Information Security News mailing list archives

Petraeus affair offers unintentional lesson on password reuse


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 13 Nov 2012 04:07:05 -0600 (CST)

http://arstechnica.com/tech-policy/2012/11/petraeus-affair-offers-unintentional-lesson-on-password-reuse/

By Nate Anderson
Ars Technica
Nov 12 2012

Paula Broadwell, the biographer and reported mistress of CIA director David Petraeus, appears to have been a subscriber to the "private intelligence" firm Stratfor—and that means that her Stratfor login account and its hashed password were hacked and released last year by Anonymous.

The Stratfor hacker, who the US government says was Chicago-based Jeremy Hammond, obtained a complete roster of all corporate client accounts. These were released online in a massive file called stratfor_users.csv. Inside that file appear the details for one paulabroadwell () yahoo com, whose hashed password is listed as "deb2f7d6542130f7a1e90cf5ec607ad1."

It's not clear whether the leak was meaningful—Broadwell's Stratfor password and her actual Yahoo e-mail password might have differed—but the prevalence of password reuse raises the possibility that hackers could have accessed her Yahoo e-mail or perhaps even the Gmail account she allegedly used to correspond with Petraeus.

BuzzFeed speculated that this might have happened and that Anonymous might have had access to Broadwell's Yahoo account, at least. Security researcher Robert David Graham casts a skeptical eye on the story, though, noting that Broadwell's password was a good one that resisted obvious dictionary attacks. Graham had broken it, however, using a brute-force attack that simply tried every letter and number combination in existence, running 3.5 billion combinations per second against the password until he found it.

[...]
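As an added illustration that is not part of the Ars Technica article or this mailing-list post, the Python below uses the reported 3.5 billion guesses per second to estimate how quickly an unsalted, single-round fast hash (MD5 is assumed here; the article does not name the algorithm behind the leaked 32-character hash) can be exhausted for alphanumeric passwords of a given length, and contrasts it with a salted, iterated hash that divides the attacker's effective guess rate by the iteration count. The 62-symbol alphabet, the PBKDF2-HMAC-SHA256 choice and the 600,000 iterations are assumptions for the example.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Guess rate the article reports for the brute-force run against the leaked hash.
REPORTED_GUESSES_PER_SEC = 3.5e9
# Assumed alphabet: "every letter and number combination" -> 62 symbols.
ALPHANUMERIC = string.ascii_letters + string.digits

def keyspace(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length

def seconds_to_exhaust(max_length: int, guesses_per_sec: float = REPORTED_GUESSES_PER_SEC) -> float:
    """Worst-case seconds to try every password of 1..max_length symbols."""
    total = sum(keyspace(n) for n in range(1, max_length + 1))
    return total / guesses_per_sec

def md5_digest(password: str) -> str:
    """Unsalted, single-round MD5 (assumed for illustration): cheap per guess, so a
    leaked dump can be attacked offline at hardware speed, and reused passwords collide."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, an assumed choice). Each guess now
    costs `iterations` HMAC calls and must be redone for every distinct salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def effective_rate(fast_rate: float, iterations: int) -> float:
    """Guess rate left to an attacker when each guess costs `iterations` hash calls."""
    return fast_rate / iterations

if __name__ == "__main__":
    for n in (6, 8, 10):
        print(f"alphanumeric up to {n} chars: {seconds_to_exhaust(n) / 3600:.1f} hours")
    print(f"PBKDF2 at 600k iterations: ~{effective_rate(REPORTED_GUESSES_PER_SEC, 600_000):.0f} guesses/s")
```

At the reported rate every alphanumeric password of up to eight characters falls in under a day against a fast unsalted hash, which is why a single leaked hash plus password reuse can expose unrelated accounts; the iterated, salted record is the storage-side mitigation.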
