Slashdot Mirror


Passwords From PHPBB Attack Analyzed

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"
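Graham's "keyboard pattern" category above can be detected mechanically. The following is an added example written for this page, not Graham's own analysis tool: it models the US QWERTY layout and the numeric keypad as grids, flags a password either as a walk across neighbouring keys (qwerty, 1q2w3e) or as straight runs joined by jumps (1qaz2wsx, and the keypad diagonals of 159357), and reports what share of a constructed sample list matches. The layouts, the run-length threshold and the sample list are assumptions made for the demonstration.

```python
# Added example for this page: a heuristic detector for the "keyboard pattern"
# category in Graham's summary. Not Graham's tool; the layouts, the thresholds
# and the sample password list below are assumptions made for the demonstration.

# US QWERTY rows without stagger offsets, plus the numeric keypad (7 8 9 on top).
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
KEYPAD_ROWS = ["789", "456", "123"]

def _coords(rows):
    return {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}

LAYOUTS = {"qwerty": _coords(QWERTY_ROWS), "keypad": _coords(KEYPAD_ROWS)}

def _unit(step):
    """True for a move to one of the 8 neighbouring keys."""
    return max(abs(step[0]), abs(step[1])) == 1

def _steps(password, coords):
    """(row delta, col delta) between consecutive keys; None if any key is off this layout."""
    points = [coords.get(ch) for ch in password.lower()]
    if len(points) < 2 or None in points:
        return None
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]

def _is_walk(steps):
    """Every key is a neighbour of the previous one: qwerty, 1q2w3e, 0987."""
    return all(_unit(s) for s in steps)

def _is_line_sequence(steps, min_keys=3):
    """Straight runs of >= min_keys keys (row, column or diagonal), joined by
    arbitrary jumps: 1qaz|2wsx, 159|357.  A run of k keys is k-1 identical unit
    steps; the single step between two runs is unconstrained."""
    n = len(steps)
    ok = [False] * (n + 1)          # ok[i]: steps[i:] starts a run and partitions cleanly
    for i in range(n - 1, -1, -1):
        for j in range(i + min_keys - 1, n + 1):
            run = steps[i:j]
            if len(set(run)) != 1 or not _unit(run[0]):
                break               # a longer run from i cannot be straight either
            if j == n or (j + 1 < n and ok[j + 1]):
                ok[i] = True
                break
    return ok[0]

def keyboard_pattern(password):
    """Return a label such as 'qwerty walk' or 'keypad lines', or None."""
    for name, coords in LAYOUTS.items():
        steps = _steps(password, coords)
        if steps is None:
            continue
        if _is_walk(steps):
            return f"{name} walk"
        if _is_line_sequence(steps):
            return f"{name} lines"
    return None

# Constructed sample, not the phpbb.com list.
SAMPLE = ["123456", "password", "qwerty", "1qaz2wsx", "1q2w3e",
          "159357", "letmein", "asdf", "abc123", "phpbb"]

def pattern_share(passwords):
    """Fraction of the list that is a keyboard pattern (Graham reports 14%)."""
    hits = [p for p in passwords if keyboard_pattern(p)]
    return len(hits) / len(passwords) if passwords else 0.0

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:12s} {keyboard_pattern(p)}")
    print(f"share: {pattern_share(SAMPLE):.0%}")
```

The two tests are deliberately separate: the adjacency walk catches zig-zags like 1q2w3e whose direction changes at every key, while the run-splitting catches 159357, whose 9 to 3 hop is not a neighbour move on the keypad but sits between two clean diagonals. A password that is not a pattern on one layout is retried on the other, which is how the keypad reading of 159357 surfaces.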

12 of 299 comments

  1. 159357 popular with lefties? by LordKaT · · Score: 5, Funny

    The numeric keypad is on the right ... how exactly does this work out?

    1. Re:159357 popular with lefties? by Anonymous Coward · · Score: 5, Informative

      As in : left hand on the mouse, right hand free to type something ?

    2. Re:159357 popular with lefties? by auric_dude · · Score: 5, Funny

      Nothing too sinister about being left handed.

  2. passwords by kohaku · · Score: 5, Funny

    What the hell, Slashdot? Stop posting all my passwords!

  3. Passwords are the Problem by SolarStorm · · Score: 5, Interesting

    With so many other methods of user verification why do we still continue with passwords? My work uses so many passwords for each application, and forces you to change them monthly, and some of them force you to use different passwords, that you can look at any monitor and find a post-it note with complete access to the system. When I mentioned this to the SAs, they said they need all of the passwords for security? Why not use thumbprints or cards for verification like the hospital I used to work at? Never typed a single password. Had to take the gloves off once or twice, but never a password.

  4. Re:Left and right reversed? by argent · · Score: 5, Funny

    That's the first time I've heard of one-handed typing being commonplace. I thought it was restricted to certain kinds of websites. :)

  5. Inaccurate by DarkAnt · · Score: 5, Funny

    Sex and God are not even on the list.

    1. Re:Inaccurate by MRe_nl · · Score: 5, Funny

      From a link/article (Pearlady said, on January 6th, 2009 at 10:35 am):
      "Just had to mention hearing about the man who wanted to use "Penis" as his password, but the computer threw it out because it wasn't long enough....."

      --
      "Kill 'em all and let Root sort 'em out"
  6. Are they the problem? by khasim · · Score: 5, Insightful

    Someone 'analyzed' another password list for correlations and found nothing of inherent value to security other than 'people are a problem'.

    People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?

    Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.

    So do not focus on "strong" passwords as your only defense against attack.

    One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.

    Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.

    There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.

    For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.

    People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.

    1. Re:Are they the problem? by Glendale2x · · Score: 5, Insightful

      The other problem is that every damn thing on the internet now requires a login and password - so much that we start using crap passwords like "asdf" for sites like your phpbb forum login, which happens to be the same as the other 50 forums you have accounts on or ever needed to register for to ask a one-off question.

      --
      this is my sig
  7. Re:Left and right reversed? by cslax · · Score: 5, Funny

    I use the mouse with either hand, if the hand gets tired I switch hands.

    Can be misinterpreted in so many ways.

  8. Re:The horrible problem by sakdoctor · · Score: 5, Informative

    If you're going to rant about encryption then get modded +5, try to be factually correct so you don't mislead people.

    CRC32 is a checksum algorithm.
    Integrity algorithm - This doesn't mean anything!
    MD5 and SHA1 are both hash algorithms.
    MD5 is weak because it's not collision resistant.
    SHA256 and up are recommended.

    For passwords simply appending the salt is sufficient. Hashes are not reversible. They can't be "undone mathematically".

    There is a related issue called an extension attack, where data can be added without knowing the original hash value. For that you need an HMAC which is the correct way to incorporate ("mix and blend") a secret key with data.

    Avoid adding rounds to weak hashes. Pick a larger hash. A 512-bit hash has 1.3 × 10^154 possible outputs!

    Do not reinvent the hash.
    Do not reinvent the HMAC.
    Learn the proper application of both.
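The extension attack sakdoctor refers to is easy to see with a hash whose internal state can be seeded. The following is an added example for this page, not sakdoctor's code: it implements a minimal SHA-1 that can resume from a given state, forges a valid tag for an extended message against the naive construction SHA1(key || message) without knowing the key, and then runs the same trick against HMAC-SHA1 from the standard library to show it fails. The key, message and appended data are constructed for the demonstration.

```python
# Added example for this page: a minimal SHA-1 whose internal state can be
# seeded, used to carry out the length-extension attack sakdoctor mentions
# against a naive tag = SHA1(key || message), and to show that HMAC resists it.
# The key, message and appended data are constructed for the demonstration.
import hashlib
import hmac
import struct

_H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_padding(total_len):
    """Merkle-Damgard padding for a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha1(data, state=_H0, prior_len=0):
    """SHA-1 of data.  With state/prior_len, resume as if prior_len bytes
    (a multiple of 64) had already been absorbed into state."""
    h = list(state)
    msg = data + sha1_padding(prior_len + len(data))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)

def naive_tag(key, message):
    return sha1(key + message)                      # the construction the attack targets

def extend(tag, message, key_len, extra):
    """Attacker: knows tag, message and the key length, not the key.  Returns the
    suffix to append and the tag that naive_tag(key, message + suffix) will yield."""
    glue = sha1_padding(key_len + len(message))     # the padding the server hashed
    state = struct.unpack(">5I", tag)               # the tag is the chaining state
    forged_tag = sha1(extra, state, key_len + len(message) + len(glue))
    return glue + extra, forged_tag

KEY = b"s3cret-key-16byt"                            # constructed; attacker never sees it
MESSAGE = b"user=guest&role=member"
EXTRA = b"&role=admin"

def demo():
    """Return (sha1 matches hashlib, naive tag forged, hmac tag forged)."""
    correct = sha1(b"abc") == hashlib.sha1(b"abc").digest()
    tag = naive_tag(KEY, MESSAGE)
    suffix, forged = extend(tag, MESSAGE, len(KEY), EXTRA)
    naive_forged = naive_tag(KEY, MESSAGE + suffix) == forged
    # Same trick against HMAC-SHA1: the keyed outer hash breaks the chaining.
    mac = hmac.new(KEY, MESSAGE, "sha1").digest()
    _, attempt = extend(mac, MESSAGE, len(KEY), EXTRA)
    real = hmac.new(KEY, MESSAGE + suffix, "sha1").digest()
    hmac_forged = hmac.compare_digest(real, attempt)
    return correct, naive_forged, hmac_forged

if __name__ == "__main__":
    print(demo())
```

The forged message carries the glue padding inside it, so this only matters where a parser tolerates embedded bytes after the original fields, which URL-style key=value strings typically do. The attacker needs the key length, but that is a small search. HMAC survives because the tag is SHA1((key ^ opad) || inner), so the published tag is not the chaining state of anything the attacker can continue.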