Passwords From PHPBB Attack Analyzed
Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"
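The "keyboard pattern" classification Graham mentions can be done mechanically. The script below is an added example written for this page, not his analysis tool, and it assumes a left-aligned US QWERTY layout plus a standard numeric keypad (real keyboards are staggered, but aligning the columns is what makes 1-q-a-z a straight line). A password counts as a keyboard walk if it splits into straight-line runs of three or more keys (jumps between runs allowed, so "159357" is the keypad X and "1qaz2wsx" is two columns) or if its key-to-key moves alternate with period two (the "1q2w3e" zigzag). The sample list at the bottom is constructed, not leaked data.

```python
"""Keyboard-walk classifier for leaked password lists.

Added example, not Robert Graham's analysis tool. Layouts are assumed:
US QWERTY with rows left-aligned so 1-q-a-z line up, and a numeric keypad.
"""
from collections import Counter

LAYOUTS = {
    "qwerty": ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"],
    "numpad": ["789", "456", "123"],
}


def _coords(rows):
    return {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}


COORDS = {name: _coords(rows) for name, rows in LAYOUTS.items()}


def _steps(pw, coords):
    """Row/column deltas between consecutive keys."""
    pts = [coords[ch] for ch in pw]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]


def _is_unit(step):
    """One key in any of the eight directions; a repeated key (0, 0) is not a move."""
    return step != (0, 0) and max(abs(step[0]), abs(step[1])) == 1


def _straight_runs(pw, coords):
    """Lengths of maximal constant-direction runs: 'qwerty' -> [6], '159357' -> [3, 3]."""
    steps = _steps(pw, coords)
    runs, i = [], 0
    while i < len(pw):
        length = 1
        if i < len(steps) and _is_unit(steps[i]):
            d = steps[i]
            while i + length - 1 < len(steps) and steps[i + length - 1] == d:
                length += 1
        runs.append(length)
        i += length
    return runs


def _is_zigzag(pw, coords):
    """Every move is one key and the moves repeat with period two, e.g. '1q2w3e'."""
    steps = _steps(pw, coords)
    return (len(steps) >= 3 and all(_is_unit(s) for s in steps)
            and all(steps[i] == steps[i - 2] for i in range(2, len(steps))))


def keyboard_pattern(password, min_len=4):
    """Return the layout name if the password is a keyboard walk on it, else None."""
    pw = password.lower()
    if len(pw) < min_len:
        return None
    for name, coords in COORDS.items():
        if any(ch not in coords for ch in pw):
            continue  # not typeable on this layout alone
        if all(r >= 3 for r in _straight_runs(pw, coords)) or _is_zigzag(pw, coords):
            return name
    return None


def pattern_share(passwords):
    """Fraction of the list that is a keyboard walk, plus per-layout counts."""
    hits = Counter(keyboard_pattern(p) for p in passwords)
    hits.pop(None, None)
    return sum(hits.values()) / len(passwords), dict(hits)


# Constructed sample list, not the leaked phpbb.com data.
SAMPLE = ["123456", "password", "qwerty", "asdf", "1qaz2wsx", "1q2w3e", "159357",
          "letmein", "abc123", "kitten6apple"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:14} {keyboard_pattern(p) or '-'}")
    share, by_layout = pattern_share(SAMPLE)
    print(f"keyboard walks: {share:.0%} {by_layout}")
```

Digit-only passwords are tried on both layouts, so "123456" is reported as a QWERTY row while "159357" only matches the keypad; "abc123" and "letmein" fall through because letter-sequence and dictionary passwords are different categories and need their own classifiers.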
The numeric keypad is on the right ... how exactly does this work out?
someone 'analyzed' another password list for correlations and found nothing of inherent value to security other than 'people are a problem'.
Chalk yet one up for the Adams team.
What the hell, Slashdot? Stop posting all my passwords!
It's a horrible problem of having leaked passwords, and the only way around it is to avoid logging the cleartext password and do a hash of the password combined with a salt before storing it.
In that way it's at least not too easy to recreate the password used by various users.
It's of course standard procedure, but it just makes it evident how incredibly trivial some systems are built.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
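What "a hash of the password combined with a salt" buys you, as an added example written for this page (not phpBB's or the mailing-list software's code): under a bare hash every user who picked "123456" gets the same digest, so one lookup table cracks all of them at once; with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here) each record has to be attacked on its own. The iteration count and the sample users are assumptions, and the salt does not rescue a weak password, it just removes the batch discount.

```python
"""Salted, iterated password hashing versus bare hashes.

Added example, not phpBB's code. ITERATIONS is an assumed work factor;
tune it so one hash costs roughly 100 ms on your own servers.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000


def bare_hash(password):
    """The 'trivially built system' approach: unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def crack_bare(records, wordlist):
    """Offline attack on bare hashes: one digest per candidate covers every user at once."""
    table = {bare_hash(w): w for w in wordlist}  # a lookup table in miniature
    return {user: table[h] for user, h in records.items() if h in table}


def crack_salted(records, wordlist):
    """Same attack on salted records: every (user, candidate) pair costs a full KDF run."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_password(w, rec):
                found[user] = w
                break
    return found


# Constructed sample users and guesses, not leaked data.
USERS = {"alice": "123456", "bob": "123456", "carol": "kitten6apple"}
TOP_GUESSES = ["123456", "password", "qwerty"]

if __name__ == "__main__":
    bare = {u: bare_hash(p) for u, p in USERS.items()}
    print("bare md5 identical for alice/bob:", bare["alice"] == bare["bob"])
    print("cracked bare:", crack_bare(bare, TOP_GUESSES))
    salted = {u: hash_password(p, iterations=1000) for u, p in USERS.items()}
    print("salted records differ for alice/bob:", salted["alice"] != salted["bob"])
    print("cracked salted (3 guesses x 3 users = 9 KDF runs):", crack_salted(salted, TOP_GUESSES))
    print("verify carol:", verify_password("kitten6apple", salted["carol"]))
```

Both attacks still recover "123456" because the guess is the first thing anyone tries; the difference is that the bare-hash attack cost three MD5 calls for the whole database, while the salted one cost a KDF run per user per guess, and that multiplier is the entire point of the comment's advice.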
I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.
Last time I looked, the keypad was on the right of the keyboard. ^^
With so many other methods of user verification why do we still continue with passwords? My work uses so many passwords for each application, and forces you to change them monthly, and some of them force you to use different passwords, that you can look at any monitor and find a post-it note with complete access to the system. When I mentioned this to the SAs, they said they need all of the passwords for security? Why not use thumbprints or cards for verification like the hospital I used to work at? Never typed a single password. Had to take the gloves off once or twice, but never a password.
Doesn't that make you a criminal too?
Oh, it was just for 'educational purposes only' so that makes it all better.
---- Booth was a patriot ----
That's how I've been doing it for ages.
78945617946123 would be my default password,
sadly, there wasn't enough room for 7894123794513.
Sex and God are not even on the list.
People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?
Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.
So do not focus on "strong" passwords as your only defense against attack.
One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.
Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.
There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.
For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.
People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.
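The login-delay policy proposed above, turned into code so the guess budget it leaves an attacker is a number rather than a feeling. This is an added example written for this page, not Slashdot's or phpBB's login code; the clock is passed in so a day can be simulated instantly, and the 2000-word dictionary used to size the "word.digit.word" keyspace is an assumption.

```python
"""Login throttling: 10 s between attempts, 10 min lockout after 3 failures.

Added example, not any site's real login code. The caller supplies `now` and a
zero-argument `check` that verifies the password; `check` is only invoked when
the policy allows an attempt, so throttled requests cost no hashing work.
"""


class LoginThrottle:
    def __init__(self, min_gap=10.0, max_failures=3, lockout=600.0):
        self.min_gap = min_gap
        self.max_failures = max_failures
        self.lockout = lockout
        self._state = {}  # user -> [last_processed_attempt, failures, locked_until]

    def attempt(self, user, now, check):
        """Return 'ok', 'denied', 'too_fast' or 'locked'."""
        st = self._state.setdefault(user, [float("-inf"), 0, float("-inf")])
        last, failures, locked_until = st
        if now < locked_until:
            return "locked"
        if now - last < self.min_gap:
            return "too_fast"  # neither processed nor counted as a failure
        st[0] = now
        if check():
            st[1] = 0
            return "ok"
        st[1] = failures + 1
        if st[1] >= self.max_failures:
            st[1] = 0
            st[2] = now + self.lockout
        return "denied"


def guesses_per_day(throttle, user="victim"):
    """Attacker who fires one wrong password every second for 24 h: how many get checked?"""
    guesses = 0
    for now in range(86400):
        if throttle.attempt(user, now, lambda: False) == "denied":
            guesses += 1
    return guesses


def success_probability(guesses, keyspace):
    """Chance that `guesses` distinct guesses hit one uniformly chosen password."""
    return min(1.0, guesses / keyspace)


if __name__ == "__main__":
    per_day = guesses_per_day(LoginThrottle())
    words = 2000  # assumed dictionary size for word.digit.word passwords
    keyspace = words * 10 * words
    print(f"online guesses per day against one account: {per_day}")
    print(f"P(success within a day): {success_probability(per_day, keyspace):.2e}")
    print(f"days to a 50% chance: {0.5 * keyspace / per_day:.0f}")
```

With the defaults an attacker gets 3 guesses per 620-second cycle, about 420 a day against one account, which is why the comment can afford a memorable password: the limiting factor becomes detection of the lockouts, not entropy. Note the throttle is per user, so a spray of "123456" across many accounts is a separate problem this check does not address.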
And change the combination on my luggage!
How many key patterns are used by people who type with dvorak or colemak? I've always liked the extra security that comes with using an obscure (albeit superior) keyboard layout ;)
What lessons can we learn from a password list taken from a mailing list? Most if not all people would instinctively choose a weak password for something like that, and those that didn't wouldn't use their "normal" strong one for fear of something like this incident happening. After all, it's only worth choosing a strong password if there's something worth protecting with it. Nobody (that's nobody) chooses new passwords for every system they use. So what's left - "password" and "12345". Not a big surprise.
"And the meaning of words; when they cease to function; when will it start worrying you?"
God, schmod. I want my monkey man!
I group passwords two ways.
1. Sites that have no personal info or I don't really give a damn about. Those share 2 or 3 different passwords depending on their lame (no special characters!) requirements. Pick two words, use 7334 spelling and separate them by a punctuation mark. For example "mad money" becomes "M@d;m0n3y". Good luck guessing stuff like that.
2. Sites that I care about, like online banking or ones that contain personal information (LinkedIn, for example), have random line noise for passwords and I just write them down. There is a notebook in my desk with all the passwords. The desk is locked and in my home office. That is far more secure than trying to make them easy enough to memorize.
3. If you use Firefox, make sure you use a Master Password if you allow it to remember passwords.
Someone posted this earlier and it is a useful BASH script.
dd if=/dev/random bs=200 count=1 | tr -cd 'A-Za-z0-9!@#$%^&*()_+'; echo
Copy a group of 10-15 out of the middle of that and use it for a password.
Learning HOW to think is more important than learning WHAT to think.
Does this message thread constitute an "access control circumvention device" under the DMCA? It's a reach to consider a message board thread to be a "device," but information herein does identify a statistical bias toward passwords used for access control. That wasn't the original intent of the DMCA ... but the original intent is irrelevant.
Even though I'm right handed, I haven't switched the buttons. I did it because of carpal tunnel syndrome. Switching turned out to be pretty easy, though even after 2 years I still switch back for a fast moving game; my left hand just hasn't got the speed & accuracy of my right.
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
I don't know about other people, but I really don't care if someone hacks or guesses my forum password. There is virtually no damage they can do. It's not as if they can get my credit card number, or even my real email address from my account information. The worst thing they could do it post goatse pictures all over the place and get me banned. It's for this reason that I don't spend much, if any, time creating a robust or unique password for forum sites. Same goes for myspace, facebook, or any other random website that requires a login for no good reason (I'm looking at you, nytimes.com).
When someone hacks the FBI network and posts all their passwords and finds the same pattern, give me a call and I'll freak out along with you. Trivial web sites are going to beget trivial passwords.
So the combination is 1... 2... 3... 4... 5...? (stops to open up mask) That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse on the left, though I'm sure that weirdo exists.
I have mice on both sides.
I'm almost ambidextrous so this way I can reach for a mouse with whichever hand isn't currently holding my coffee.
I do get a lot of "oh, you're left handed?" from people who see me reach for things with my left hand though. I never understood why people limit themselves to 50% of their usable hands.
You can't take the sky from me...
" I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad."
I've never used that password, though I didn't have to think for a second to associate those numbers to the KeyPad... I'm a genius?
Minti: What's that huge shuriken in your back?! Kin: It's the instrument of my victory.
I'm honestly not even sure what phpbb is but I really doubt the password distribution there is representative of passwords on things people care about.
I have the same, really lame password on almost every forum-type site. Because, you know what? I don't care! Worst case, someone impersonates me on Slashdot. Oh, the humanity! Oh, the horror!
Likewise, the Ubuntu system on my LAN has the password "password" on all accounts, including root. I trust the people who can get into my house, and if I can't trust them, perusing my MP3s or my Quicken backup is the least of my worries.
On the other hand, I have unique passwords on sites like fidelity.com and westsuburbanbank.com - hard passwords, ones I can remember but would never be on one of these lists.
The preferred solution is to not have a problem.
Hi, as a left-handed guy (who doesn't like to be called "leftie") I can assure you that 1qaz2wsx is more common than the numeric keypad thing.
Also, as an IBM employee, combinations of three consecutive letters and numbers are a common thing in "automatic internal password generators".
cheers.
So I'd like to know if my password is in there... where's the list?
12345?! That's the combination to my luggage! (And to my planet's airlock.)
Who needs a list of the 500 worst passwords. What we need is a list of the 500 best passwords.
Maybe it's not the lefties who like this, but the 1337 haxor wannabe's who find this password appealing?
Signatures are a waste of bandwi (buffering...)
You could just use
dd if=/dev/random bs=1 count=x | base64
where x is an integer multiple of 3 (you can do non-multiples, but 24-bit chunks line up nicely with the uuencoder.)
Why use a whole python script, when you can use a short pipeline and coreutils?*
*now, I would like to know a quick way to use dice instead. Piping characters through a hash feels like cheating to me.
Can you be Even More Awesome?!
This is how the Poles hacked into the German enigma - careless use of keyboard patterns leading to superposition and a break of the duplicated passwords.
Report back to us the first time your house gets broken into, and the perp finds your little black book of passwords.
Fingerprint readers only work for on-site identification with a trusted path between the reader and the thing being granted access to. If there is no trusted path, the fingerprint image is simply like a password--one that you can't change if it gets compromised.
No, the real solution is to use keychains. You don't need anything special for that. Just put all your keys in a keychain on a USB memory stick and carry that around.
All the software is already there on Gnome and OS X. The only trouble is that the keychain software doesn't use keychains on USB drives by default, so you have to go through some pain to set this up on every computer that you use. Also, you effectively have multiple keychains, for example one for Firefox and one from the operating system.
In my company, they force us to change passwords every 30 days. The result? Passwords written and taped to monitors or desks or 123456789 type passwords.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
I keep it the same as my cat's name, so it's easy to remember. My cat's name is HZpn8BINlP5Lows2Y@z2I%L!Cvlga&GE128 but I change it every month.
Try applying vector patterns to the passwords. Eg: the 1q2w3e is a \/\/\ pattern. The 159357 pattern would just be a big X.
Vector patterns like this are how I remember phone numbers.
BTW, I'm left handed and I have no idea at all how you jumped to that conclusion.
Dude, you actually had to google 159357 to realize it was a num-pad thing? Time to hand in his geek card Robert!!!
I was "sent the password list" too. In case you'd like to perform your own analysis, the complete data set is available.
Following a cursory glance through these "passwords," I don't know whether to laugh or cry. My take: Nothing of value was lost.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
Nowadays it's hard to find a non-right-biased, symmetrical mouse (at least a good one).
The cheap basic Microsoft Optical mouse is the best mouse I've found - the fancy ones with extra buttons and exciting shapes are a pain to use - and it's symmetrical. It's the best thing Microsoft's ever made... maybe even better than Xenix.
I once had to write a PPP script (remember those?) to log into my dialup ISP at that time. Apparently, there were different servers programmed by different programmers, because sometimes it would prompt me for 'Password' (capitalized) and sometimes for 'password' (all lower case). So to write a script that would catch both prompts, I looked for the string 'assword'.
That's what a password is, or at least aptly describes the place from which you pull it.
Since a lot of the non-left-handed discussion revolves around passwords, I thought I'd share my method. I have to make a LOT of passwords for my job and keeping track of them is insane, so for most things I use this:
Take a keyword, say, the site name, the email address, or the login name you're using for a system. Take the numeric position of the first letter, add one on, and that's where I start choosing 6 letters of a 'secret' 13-letter word I use. Then add the square of the number of letters in the keyword at the end.
For example, if logging into ebay and the secret word was quellesuprise, I'd start with the 6th character of the secret word, type 5 more letters of the word, then 16. So for ebay it's esupri16.
It works, but could be better. a) It's not always obvious what the keyword should be, and b) if someone saw 4 or 5 of my passwords they could guess the system and crack many more.
closed minded is as closed minded does
The article makes it sound as though PHPBB's forum system has been hacked, when in fact it was just some third party mailing list software that they use.