpha = 13205 (74.9%)
Only numeric = 1862 (10.56%)

Conclusion

Granted, we only cracked a small portion of the list due to time constraints (because the hashes were salted and iterated), but the results look very similar to what we have seen in the past.

The top 25 passwords used, length and complexity still seem very consistent with other password dumps that we have analyzed.

The large majority of cracked passwords were 6 to 9 characters long, and about three quarters used only lower case letters.

For better security, use long, complex passwords that mix upper and lower case letters, numbers and symbols. Also use a different password for every server or website, so that one site’s breach, as in this case, does not hand an attacker your other accounts.

~ by D. Dieterle on February 24, 2014.
