[ISN] Petraeus affair offers unintentional lesson on password reuse
By Nate Anderson
Nov 12 2012
Paula Broadwell, the biographer and reported mistress of CIA director
David Petraeus, appears to have been a subscriber to the "private
intelligence" firm Stratfor -- and that means that her Stratfor login
account and its hashed password were hacked and released last year by
The Stratfor hacker, who the US government says was Chicago-based Jeremy
Hammond, obtained a complete roster of all corporate client accounts.
These were released online in a massive file called stratfor_users.csv.
Inside that file appear the details for one paulabroadwell@xxxxxxxxx,
whose hashed password is listed as "deb2f7d6542130f7a1e90cf5ec607ad1."
It's not clear whether the leak was meaningful -- Broadwell's Stratfor
password and her actual Yahoo e-mail password might have differed -- but
the prevalence of password reuse raises the possibility that hackers
could have accessed her Yahoo e-mail or perhaps even the Gmail account
she allegedly used to correspond with Petraeus.
BuzzFeed speculated that this might have happened and that Anonymous
might have had access to Broadwell's Yahoo account, at least. Security
researcher Robert David Graham casts a skeptical eye on the story,
though, noting that Broadwell's password was a good one that resisted
obvious dictionary attacks. Graham had broken it, however, using a
brute-force attack that simply tried every letter and number combination
in existence, running 3.5 billion combinations per second against the
password until he found it.