Both tools calculate a MD5 hash from a word list, of which different permutations can be defined by the person trying to crack the password. Young also used password lists from other noted data breaches including Sony (17,000 passwords), Rockyou (14 million), PHPBB (278,000) and MySpace (36,000).
Password lists are useful, since there is a good chance that people will have already picked easy ones. Stratfor's data didn't disappoint, and Young found that many of its passwords were contained on the lists from other data breaches, such as "jasper10," "swordfish" and "green101."
Young said his team has just a small budget and will probably calculate possible lower-case passwords as long as eight characters. Beyond that, more computing power is needed, as just calculating all of the possible lower-case word combinations for a 10-character word starting with "A" would consist of some 2.2 TB of data, Young said. All of the permutations of a possible password combination is known as the "word size."
Nation-states would easily have the computing muscle. Young said his 120 computers are "nothing compared to what a concentrated attack from the NSA or China or North Korea could throw at this."
Sign up for Computerworld eNewsletters.