
[ISN] Petraeus affair offers unintentional lesson on password reuse


By Nate Anderson
Ars Technica
Nov 12 2012

Paula Broadwell, the biographer and reported mistress of CIA director David Petraeus, appears to have been a subscriber to the "private intelligence" firm Stratfor, and that means that her Stratfor login account and its hashed password were hacked and released last year by Anonymous.

The Stratfor hacker, who the US government says was Chicago-based Jeremy Hammond, obtained a complete roster of all corporate client accounts. These were released online in a massive file called stratfor_users.csv. Inside that file appear the details for one paulabroadwell@xxxxxxxxx, whose hashed password is listed as "deb2f7d6542130f7a1e90cf5ec607ad1."

It's not clear whether the leak was meaningful (Broadwell's Stratfor password and her actual Yahoo e-mail password might have differed), but the prevalence of password reuse raises the possibility that hackers could have accessed her Yahoo e-mail or perhaps even the Gmail account she allegedly used to correspond with Petraeus.

BuzzFeed speculated that this might have happened and that Anonymous might have had access to Broadwell's Yahoo account, at least. Security researcher Robert David Graham casts a skeptical eye on the story, though, noting that Broadwell's password was a good one that resisted obvious dictionary attacks. Graham had broken it, however, using a brute-force attack that simply tried every letter and number combination in existence, running 3.5 billion combinations per second against the password until he found it.
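As an added illustration of the brute-force figure above (example code written for this edit, not from the article or from Graham's work): a cost model that turns the quoted 3.5 billion guesses per second into worst-case search time over the full letter-and-number keyspace, and shows how a deliberately slow password hash changes the arithmetic for a defender. The 62-character set and the slowdown factor are assumptions, not figures from the article.

```python
"""Brute-force cost model for the attack described above (added example, not from the article)."""
from math import log2

# Assumptions (not stated in the article): "every letter and number" is the
# 62-character set a-z, A-Z, 0-9, and the rig sustains the quoted rate against
# a fast, unsalted hash.
ALNUM_CHARSET = 62
QUOTED_RATE = 3.5e9  # guesses per second, figure quoted in the article


def keyspace(length: int, charset: int = ALNUM_CHARSET) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def cumulative_keyspace(max_length: int, charset: int = ALNUM_CHARSET) -> int:
    """Candidates of length 1..max_length, which an exhaustive search must cover."""
    return sum(charset ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(max_length: int, rate: float = QUOTED_RATE,
                       charset: int = ALNUM_CHARSET, slowdown: float = 1.0) -> float:
    """Worst-case time to try every candidate up to max_length.

    `slowdown` models a deliberately expensive password hash (bcrypt, scrypt or
    Argon2 tuned so each guess costs many times a fast hash); it divides the
    attacker's guess rate. A value of 1.0 is the fast-hash case from the article.
    """
    return cumulative_keyspace(max_length, charset) / (rate / slowdown)


def report(max_length: int, slowdown: float = 1.0) -> str:
    """One human-readable line: entropy of the search space and hours to exhaust it."""
    secs = seconds_to_exhaust(max_length, slowdown=slowdown)
    bits = log2(cumulative_keyspace(max_length))
    return f"len<={max_length}: {bits:5.1f} bits, {secs / 3600:14.1f} hours"


if __name__ == "__main__":
    for n in (6, 7, 8, 9, 10):
        print(report(n))
    # Same 8-character policy, but each guess 100,000x as costly as a fast hash
    # (an assumed, illustrative slowdown factor).
    print(report(8, slowdown=100_000))
```

At the quoted rate every mixed-case alphanumeric password of up to 8 characters falls in about 17.6 hours, which is why "resists dictionary attacks" is not the same as "resists brute force".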

