Analysis of Forbes Passwords Dumped by the SEA


Recently the Syrian Electronic Army (SEA) hacked the news site Forbes and publicly dumped more than a million records from their WordPress site. As usual we will take a look at this dump with the analysis program “Pipal”.

This password dump was a little different than the ones that we have seen in the past. As explained on Sophos’ Naked Security site, the passwords were stored encrypted in the PHPass Portable format as seen below:

You can see from this example picture from Sophos that the passwords are stored in an encrypted hash, and that each account also includes what is called a “salt”.

The hashes that we have looked at in the past didn’t have a salt. A salt is basically a random value mixed into the hash when it is created, so that each hash is unique even when two users chose the same password.

This makes cracking the passwords a lot more time consuming. Before, all we needed to do was crack one hash, and every other hash of that same password was cracked along with it.

Not so with a salted password: every hash is unique, so we have to crack each and every one individually.

So, to attempt to crack the entire million plus password hashes would have taken something like 10 years. For time and sanity’s sake, I pulled about 20,000 hashes randomly from throughout the dump.

It still took several hours to work through this list.

Whereas I have seen cracking speeds in the thousands per minute with non-salted hashes, this time it averaged about 15 per minute!
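To show why the salted PHPass Portable hashes from the Sophos write-up crack so much more slowly than the unsalted dumps, here is the portable ($P$) scheme reimplemented in Python as an added example. This is not code from the original post, from WordPress or from PHPass; the cost character, salts and passwords in the comments and test are constructed. The salt is the 8 characters after the cost character, so a cracker must redo 2^cost+1 MD5 rounds for every candidate against every user’s hash, and two users with the same password no longer share a hash.

```python
import hashlib

# PHPass' own alphabet: "$P$" + cost char + 8-char salt + 22 chars of hash
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes) -> str:
    """PHPass' little-endian base64 variant (no padding), 16 bytes -> 22 chars."""
    out, i, n = "", 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < n:
            value |= raw[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= n:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_crypt(password: str, setting: str) -> str:
    """Portable hash of `password` under the 12-char `setting` ("$P$", cost, salt).
    WordPress uses cost char 'B' (2**13 rounds); e.g. setting "$P$Babcdefgh"."""
    cost = ITOA64.index(setting[3])
    if not 7 <= cost <= 30:
        raise ValueError("invalid PHPass cost character")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()       # salt makes this per-user
    for _ in range(1 << cost):                      # key stretching, 2**cost rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Verify a candidate against a stored hash by re-hashing under its setting."""
    return phpass_crypt(password, stored[:12]) == stored


def md5_calls_per_guess(setting: str) -> int:
    """MD5 computations one candidate costs: the initial salt+password hash plus
    the 2**cost stretching rounds in phpass_crypt()."""
    return (1 << ITOA64.index(setting[3])) + 1
```

A single unsalted MD5 costs one hash per candidate and covers every user with that password; here each candidate costs md5_calls_per_guess() per user, which is where the 15 per minute figure comes from.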

So, without further ado, here are some of the results:

Top 25 passwords

millenium = 761 (4.32%)
123456 = 597 (3.39%)
password = 351 (1.99%)
q1w2e3r4 = 266 (1.51%)
123456789 = 142 (0.81%)
abc123 = 97 (0.55%)
12345678 = 92 (0.52%)
qwerty = 91 (0.52%)
987654321 = 76 (0.43%)
111111 = 68 (0.39%)
0 = 59 (0.33%)
sunshine = 56 (0.32%)
letmein = 51 (0.29%)
password1 = 48 (0.27%)
passw0rd = 44 (0.25%)
baseball = 43 (0.24%)
monkey = 42 (0.24%)
1qaz2wsx = 41 (0.23%)
abcd1234 = 41 (0.23%)
123123 = 40 (0.23%)
success = 38 (0.22%)
Password1 = 35 (0.2%)
welcome = 34 (0.19%)
1234567 = 34 (0.19%)
maggie = 33 (0.19%)

Password length (length ordered)

1 = 61 (0.35%)
2 = 2 (0.01%)
3 = 5 (0.03%)
4 = 125 (0.71%)
5 = 246 (1.4%)
6 = 7075 (40.13%)
7 = 3421 (19.41%)
8 = 4283 (24.3%)
9 = 1913 (10.85%)
10 = 390 (2.21%)
11 = 99 (0.56%)
12 = 9 (0.05%)

Length and Complexity

One to six characters = 7514 (42.62%)
One to eight characters = 15218 (86.32%)
More than eight characters = 2411 (13.68%)

Only lowercase alpha = 13198 (74.87%)
Only uppercase alpha = 7 (0.04%)
Only alpha = 13205 (74.9%)
Only numeric = 1862 (10.56%)

Conclusion

Granted, we only cracked a small portion of the list due to time constraints (because the hashes were salted), but the results look very similar to what we have seen in the past.

The top 25 passwords used, length and complexity still seem very consistent with other password dumps that we have analyzed.

The majority of passwords used were 6 to 9 characters in length and used only lower case letters.

For better security, use long complex passwords incorporating random upper and lowercase letters, numbers and symbols. Also, use a different complex password for every server or website that you use, in case passwords are compromised as in this case.

Password Analysis of Journal News LoHud Subscriber Database Dump

As usual, I like to take sanitized lists (user account information stripped) of public password dumps and analyze them for password strength and patterns. Recently the subscriber database for Journal News, Lower Hudson Valley was allegedly hacked and was published publicly online.

The dump had user account passwords stored in MD5 hashes. So they needed to be cracked before they could be analyzed.

There were about 10,000 user accounts leaked in the dump. Many had duplicate password hashes, so the duplicates were removed. I took the password hashes that had not been cracked (some were already cracked in the dump) and ran them through an MD5 hash cracker. In a couple hours I was able to retrieve just over 85% of the passwords.

In total there were 8,361 unique hashes. I was able to retrieve 7,148 in a fairly short amount of time. I then took the cracked passwords and ran them through Pipal, the password analysis program.

Here are the results from Pipal:

Top 10 words and base words used:

(Pipal chart: Base Words)

Very interesting: there are 10 passwords that are almost ALWAYS in the top ten, and none of them were in this list. Okay, “password” was used as a base word, but other than that these are all new.

Let’s take a look at the password lengths:

(Pipal charts: Password Length)

A whopping 80% of the passwords were 8 characters or less, and over 50% of the passwords only used lowercase letters!

(Pipal chart: Character Set)

A common practice is that users will use a word and stick a number or numbers on the end to “make it more secure”. About 25% of the passwords in this list used 3 or fewer numbers at the end of the password.

(Pipal charts: Last Digit Count, Last Digit on End, Single Digit on End)

And only a few passwords used the year in their password.

(Pipal chart: Top Ten Years)

Overall the users in this case seemed to use very simple passwords – mostly lower case passwords with some numbers mixed in. Using long complex passwords would have made these passwords much harder to crack.

Increasing the password length and using a mix of upper and lower case letters, numbers and special characters dramatically increases the cracking times.
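The statistics quoted in the Forbes post (top passwords, length buckets, “only lowercase alpha”) and in this one (digits stuck on the end, years) are the kind of counts Pipal produces. Here is a small Pipal-style analyzer written in Python as an added example; it is not Pipal’s code and not from the original posts, and the SAMPLE list of “cracked” passwords is constructed, not taken from any dump.

```python
import re
from collections import Counter

# Constructed sample of cracked passwords (not from any real dump), chosen so
# that every statistic below has something to count.
SAMPLE = ["millenium", "123456", "password", "q1w2e3r4", "sunshine",
          "Password1", "maggie123", "$r87*CQG>36rkM", "baseball", "0",
          "summer2012", "monkey", "monkey", "abc123", "welcome1984"]


def top_passwords(pws, n=10):
    """Most common passwords as (password, count, percent), like Pipal's Top N."""
    total = len(pws)
    return [(p, c, round(100.0 * c / total, 2))
            for p, c in Counter(pws).most_common(n)]


def length_stats(pws):
    """Number of passwords at each length, shortest length first."""
    return dict(sorted(Counter(len(p) for p in pws).items()))


def charset_stats(pws):
    """The length and character-class buckets reported in the Forbes post."""
    s = Counter()
    for p in pws:
        s["one to six characters"] += len(p) <= 6
        s["one to eight characters"] += len(p) <= 8
        s["more than eight characters"] += len(p) > 8
        s["only lowercase alpha"] += p.isalpha() and p.islower()
        s["only uppercase alpha"] += p.isalpha() and p.isupper()
        s["only alpha"] += p.isalpha()
        s["only numeric"] += p.isdigit()
    return dict(s)


def word_plus_digits(pws, max_digits=3):
    """Passwords ending in 1..max_digits digits preceded by a non-digit (the
    "word with a number stuck on the end" habit); all-digit ones don't count."""
    pat = re.compile(r"\D\d{1,%d}$" % max_digits)
    return sum(1 for p in pws if pat.search(p))


def year_stats(pws):
    """How often each 19xx/20xx year appears anywhere in a password."""
    return dict(Counter(m.group(0) for p in pws
                        for m in re.finditer(r"(?:19|20)\d\d", p)))
```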

The top 25 Worst Passwords of 2012

One thing I like to do when a new password list is dumped from a hacker attack is to analyze them for patterns with a program like Pipal. Every year Splashdata takes a look at all of the passwords dumped over the year and provides a list of the worst passwords that exist. These passwords are short, simple or easily guessable.

So without further delay, here are the top 25 passwords NOT to use on your system according to Splashdata:

#    Password    Change from 2011

1    password    Unchanged
2    123456      Unchanged
3    12345678    Unchanged
4    abc123      Up 1
5    qwerty      Down 1
6    monkey      Unchanged
7    letmein     Up 1
8    dragon      Up 2
9    111111      Up 3
10   baseball    Up 1
11   iloveyou    Up 2
12   trustno1    Down 3
13   1234567     Down 6
14   sunshine    Up 1
15   master      Down 1
16   123123      Up 4
17   welcome     New
18   shadow      Up 1
19   ashley      Down 3
20   football    Up 5
21   jesus       New
22   michael     Up 2
23   ninja       New
24   mustang     New
25   password1   New

New this year is a comparison of each password with its position from last year. As you can see, people are still using many of the same, easy to guess passwords year after year.

We have shown several password dumps analyzed with Pipal over the last few years and be it a small password dump of 20,000 or a large one of over 400,000, the top ten passwords are usually the same.

I can see why “password, 123456, and abc123” are always at the top of the list, but what in the world is people’s fascination with the password “Monkey”? It has always shown up in the top ten list of passwords used in every test that we have run.

Needless to say if you use any of these 25 passwords, change them now. Long complex passwords using upper and lower case letters, numbers and special characters are always the best way to go. As complex passwords reach 10 or greater characters the time it takes to crack them increases immensely.

On Windows based systems it is recommended to use 15 or more characters for your passwords, since on some older systems a password of 14 characters or less can be cracked in a very short amount of time (as few as 5 seconds!) if the password hashes can be obtained and the system allows weak LM hashes.

Yahoo Password Dump Analyzed

Wow, not one, but two password dumps in one day. Hackers leaked a very large number of Billabong and Yahoo passwords in plain text with no need to try to crack them. We looked at the Billabong one earlier today using the password analysis tool Pipal, now let’s take a look at the Yahoo dump.

This one is huge, almost 450,000 users. Numerous reports say that most of the leaked accounts were not active, but the latest reports are saying that many of the leaked passwords were also passwords to other sites. According to ABC News:

“Some of the Yahoo Voices’ accounts listed email addresses with AOL, Gmail, Hotmail and Windows Live. Security firm Sucuri said that more than 100,000 Gmail addresses were included in the breach.”

Take into account that many people never change their passwords, or reuse the same password at multiple sites, and this is very concerning. Well, let’s go ahead and take a look at the dump as analyzed with Pipal.

Here are the top 7 Password Lengths:

The Complexity of the Passwords:

And Character Sets Used:

And as always, for some odd reason the password “monkey” always seems to show up in the top 10 lists. But this time it did not make it as a top 10 password:

It seems to have been supplanted by the password “0”. Two hundred and two people actually used “0” as a password!

Okay for the record, “monkey” was not a complete no-show. It was one of the top 10 base words!

It beat out Jesus, love, money and ninja!

All joking aside, what is bothersome is that some of the passwords leaked are pretty good passwords.

Check these out:

  • $coreS1BgM0rsl4me
  • $r87*CQG>36rkM

These would have taken a long time to crack if they had to be cracked manually. But here is the kicker: because the database that held the passwords was compromised via SQL injection, the hackers were able to grab the contents of the entire database. It doesn’t matter that some of the users had 17+ character complex passwords. There was a web application security issue that led to the entire account database being dumped.

This really should drive home the importance of using good security measures at the network and especially the application server levels.