Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords From PHPBB Attack Analyzed

Posted by Soulskill on from the convenience-trumps-security dept.

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"

14 of 299 comments (clear)

  1. The horrible problem by Z00L00K · · Score: 4, Insightful

    It's a horrible problem of having leaked passwords, and the only way around it is to avoid logging the cleartext password and do a hash of the password combined with a salt before storing it.

    In that way it's at least not too easy to recreate the password used by various users.

    It's of course standard procedure, but it just makes it evident how incredibly trivial some systems are built.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:The horrible problem by NeoThermic · · Score: 3, Insightful

      Just to put a huge hole in your rant, the passwords in question *were* md5'ed. They were only in md5 format because they were passwords left unconverted since the hash algo changed in phpBB3. To convert them, it requires the user in question to log in just once post-conversion. The accounts cracked had not done that and were thus very unused accounts.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    2. Re:The horrible problem by asdfghjklqwertyuiop · · Score: 4, Insightful

      When most of your users are chosing passwords like "password" and "1234" no hashing is going to help. Those are the first things anyone will try when using brute force.

      Hashing would buy competent, caring* users with strong passwords a little bit of time to change their password, assuming the intrusion is discovered and the users are notified quickly enough.

      *: That's another mistake a lot of site designers make: assuming that the users care about the security of the accounts they set up. Many times the users simply want access to some content on a web site and once they have it couldn't care less about their account. It was just a meaningless hoop they had to jump through to get something. If the compromise affects the web site more than its users then its time to stop making people create an account for every little thing so your marketing department can gather personal information.

  2. Re:159357 popular with lefties? by Carewolf · · Score: 4, Insightful

    Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

  3. Re:Left and right reversed? by Ian+Alexander · · Score: 4, Insightful

    I've never moused with my left hand on anything approaching a regular basis- it's simply too awkward. I was just taught to use my right hand to mouse like everyone else in elementary school so that's what I do.

    --Southpaw

  4. Re:159357 popular with lefties? by Aranykai · · Score: 2, Insightful

    Because they place their left hand on the mouse, leaving the right hand on the right side of the keyboard. Its only natural to use the number pad instead of moving their mouse hand.

    --
    If sharing a song makes you a pirate, what do I have to share to be a ninja?
  5. Are they the problem? by khasim · · Score: 5, Insightful

    someone 'analyzed' another password list for correlations and found nothing of inherit value to security of than 'people are a problem'.

    People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?

    Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.

    So do not focus on "strong" passwords as your only defense against attack.

    One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.

    Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.

    There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.

    For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.

    People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.

    1. Re:Are they the problem? by Glendale2x · · Score: 5, Insightful

      The other problem is that every damn thing on the internet now requires a login and password - so much that we start using crap passwords like "asdf" for sites like your phpbb forum login, which happens to be the same as the other 50 forums you have accounts on or ever needed to register for to ask a one-off question.

      --
      this is my sig
    2. Re:Are they the problem? by LihTox · · Score: 3, Insightful

      I did think of that, but I still say passwords need to be treated like credit card numbers, and that includes allowing for the possibility that they are stolen. If it's possible that, just by knowing your password, a crook can liquidate your assets with no recourse for you, then a password is inadequate security no matter how often you have them changed or how complicated they are. Or alternatively, people need to be insured against that sort of thing happening.

  6. Re:159357 popular with lefties? by basscomm · · Score: 3, Insightful

    I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

    I've done tech support for several hundred Average Joe computer users, and out of those, I've seen the mouse on the left-hand side of the keyboard twice, and only one of those times did the person actually switch the buttons around.

    I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

    --
    http://crummysocks.com
  7. Re:Passwords are the Problem by zippthorne · · Score: 3, Insightful

    Fingerprint readers solve the "username" part of authentication. Not the "password" part.

    --
    Can you be Even More Awesome?!
  8. Re:159357 popular with lefties? by renoX · · Score: 2, Insightful

    >>I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

    As a semy-lefty, I disagree for me the reason why leftie don't use the mouse with their left-hand is that it's easy enough with their right hand so they don't change it.
    It takes a lot of time and effort to learn to write, not so much using a mouse..

  9. Re:159357 popular with lefties? by ajlisows · · Score: 2, Insightful

    I worked in a desktop support capacity for a company some years back that had a pretty good number of lefties that had the mouse on the left side of the keyboard with the buttons switched around. I think it is one of those things that if one lefty in a corporate environment figures it out, other southpaws take note and ask how it is done.

  10. Re:159357 popular with lefties? by ShieldW0lf · · Score: 3, Insightful

    I'd suggest using sentences, taking the first letter from each word.

    "I was born in Timbuktu in 72 and I don't know what to do!" turns into "IwbiTi72aIdkwtd!"

    16 characters, upper and lower case, numbers and punctuation, and it's practically impossible to forget.

    You can also program yourself this way.

    "I will get up at 8 and not be late for work!" turns into "Iwgua8anblfw!", which is still strong, but also causes you to repeat the phrase to yourself every time you log in, so maybe you won't get canned for showing up at your desk at quarter to 10.

    --
    -1 Uncomfortable Truth