From bipin.gautam at gmail.com Sat Feb 7 08:35:16 2009
From: bipin.gautam at gmail.com (Bipin Gautam)
Date: Sat, 7 Feb 2009 19:20:16 +0545
Subject: [Sysops-list] fwd : phpbb.com hacked...
In-Reply-To: <162070.4491.qm@web51010.mail.re2.yahoo.com>
References: <162070.4491.qm@web51010.mail.re2.yahoo.com>
Message-ID: <754924960902070535v66c4430dwd6ad0d936438b04c@mail.gmail.com>

---[BRIEF]---
view: http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html

Recently, a popular website "phpbb.com" was hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals, because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords. The striking difference between the two incidents is that the phpbb passwords are simpler. 35% of passwords are 6 characters.

Here are the top 20 passwords from the phpbb dataset:

3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

Why are "dragon", "master", and "killer" so popular? Since the phpbb dataset includes e-mail addresses, I'm thinking of e-mailing the people and asking them why they chose that particular password. Likewise, while I know that "trustno1" was a password used in the X-Files, I forget where "letmein" and "monkey" come from (I know they were used in movies/tv, I just forget which ones).
The password length distribution is as follows:

1 character    0.34%
2 characters   0.54%
3 characters   2.92%
4 characters  12.29%
5 characters  13.29%
6 characters  35.16%
7 characters  14.60%
8 characters  15.50%
9 characters   3.81%
10 characters  1.14%
11 characters  0.22%

# various dictionary files, and come up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple things, like "apple" or "orange", rather than complex words like "pomegranate".
# 16% of passwords matched a person's first name.
# 14% of passwords were patterns on the keyboard.
# 4% are variations of the word "password".
# 5% of passwords are pop-culture references.
# 4% of passwords appear to reference things nearby.

....and read more from the original url ;)
http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html

--- [ This is NepSecure Mailing list ] ---
Nepali computer security and hacking community
http://groups.google.com/group/NepSecure/about
-------------------------------------------------------
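The forwarded post describes the kind of analysis behind the numbers above (top-N frequency table, length distribution, dictionary match rate, keyboard-row patterns) without showing the program. The following is an added example, not the blog author's or the mailing list's code, of how a defender would run the same measurements over a password list they are authorised to audit (for example a cracked-hash review of their own user base). The sample passwords, the tiny "simple English" dictionary and the keyboard-row table are all constructed for the example; the real phpbb dataset is not used.

```python
from collections import Counter

# Constructed sample list standing in for an audited password dump (not the phpbb data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456",
    "password", "password", "password",
    "phpbb", "qwerty", "dragon", "letmein", "apple", "Orange", "monkey",
    "trustno1", "a", "12", "asdfgh", "pomegranate", "654321",
]

# Constructed stand-in for a "simple English dictionary"; a real audit would load a word list file.
SIMPLE_DICTIONARY = {
    "password", "dragon", "apple", "orange", "monkey",
    "master", "killer", "hello", "test",
}

# Assumed US QWERTY rows used to detect "patterns on the keyboard" (runs of adjacent keys).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def top_passwords(passwords, n=20):
    """Return the n most frequent passwords as (password, percent of all passwords).

    Ties are broken alphabetically so the output is deterministic.
    """
    total = len(passwords)
    counts = Counter(passwords)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(pw, round(100.0 * c / total, 2)) for pw, c in ranked[:n]]


def length_distribution(passwords):
    """Map each password length to the percent of passwords having that length."""
    total = len(passwords)
    counts = Counter(len(pw) for pw in passwords)
    return {length: round(100.0 * counts[length] / total, 2) for length in sorted(counts)}


def dictionary_match_rate(passwords, dictionary):
    """Percent of passwords that are exactly a dictionary word, compared case-insensitively."""
    words = {w.lower() for w in dictionary}
    hits = sum(1 for pw in passwords if pw.lower() in words)
    return round(100.0 * hits / len(passwords), 2)


def is_keyboard_pattern(pw, min_len=3):
    """True if pw is a run of at least min_len adjacent keys along one row, forward or reversed."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def keyboard_pattern_rate(passwords):
    """Percent of passwords that are keyboard-row walks such as 'qwerty' or '654321'."""
    hits = sum(1 for pw in passwords if is_keyboard_pattern(pw))
    return round(100.0 * hits / len(passwords), 2)


def summarize(passwords, dictionary, top_n=5):
    """Bundle the four measurements into one report dict for a policy review."""
    return {
        "top": top_passwords(passwords, top_n),
        "lengths": length_distribution(passwords),
        "dictionary_pct": dictionary_match_rate(passwords, dictionary),
        "keyboard_pct": keyboard_pattern_rate(passwords),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_PASSWORDS, SIMPLE_DICTIONARY)
    print("Top passwords:")
    for pw, pct in report["top"]:
        print(f"  {pct:5.2f}% {pw!r}")
    print("Length distribution:")
    for length, pct in report["lengths"].items():
        print(f"  {length:2d} chars {pct:5.2f}%")
    print(f"Dictionary matches: {report['dictionary_pct']}%")
    print(f"Keyboard patterns:  {report['keyboard_pct']}%")
```

The percentages are computed against the whole list, as in the post, so a password that is both a dictionary word and a top-20 entry is counted in each category; the categories are not meant to sum to 100%. On a real audit the interesting output is the dictionary and keyboard rates: a high value is a direct measure of how much of the user base a simple wordlist would cover, which is the argument for a denylist of known-bad passwords in the password policy.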