[kictanet] Hacked password list offers security insights

Tue Feb 10 08:18:54 EAT 2009

On Tue, Feb 10, 2009 at 1:27 AM, Evans Kahuthu <ekahuthu at comtechltd.co.ke>wrote:

> Recently a niche programming-oriented website called phpbb.com had its
> user database hacked into and the passwords for 20,000 members stolen. The
> hacker who broke in then posted the account info and passwords online for
> the world to see. And while this is really bad news for those 20,000 unlucky
> souls, it offers an instructive lesson on password security
> <http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html>for
> the rest of us.
>
> InformationWeek analyzed the hacked password list and found a number of
> interesting trends in the data, primarily revolving around the fact that
> most people do exactly what they've been told *not* to do since passwords
> were first invented.
>
> Author/analyst Robert Graham has tons of analysis on offer. I'm ordering my
> favorite/most enlightening data points from the piece here, starting with
> the most interesting. On thing to remember: These passwords are from a group
> of people interested in computer programming, so if anyone should know
> better, it's these guys.
>
> > The most popular password (3.03% of the 20,000) was "123456." It's also
> generally considered the most common password used today<http://www.whatsmypass.com/?p=415>.
>
>
> > 4 percent used some variant of the word "password." Seriously, people,
> there's no excuse for this one. "password" was the 2nd most popular password
> used, also in keeping with historical trends.
>
> > 16 percent of passwords were a person's first name. No word on if it was
> *their* first name, but someone's. Joshua is the most commonly used
> first-name password, a likely reference to the movie *WarGames*.
>
> > Patterns abound. In addition to "123456," other pattens like "12345,
> "qwerty," and "abc123" were common, comprising 14 percent of the passwords
> used.
>
> > 35 percent of passwords were six characters long. 0.34 percent were only
> one character long.
>
> > For reasons no one can explain, "dragon," "master," and "killer" all
> crack the top 20 passwords. (On the top 500 password list linked above,
> "dragon" is #7.)
>
> > One thing Graham doesn't discuss is that phpbb.com is really just a
> message board, and many users may simply have not cared about the security
> of their passwords here (unlike, say, with a bank account). In other words,
> they may very well have intentionally chosen something simplistic here to
> avoid re-using a password they save for an important login, just in case
> this site got hacked. Which, it turns out, it did.
>
> I could go on, but Graham's post has way more detail than I can digest here
> and it's easy-reading too. Worth a close look for any citizen of the web.
>

Personally, I believe noone really cares about the strength (or lack of) the
passwords they use on community sites. To start with, there is a stage in
the registration process into such sites (or Bulletin Boards if you may call
them) which warns you NOT TO USE any of your sensitive passwords that you
use elsewhere. Given that noone really stores any sensitive material on such
sites it's not uncommon to simply use 123456 (because the registration
system insists on your password having at least six characters) or something
like "letmein".
I don't believe it was "really bad news for the 20,000 unlucky souls" at
all. Rather, the lesson to be learn here, IMHO, is by those souls deploying
systems that are accessible to the hostile Internet to take seriously
security considerations for those systems.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"The only time a woman really succeeds in changing a man is when he is a
baby."
                             - Natalie Wood
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20090210/13f454c0/attachment.htm>