Passwords From PHPBB Attack Analyzed

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"

Re:159357 popular with lefties?

As in : left hand on the mouse, right hand free to type something ?

Re:The horrible problem

[sakdoctor]

If you're going to rant about encryption then get modded +5, try to be factually correct so you don't mislead people.

CRC32 is a checksum algorithm.
Integrity algorithm - This doesn't mean anything!
MD5 and SHA1 are both hash algorithms.
MD5 is weak because it's not not collision resistant.
SHA256 and up are recommended.

For passwords simply appending the salt is sufficient. Hashes are not reversible. They can't be "undone mathematically".

There is a related issue called an extension attack, where data can be added without knowing the original hash value. For that you need an HMAC which is the correct way to incorporate ("mix and blend") a secret key with data.

Avoid adding rounds to weak hashes. Pick a larger hash. A 512bit hash has 1.3 Ã-- 10^154 possible outputs!

Do not reinvent the hash.
Do not reinvent the HMAC.
Learn the proper application of both.