A partial analysis of another massive leak of user passwords has again shone a light on the scourge of weak passwords used to protect sensitive data in online accounts, according to a report by The Tech Herald.
Using the leaked password list from STRATFOR, the open source intelligence service that was hacked last month, reporters from The Tech Herald were able to decipher over 80,000 of the hashed passwords, around 10% of the more than 800,000 passwords stolen in the attack. The analysis showed that trivial passwords like 123456, 11111111 and 123123 were common among STRATFOR customers.
STRATFOR, a global intelligence firm used by both private industry and the government, was partially to blame, the report found. The organization’s Web page allowed account holders to create passwords as short as one character to secure their account.
To crack the passwords, the Herald used a software tool called “Hashcat” to process the list of hashed passwords against lists of frequently used passwords, names in Arabic and Iranian, words from the King James Bible, Australian words, words from George Orwell’s ‘1984’ and lists of previously publicized passwords leaked from Facebook, Myspace, Hotmail and last year’s Gawker leak, as well as passwords from 2009’s phpBB breach and RockYou’s 2009 data leak.
Weak and woefully simple passwords continue to be a problem in security, even for large firms like STRATFOR. In addition, users frequently reuse passwords between Web sites, meaning that hacks of even low value news and information Web sites can provide the keys to higher-value corporate or government systems.
For the full password breakdown, the methodology used and a list of some of the most popular passwords by character number, head here.