fwd : phpbb.com hacked...


Bipin Gautam

Feb 7, 2009, 8:35:16 AM2/7/09
to NepSecure, Intelligence-Studies, sysops-list, foss-...@googlegroups.com
---[BRIEF]---
view: http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html

Recently, a popular website "phpbb.com" was hacked. The hacker
published approximately 20,000 user passwords from the site. This is
like candy to us security professionals, because it's hard data we can
use to figure out how users choose passwords. I wrote a program to
analyze these passwords looking for patterns, and came up with some
interesting results.

This incident is similar to one two years ago when MySpace was hacked,
revealing about 30,000 passwords. Both Wired and InfoWorld published
articles analyzing the passwords.

The striking difference between the two incidents is that the phpbb
passwords are simpler.

35% of passwords are 6 characters. Here are the top 20 passwords from the phpbb dataset:
3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

Why are "dragon", "master", and "killer" so popular? Since the phpbb
dataset includes e-mail addresses, I'm thinking of e-mailing the
people and asking them why they chose that particular password. Likewise,
while I know that "trustno1" was a password used in the X-Files, I
forget where "letmein" and "monkey" come from (I know they were used
in movies/tv, I just forget which ones).

The password length distribution is as follows:

1 character 0.34%
2 characters 0.54%
3 characters 2.92%
4 characters 12.29%
5 characters 13.29%
6 characters 35.16%
7 characters 14.60%
8 characters 15.50%
9 characters 3.81%
10 characters 1.14%
11 characters 0.22%

# various dictionary files, and come up with a 65% match (for a simple
English dictionary) and 94% (for "hacker" dictionaries). The
dictionary words were overwhelmingly simple things, like "apple" or
"orange", rather than complex words like "pomegranate".

# 16% of passwords matched a person's first name.

# 14% of passwords were patterns on the keyboard

# 4% are variations of the word "password"

# 5% of passwords are pop-culture references

# 4% of passwords appear to reference things nearby.


....and read more from the original url ;)
http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html


--- [ This is NepSecure Mailing list ] ---

Nepali computer security and hacking community
http://groups.google.com/group/NepSecure/about
-------------------------------------------------------
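The forwarded post describes a program that computes a top-20 list, a length distribution, and the share of passwords that are dictionary words, keyboard patterns or variations of "password". The script below is an added example of that kind of corpus audit, not the program from the Dark Reading post; the password list and the dictionary it uses are constructed sample data, and the "keyboard walk" and leet-normalisation rules are assumptions of this example, not the article's definitions. It reports percentages in the same form as the figures quoted above.

```python
"""Audit a plaintext password corpus for the weak-password patterns the post lists.

Added example, not the program described in the Dark Reading post. The corpus,
the dictionary, the keyboard-walk table and the leet map below are all
constructed for illustration.
"""
from collections import Counter
import re

# Constructed sample corpus (not the phpbb dump).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "phpbb",
    "qwerty", "12345", "letmein", "dragon", "apple", "orange",
    "Password1", "passw0rd", "asdfgh", "zxcvbn", "monkey", "killer",
    "pomegranate", "trustno1", "1qaz2wsx", "hello", "Tr0ub4dor&3",
    "correcthorse", "master",
]

# Constructed toy word list standing in for "a simple English dictionary".
SIMPLE_DICTIONARY = {
    "apple", "orange", "dragon", "monkey", "killer", "hello", "master",
    "password", "test", "letmein",
}

# Keyboard rows and a few columns; a password is a "keyboard pattern" if it
# contains a run of min_run adjacent keys along one of these, in either direction.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",      # rows
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",  # columns
]

# Assumed leet-speak substitutions used to fold "passw0rd" onto "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a",
                      "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Lowercase, drop punctuation, strip trailing digits, undo leet."""
    s = re.sub(r"[^a-z0-9@$]", "", pw.lower())
    s = re.sub(r"[0-9]+$", "", s)      # "dragon1" -> "dragon"
    return s.translate(LEET)


def top_n(passwords, n=20):
    """Return [(password, percent)] for the n most common values."""
    total = len(passwords)
    return [(p, round(100.0 * c / total, 2))
            for p, c in Counter(passwords).most_common(n)]


def length_distribution(passwords):
    """Return {length: percent}, keys in ascending order."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return {k: round(100.0 * counts[k] / total, 2) for k in sorted(counts)}


def is_keyboard_pattern(pw, min_run=4):
    """True if pw contains min_run consecutive keys of a row/column walk."""
    s = pw.lower()
    for walk in KEYBOARD_WALKS:
        for start in range(len(walk) - min_run + 1):
            run = walk[start:start + min_run]
            if run in s or run[::-1] in s:
                return True
    return False


def summarize(passwords, dictionary):
    """Percent of the corpus in each weak-password category (categories overlap)."""
    total = len(passwords)

    def pct(k):
        return round(100.0 * k / total, 2)

    return {
        "total": total,
        "dictionary_pct": pct(sum(normalize(p) in dictionary for p in passwords)),
        "keyboard_pct": pct(sum(is_keyboard_pattern(p) for p in passwords)),
        "password_variant_pct": pct(sum("password" in normalize(p) for p in passwords)),
    }


if __name__ == "__main__":
    for pw, share in top_n(SAMPLE_PASSWORDS, 5):
        print(f'{share:5.2f}% "{pw}"')
    for length, share in length_distribution(SAMPLE_PASSWORDS).items():
        print(f"{length} characters {share:.2f}%")
    print(summarize(SAMPLE_PASSWORDS, SIMPLE_DICTIONARY))
```

The categories are not exclusive: "123456" is counted as a digit-row keyboard walk, and "Password1" is both a dictionary word and a "password" variant, so the percentages do not sum to 100. On a real corpus the toy dictionary would be replaced by a full word list, and the same functions can be pointed at a site's own password-policy test set to see how much of it a simple dictionary or keyboard-walk rule would reject.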
