Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords From PHPBB Attack Analyzed

Posted by Soulskill on from the convenience-trumps-security dept.

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"

55 of 299 comments (clear)

  1. 159357 popular with lefties? by LordKaT · · Score: 5, Funny

    The numeric keypad is on the right ... how exactly does this work out?

    1. Re:159357 popular with lefties? by Anonymous Coward · · Score: 5, Informative

      As in : left hand on the mouse, right hand free to type something ?

    2. Re:159357 popular with lefties? by Carewolf · · Score: 4, Insightful

      Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

    3. Re:159357 popular with lefties? by Aranykai · · Score: 2, Insightful

      Because they place their left hand on the mouse, leaving the right hand on the right side of the keyboard. Its only natural to use the number pad instead of moving their mouse hand.

      --
      If sharing a song makes you a pirate, what do I have to share to be a ninja?
    4. Re:159357 popular with lefties? by RedK · · Score: 3, Interesting

      I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
    5. Re:159357 popular with lefties? by Valdrax · · Score: 2, Interesting

      Never would've thought of that. As a left-handed person, I still use the mouse with my right hand because that's where everyone else puts it. Also, I'd have to remap the left/right buttons to be able to use my index finger for the majority of clicking.

      (Coincidentally, I did use that as my phone password for a while after some Cisco phones at my job barred my traditional "12345" (idiots, luggage) VM password. I've never even really understood a need to secure my VM in the first place, but I digress.)

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    6. Re:159357 popular with lefties? by mikael · · Score: 2, Interesting

      Perhaps it is a difference between laptops and desktop keyboards. On a commodity laptop there is no numeric keypad, though there is the numlock key on some which allows the UIOJKL keys to be used as numeric keys.

      The quickest way of typing numbers is to use the the top row of keys. In that case, sequences like '1234', 'qwe123', q1w2e3' would be the most convenient. If you have a full sized desktop keyboard, then the availability of the keypad would allow the sequence 159357 to be typed in rapidly.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    7. Re:159357 popular with lefties? by freedomlinux · · Score: 3, Informative

      Another leftie here...
      I never use the mouse on the left and switching the button layout seems like an awkward hassle.

      Maybe I'm not used to it because I tend to use public computers where admins would disapprove of re-arranging.
      I'm just so used to the regular right-handed mouse and don't know any lefties for aren't.

    8. Re:159357 popular with lefties? by Majik+Sheff · · Score: 4, Funny

      I don't have a right hand you insensitive clod!

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    9. Re:159357 popular with lefties? by basscomm · · Score: 3, Insightful

      I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

      I've done tech support for several hundred Average Joe computer users, and out of those, I've seen the mouse on the left-hand side of the keyboard twice, and only one of those times did the person actually switch the buttons around.

      I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

      --
      http://crummysocks.com
    10. Re:159357 popular with lefties? by eggy78 · · Score: 3, Interesting

      This is getting a little off-topic, but I used to work with a guy that had a mouse on the left and right side of his keyboard (connected to the same computer). I don't know if he was left- or right-handed, but it was definitely a little odd. He claimed it dramatically increased his productivity and was a pretty amazing setup. I don't believe him.

    11. Re:159357 popular with lefties? by vorpal22 · · Score: 3, Interesting

      I'm right handed, and I trained myself to use my mouse with my left hand. The reason? Because I was starting to develop wrist problems back when I was in IT and had to spend eight hours a day on the computer. Using the mouse with your right hand entails having to move over a much larger area of keyboard to get to it (numerical keypad, arrow keys, etc). With the left hand, you only have to travel a small distance. Also, being mouse-ambidextrous allows you to switch back and forth, thus taking the entire burden off of one hand.

      In the end, I decided to go with a trackball, which is built for the right hand (MS optical one) but which I use with my left hand. Furthermore, it's great because since it's a trackball and on the wrong side of the keyboard, it keeps people away from my computer, which is just fine with me :-).

    12. Re:159357 popular with lefties? by auric_dude · · Score: 5, Funny

      Nothing too sinister about being left handed.

    13. Re:159357 popular with lefties? by tgzuke · · Score: 2, Interesting

      I disagree. I'm left-handed, and my mouse is on the left side. My work (like most others, I'm guessing) has ambidextrous mice, and I use a Razer mouse at home. I just suffer when I find an ergonomic one in the wild, but that's no different than encountering any right-handed device, like can openers or power tools.

    14. Re:159357 popular with lefties? by mosschops · · Score: 2, Informative

      IE has problems if you add a port number to the address, so google.com:80 doesn't work, but is fine after you add the protocol. That's the only situation I remember that fails.

    15. Re:159357 popular with lefties? by innocent_white_lamb · · Score: 2, Interesting

      It may depend on how and when you learned to type numbers. I learned to type in school (typing class) on big Underwood manual typewriters, but never really got good at typing the numbers there. But when I got my Commodore 64 and started typing in programs out of Compute! magazine using their mlx program, which involved typing in pages and pages of nothing but numbers, I quickly learned to type numbers just as well as I can type letters. Always using the top row numbers, of course, because the Commodore 64 has no numeric keypad.

      To this day, I never use the numeric keypad on any keyboard. In fact, when it's not there (like on a laptop) I don't miss it a bit.

      --
      If you're a zombie and you know it, bite your friend!
    16. Re:159357 popular with lefties? by renoX · · Score: 2, Insightful

      >>I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

      As a semy-lefty, I disagree for me the reason why leftie don't use the mouse with their left-hand is that it's easy enough with their right hand so they don't change it.
      It takes a lot of time and effort to learn to write, not so much using a mouse..

    17. Re:159357 popular with lefties? by Scaba · · Score: 3, Funny

      You just aren't experienced at recognizing left-handed porn.

    18. Re:159357 popular with lefties? by ajlisows · · Score: 2, Insightful

      I worked in a desktop support capacity for a company some years back that had a pretty good number of lefties that had the mouse on the left side of the keyboard with the buttons switched around. I think it is one of those things that if one lefty in a corporate environment figures it out, other southpaws take note and ask how it is done.

    19. Re:159357 popular with lefties? by ShieldW0lf · · Score: 3, Insightful

      I'd suggest using sentences, taking the first letter from each word.

      "I was born in Timbuktu in 72 and I don't know what to do!" turns into "IwbiTi72aIdkwtd!"

      16 characters, upper and lower case, numbers and punctuation, and it's practically impossible to forget.

      You can also program yourself this way.

      "I will get up at 8 and not be late for work!" turns into "Iwgua8anblfw!", which is still strong, but also causes you to repeat the phrase to yourself every time you log in, so maybe you won't get canned for showing up at your desk at quarter to 10.

      --
      -1 Uncomfortable Truth
  2. And so... by Anonymous Coward · · Score: 2, Interesting

    someone 'analyzed' another password list for correlations and found nothing of inherit value to security of than 'people are a problem'.

    Chalk yet one up for the Adams team.

  3. passwords by kohaku · · Score: 5, Funny

    What the hell, Slashdot? Stop posting all my passwords!

  4. The horrible problem by Z00L00K · · Score: 4, Insightful

    It's a horrible problem of having leaked passwords, and the only way around it is to avoid logging the cleartext password and do a hash of the password combined with a salt before storing it.

    In that way it's at least not too easy to recreate the password used by various users.

    It's of course standard procedure, but it just makes it evident how incredibly trivial some systems are built.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:The horrible problem by qw0ntum · · Score: 4, Interesting

      From my perusal of TFA, I think the passwords were actually hashed in the DB, but the guy who cracked the site broke them: http://hackedphpbb.blogspot.com/

      The response from phpBB.com seemed to indicate that the only passwords that were cracked were from those accounts that had been created in an older system, and had not logged in under the newer system. Given the large number of spam accounts on that site, I wonder if the majority of those cracked, not recently logged in accounts were spam accounts, and as such if the passwords are not representative of the userbase at large: http://area51.phpbb.com/phpBB/viewtopic.php?f=3&t=29973

      --
      'Every story, if continued long enough, ends in death.' --Ernest Hemingway
    2. Re:The horrible problem by slackergod · · Score: 4, Interesting

      I agree... it just plain scares me that so many large systems don't even bother with such trivial precautions as hashing. It's even more trivial than sql injections. Up until it happened, I would have _never_ guessed myspace & phpbb stored plaintext. It seems borderline incompetent.

      I've implemented tons of little one-off account systems, for websites small enough they'll probably never even see a hacker. But before I even implemented the first one, I went through the trouble of finding the best password hash algorithm I could (http://people.redhat.com/drepper/SHA-crypt.txt)

      Sure, I've had customers ask "why can't it just email me my password when I forget?" But you know what? Just a few minutes of quick explanation, and even people with NO math or cs background can understand why it's important.

      So for the love of the gods, people, please take an hour out of your time to put in a hash alg (even md5-crypt is better than nothing)... it's just not that hard.

      ---

      Just to go off on a rant here...
      I've also noticed in some web applications there is the tendency to just pick a hash alg at random. Be warned: not all hash algorithms are created equal.

      "Checksum" algorithms such as CRC32 are woefully insufficient: easy to reverse (for small strings), easy to find collisions. They're basically just one guessable step away from plaintext.

      "Integrity" algorithms such as MD5 & SHA are a little better, since they're very hard to reverse, and difficult to find collisions.
      The problem with using these types of hashes directly is that they will always hash a password to the _same_ string. While that's desirable for their purposes (file integrity, etc), that's not good at all for passwords: you can pre-build a table of known mappings beforehand, and use it to quickly guess many passwords in parallel (aka a rainbow table): Given a table of 10k user passwords hashed like this, and a pre-built table, the odds are very good you'll get a significant number of the passwords in a very short amount of time.

      This is why a proper "Password" hash (eg bcrypt, md5-crypt, sha-crypt) includes a "salt" which is randomly generated each time the password is set (and not just the first time). This prevents the rainbow attacks which are possible on plain integrity hashes. But prepending (or appending) the salt is not enough, because since it's effect can be undone mathematically, at least enough so that it presents no real additional barrier.

      Genuine password hashes, while using an integrity hash their basis, mix & blend the password and the salt in so many variable ways as to make this reversal impossible. And there are so many nuances here that _you should not roll your own_ (unless you're Bruce Schneier). Read bcrypt, sha-crypt or md5-crypt's specs for some details.

      Note: don't use the old unix-crypt, while it is a password hash in the strict sense, it's so old and simple, it's barely stronger than crc32.

      Note: sha-crypt adds additional flexibility via it's "rounds" system, allowing it to easily grow more complicated as computers grow more powerful. This is why I prefer it above all the others.

      End rant: all this is why you should use sha-crypt or md5-crypt, and nothing lesser.

    3. Re:The horrible problem by NeoThermic · · Score: 3, Insightful

      Just to put a huge hole in your rant, the passwords in question *were* md5'ed. They were only in md5 format because they were passwords left unconverted since the hash algo changed in phpBB3. To convert them, it requires the user in question to log in just once post-conversion. The accounts cracked had not done that and were thus very unused accounts.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    4. Re:The horrible problem by filesiteguy · · Score: 2, Informative

      It is a horrible problem. PHPbb, however, does not store in plaintext. Under versions 1x and 2x, they were stored as MD5. Realizing this was still insecure, they changed to a stronger hash algorithm. However, the software that was hacked - the mailing list- still stored many of the passwords under the 2.x formula. Those who had logged in under 3.x had their passwords changed and are not susceptible.

      --
      The Kai's Semi-Updated Website Thingy
    5. Re:The horrible problem by asdfghjklqwertyuiop · · Score: 4, Insightful

      When most of your users are chosing passwords like "password" and "1234" no hashing is going to help. Those are the first things anyone will try when using brute force.

      Hashing would buy competent, caring* users with strong passwords a little bit of time to change their password, assuming the intrusion is discovered and the users are notified quickly enough.

      *: That's another mistake a lot of site designers make: assuming that the users care about the security of the accounts they set up. Many times the users simply want access to some content on a web site and once they have it couldn't care less about their account. It was just a meaningless hoop they had to jump through to get something. If the compromise affects the web site more than its users then its time to stop making people create an account for every little thing so your marketing department can gather personal information.

    6. Re:The horrible problem by sakdoctor · · Score: 5, Informative

      If you're going to rant about encryption then get modded +5, try to be factually correct so you don't mislead people.

      CRC32 is a checksum algorithm.
      Integrity algorithm - This doesn't mean anything!
      MD5 and SHA1 are both hash algorithms.
      MD5 is weak because it's not not collision resistant.
      SHA256 and up are recommended.

      For passwords simply appending the salt is sufficient. Hashes are not reversible. They can't be "undone mathematically".

      There is a related issue called an extension attack, where data can be added without knowing the original hash value. For that you need an HMAC which is the correct way to incorporate ("mix and blend") a secret key with data.

      Avoid adding rounds to weak hashes. Pick a larger hash. A 512bit hash has 1.3 Ã-- 10^154 possible outputs!

      Do not reinvent the hash.
      Do not reinvent the HMAC.
      Learn the proper application of both.

    7. Re:The horrible problem by Anonymous Coward · · Score: 2, Informative

      Did you even read the parent? The passwords were hashed with MD5. No cleartext you nitwit.

      MD5 is weak and the attacker(s) got the passwords by reversing the MD5 hash. Or at least obtained passwords with the same hash (ie. collisions in the MD5 space).

  5. Passwords are the Problem by SolarStorm · · Score: 5, Interesting

    With so many other methods of user verification why do we still continue with passwords? My work uses so many passwords for each application, and forces you to change them montly, and some of them force you to use different passwords, that you can look at any monitor and find a postit note with complete access to the system. When I mentioned this to the SA's. They said they need all of the passwords for security? Why not use thumbprints or cards for verification like the hospital I used to work at? Never typed a single password. Had to take the gloves off once or twice, but never a password.

    1. Re:Passwords are the Problem by Penguin+Follower · · Score: 3, Informative

      I work for the IT staff of a hospital. Fingerprint readers cause us a headeache because the hardware does not work reliably. We recently started shopping for new vendors for finger print readers (trying to find one that works more reliably). Both of the new vendors came in to show us their hardware and couldn't get them to work with at least 90% reliability. We're looking at other forms of authentication now. Problem being, we have to have two forms of identification due to the state board of pharmacy. It was going to be fingerprint readers and passwords... now looks like maybe RSA tokens and passwords instead. We use RSA already and that system doesn't give us many problem at all.

    2. Re:Passwords are the Problem by zippthorne · · Score: 3, Insightful

      Fingerprint readers solve the "username" part of authentication. Not the "password" part.

      --
      Can you be Even More Awesome?!
  6. Re:Left and right reversed? by chillax137 · · Score: 3, Informative

    The idea is that lefties are mousing with their left hands - they have the right hand free to do the typing.

    --
    chillax137
  7. Comment removed by account_deleted · · Score: 2, Funny

    Comment removed based on user account deletion

  8. Re:Left and right reversed? by argent · · Score: 5, Funny

    That's the first time I've heard of one-handed typing being commonplace. I thought it was restricted to certain kinds of websites. :)

  9. Re:Left and right reversed? by Ian+Alexander · · Score: 4, Insightful

    I've never moused with my left hand on anything approaching a regular basis- it's simply too awkward. I was just taught to use my right hand to mouse like everyone else in elementary school so that's what I do.

    --Southpaw

  10. Inaccurate by DarkAnt · · Score: 5, Funny

    Sex and God are not even on the list.

    1. Re:Inaccurate by MRe_nl · · Score: 5, Funny

      from a link/article:(Pearlady said, on January 6th, 2009 at 10:35 am)
      "Just had to mention hearing about the man who wanted to use "Penis" as his password, but the computer threw it out because it wasn't long enough.....

      --
      "Kill 'em all and let Root sort 'em out"
    2. Re:Inaccurate by Zwicky · · Score: 3, Funny

      Problem solved. My password is 'sexgod'

      What? I can dream!

      --
      "Three eyes are better than one" -- Lieutenant Columbo
  11. Are they the problem? by khasim · · Score: 5, Insightful

    someone 'analyzed' another password list for correlations and found nothing of inherit value to security of than 'people are a problem'.

    People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?

    Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.

    So do not focus on "strong" passwords as your only defense against attack.

    One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.

    Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.

    There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.

    For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.

    People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.

    1. Re:Are they the problem? by cripkd · · Score: 2

      Sorry, but why is writting down password secure? Maybe i don;t get this point. Thing is I never understood why amdins preffer those random generated passwords, like df@w7#5tyyyj
      Those will be writtend down. In notebooks or files on the computer, in unprotected folders. I've seen people emailing themselves some new password. Thats very secure too, when you use some obscure email provider (for various reasons).
      I use sentences as passwords, with or without spaces between words. You can't forget those, human minds are wired to remember patterns, groups of words. And the posibilities are huge, making it very hard to crack unless you use stuff like 'Luke, i'm your father' or 'There is no spoon'.

      --
      Curiously yours, crip.
    2. Re:Are they the problem? by Glendale2x · · Score: 5, Insightful

      The other problem is that every damn thing on the internet now requires a login and password - so much that we start using crap passwords like "asdf" for sites like your phpbb forum login, which happens to be the same as the other 50 forums you have accounts on or ever needed to register for to ask a one-off question.

      --
      this is my sig
    3. Re:Are they the problem? by LihTox · · Score: 3, Insightful

      I did think of that, but I still say passwords need to be treated like credit card numbers, and that includes allowing for the possibility that they are stolen. If it's possible that, just by knowing your password, a crook can liquidate your assets with no recourse for you, then a password is inadequate security no matter how often you have them changed or how complicated they are. Or alternatively, people need to be insured against that sort of thing happening.

    4. Re:Are they the problem? by Cthefuture · · Score: 3, Informative

      Exactly.

      OpenID is suppose to help with that. It seems to be slowly gaining support but is still not nearly pervasive enough. It has the advantage of supporting much stronger multi-factor based authentication if you want it (smartcards, etc) and its decentralized nature means you're not putting all your eggs in one basket like most other single sign on solutions.

      --
      The ratio of people to cake is too big
  12. Colemak/Dvorak patterns? by ethana2 · · Score: 2, Interesting

    How many key patterns are used by people who type with dvorak or colemak? I've always liked the extra security that comes with using an obscure (albeit superior) keyboard layout ;)

  13. Re:Left and right reversed? by cslax · · Score: 5, Funny

    I use the mouse with either hand, if the hand gets tired I switch hands.

    Can be misinterpreted in so many ways.

  14. Group passwords and write 'em down by chill · · Score: 3, Interesting

    I group passwords two ways.

    1. Sites that have no personal info or I don't really give a damn about. Those share 2 or 3 different passwords depending on their lame (no special characters!) requirements. Pick two words, use 7334 spelling and separate them by a punctuation mark. For example "mad money" becomes "M@d;m0n3y". Good luck guessing stuff like that.

    2. Sites that I care about, like online banking or ones that contain personal information (LinkedIn, for example), have random line noise for passwords and I just write them down. There is a notebook in my desk with all the passwords. The desk is locked and in my home office. That is far more secure than trying to make them easy enough to memorize.

    3. If you use Firefox, make sure you use a Master Password if you allow it to remember passwords.

    Someone posted this earlier and it is a useful BASH script.

    dd if=/dev/random bs=200 count=1 | tr -cd 'A-Za-z0-9!@#$%^&*()_+'; echo

    Copy a group of 10-15 out of the middle of that and use it for a password.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Group passwords and write 'em down by CoolQ · · Score: 2, Interesting

      Much simpler:

      openssl rand -base64 32 | head -c 10

      Where "10" is the number of characters you want.

      --Quentin

  15. even on /. I'm a weirdo! by Scrameustache · · Score: 2, Funny

    I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

    I have mice on both sides.
    I'm almost ambidextrous so this way I can reach for a mouse with whichever hand isn't currently holding my coffee.

    I do get a lot of "oh, you're left handed?" from people who see me reach for things with my left hand though. I never understood why people limit themselves to 50% of their usable hands.

    --

    You can't take the sky from me...

  16. Re:Left and right reversed? by swilly · · Score: 3, Funny

    Are you suggesting that those sites aren't commonplace?

  17. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  18. Who needs this? by Javagator · · Score: 4, Funny

    Who needs a list of the 500 worst passwords. What we need is a list of the 500 best passwords.

  19. I keep my password simple.... by Anonymous Coward · · Score: 3, Funny

    I keep it the same as my cat's name, so it's easy to remember. My cat's name is HZpn8BINlP5Lows2Y@z2I%L!Cvlga&GE128 but I change it every month.

  20. No Geek Card For You!!! by supernova_hq · · Score: 2, Funny

    Dude, you actually had to google 159357 to realize it was a num-pad thing? Time to hand in his geek card Robert!!!