Utah Valley University researchers have analysed the many hundreds of thousands of Stratfor user account credentials that were exposed when Anonymous hacked the company late last year, and found that weak passwords were widespread.
After crunching the data on its 120-strong computer network, the University found that the users of Stratfor Global Intelligence – many of whom are actively involved in the IT security industry – were using weak passwords. This confirms that the human element is now the weakest link in security.
Put simply, they really should have known better, as the user list of the hacked accounts reportedly included US military personnel, IT staff at the Bank of America and JP Morgan, as well as IT professionals with IBM and Microsoft.
And if these professionals cannot get their password security sorted, what hope is there for the rest of the Internet user community? This revealing analysis bears out our constant mantra that conventional passwords are dead in the water on the security front – especially with powerful password-cracking technology so readily available.
It is interesting that the Utah University researchers – who crunched their way through the MD5 password hashes for the Stratfor user account credentials released by the Anonymous hacktivists – were able to crack more than 160,000 passwords belonging to various users.
Using freely available cracking software – John the Ripper and oclHashcat-plus – the researchers were able to test some eight million and 62 million password guesses per second respectively across their network of computers.
In theory, had account holders used strong enough passwords, then even oclHashcat-plus – which harnesses the number-crunching capability of a PC’s graphics processor(s) – could not have mounted a feasible brute-force attack.
But, as this research shows, human nature means that many people are lazy and choose passwords of eight characters or fewer, which made the researchers’ task very easy.
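To put those guess rates in perspective, here is an added example (not code from the article or the Utah researchers) that plugs the article's two quoted rates into a keyspace calculation and reports the worst-case time to exhaust a password policy; the policy names and the `salted_hashes` modelling parameter are constructed for this example, and the article does not say whether the Stratfor hashes were salted.

```python
"""Brute-force exposure estimator for fast password hashes such as MD5.

Added example, not code from the original article. It uses the article's two
quoted guess rates to show why passwords of eight characters or fewer fell
while longer ones would have been out of reach.
"""

# Guess rates quoted in the article (guesses per second)
JOHN_RATE = 8_000_000        # John the Ripper on the CPU cluster
HASHCAT_RATE = 62_000_000    # oclHashcat-plus using GPUs

# Alphabet sizes for some common password policies (constructed for this example)
CHARSETS = {"digits": 10, "lowercase": 26, "mixed_alnum": 62, "printable": 95}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len an exhaustive search must try."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_size: int, max_len: int, rate: float,
                       salted_hashes: int = 1) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second.

    With an unsalted hash every candidate is hashed once and compared against
    the whole leaked list, so the list size does not matter. With per-user
    salts the work repeats for each hash; `salted_hashes` models that
    (assumption for this example: the article does not say whether the
    Stratfor hashes were salted).
    """
    return keyspace(charset_size, max_len) * salted_hashes / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def exposure_report(rate: float, lengths=(6, 8, 10, 12)) -> dict:
    """Map (policy, max length) -> worst-case exhaustion time in seconds."""
    return {(name, n): seconds_to_exhaust(size, n, rate)
            for name, size in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    for (policy, n), secs in sorted(exposure_report(HASHCAT_RATE).items()):
        print(f"{policy:>11} x{n:2d} at {HASHCAT_RATE / 1e6:.0f} M/s: {describe(secs)}")
```

At the article's 62 million guesses per second, every lowercase password of up to eight characters is exhausted in under an hour, while a twelve-character password drawn from all printable ASCII would take hundreds of millions of years.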
And if the Utah University researchers have been able to crunch these records, then you can bet your bottom dollar that their criminal counterparts have also been conducting similar analyses. This proves that ID/password security really is out-moded, and that Internet users now need to be thinking in terms of two-factor authentication.
The problem with most two-factor authentication systems seen to date, however, is that they require a hardware token. One approach is to use the user’s smartphone (something you have) together with the answer to a known question (something you know) to ensure that only the person entitled to access the account can use the online facility.
Tokenless authentication makes stepping up from out-moded ID/password security all the easier. Two-factor authentication significantly raises the security bar and remedies the shortcomings of the human element at login.