Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Antichat hacker forum data breach reveals weak passwords are endemic

According to Brian Krebs of KrebsOnSecurity, last month he sent a massive database file - which was supposedly the user database of Antichat.ru, a Russian language hacker forum that has attracted more than 41,000 users since it was founded in the early noughties.

"By matching the user names in the database with those listed in the public pages of the forum, I discovered that I'd been given a snapshot of all Antichat user information and private messages prior to June 2010, when Antichat.ru apparently experienced a data compromise", he says in his latest security blog posting.

"I wanted to match the Antichat user names, associated email and ICQ addresses with those of other forums for which I've collected user databases", he explained.

The former Washington Post security reporter went on to say that he also wanted to see how many of the passwords were easily crackable - and to carry out this task, he tapped the resources of an anti-spam specialist who has access to some serious hardware and software capable of cracking thousands of passwords per hour.

Krebs found more than 18,000 of the 41,037 passwords in the database were crackable within a few days, and that 4,500 passwords were used by five or more individual users.

The most easily-guessed passwords, he asserts, were six characters long or less, and 75% of the top 20 most common simple passwords were uncomplicated number strings.

More than 3% of Antichat users whose passwords were cracked picked one of the simplest passwords, 123456, whilst 1.77% chose 111111. In addition, just over 1% had selected 123123 as their password.

Another 196 users - just under 0.5% - opted for QWERTY, whilst a further 65 Antichat users had a password of 0.

"Although nearly half of the Antichat user passwords were crackable, the passwords aren't useful for gaining access to Antichat user accounts", says, adding that forum administrators have changed the site's login process to automatically tie the user's to their internet address.

However, he notes, the internet address data tied to each account may be of interest to law enforcement investigators.

Krebs says that the hardware used to crack the Antichat passwords was an EVGA GTX 295 graphics card running Hashcat software under CUDA.

The Antichat forum, meanwhile, runs on Vbulletin 3.0, which uses a salted hash to add complexity to stored passwords. Depending on the approach used, the number of hashed passwords processed in an hour ranges between 1,000 to 7,000, which Krebs says compares with many billions of permutations per hour on unsalted hashes.

The number `cracked' per hour, notes the security researcher, depends on the complexity of the passwords and the method of attack being used.

According to Krebs, his anti-spam colleague worked on this hash list for about 18 days, operating on a 24/7 basis, with the total number of passwords that were cracked was 18,225 of 41,037, or 44% of the total.

"It may be that many Antichat users weren't worried about picking strong passwords because they didn't care whether their accounts got hacked", he said.

"But it's important that KrebsOnSecurity readers understand the basic principles for picking strong passwords and for avoiding practices that lead to weak and easily-cracked passwords", he added.

What’s Hot on Infosecurity Magazine?