Wednesday, February 27, 2013

ABC Australia Password Dump Analysis

By now its no new news that ABC Australia got hacked and had a whole stack of database information leaked on the internet.

Amongst some of it was of course usernames, passwords and email addresses. Did the users of this website choose strong passwords? Did the website enforce strong passwords?

It starts out very bad - here is an excerpt from their terms and conditions : Ultimately, you are responsible for maintaining the secrecy of your passwords and/or any personal information

See ABC, this where you lost the plot. The servers are yours, the platform is yours and the data is ultimately yours (you claim ownership by way of requesting users to submit it). So to say that users are ultimately responsible for the secrecy of their passwords is probably the most absurd thing i've heard. Users are responsible for protecting their password, yes - but the website owner is responsible for ensuring that stealing its entire database and all the passwords is not possible! Otherwise you may as well let every single user have a say in your security policy and server and application configuration in fairness to the fact that you tell them they are ultimately responsible.

[EDIT: There are reports surfacing that the site was not hosted by ABC. However if it had their branding its bad enough and the above still applies.]

But enough rambling, lets get on to the meaty stuff:

Firstly, I spent about 4 hours in total cracking time on this list, so yes it can be improved but the result below is what could be done in a single day of the leak being available. However for what the purpose of this blog is - to analyse the leak - I think I cracked sufficient passwords to do such.

Hardware: 11 GPU's using VCL with vclHashcat and wordlists, rules, masks, hybrid, brute-force
Total Hashes : 49 575
Cracked Hashes : 37 571 [updated 28/02]
Thats roughly 75% of the hashes cracked.

Here are the general statistics:

Top Password Lengths

What we can see from above, is that 8 characters is the most used password length. However what we cannot see in this graph, was that the count "5" has 1 password that matched. This means the site allowed passwords with as low as 5 characters.

Top 10 Base Words

happy = 144 (0.39%)
password = 43 (0.12%)
jack = 41 (0.11%)
molly = 30 (0.08%)
bella = 29 (0.08%)
happiness = 27 (0.07%)
rose = 26 (0.07%)
purple = 26 (0.07%)
oscar = 25 (0.07%)
jane = 25 (0.07%)

Again nothing very out of the ordinary here. And obviously no checks for "dictionary" words or common words were done by the site...

Password Structure

Typical findings here, the majority were lowercase alphanumeric in use.

Usernames/Emails Occurrence as Passwords

Not many hits here, which actually fares well for the users. Obviously the website did not enforce not using emails or logins, but users seemed to primarily choose other password candidates.

General Stats

Most widely used year in passwords was 2010
Most widely used color in passwords was red
Most widely used number at the end of passwords was 1
Most widely used digit combination at the end of passwords was two digits.
Most widely used calendar months in passwords was March
Most widely used day of the week in passwords was Monday
Most widely used base word to form other passwords was "happy"

So in conclusion, it seems that ABC Australia* did almost no security testing such as vulnerability assessments or penetration tests on this site, but more concerning is that their security policy that drove the authentication model for the website appears to have been very lacking. Perhaps they will now invest in a better-built security model going forward.

*[EDIT: See above note about the site being hosted externally. As mentioned ABC still had a say in the security if they were using it however]

Thats all for now,

Dimitri AKA Rurapenthe
Twitter : @Bitcrack_Cyber