[kictanet] Hacked password list offers security insights

James Kagwe jkagwe at KIPPRA.OR.KE
Wed Feb 11 15:44:07 EAT 2009


When you consider the way these passwords are usually stored (sometimes
on simple MSAcces databases or other databases without encrypting the
password field) by the website designers on some of these websites. I
agree it is very wise not to put serious passwords on such websites as
they do not serve their purpose anyway. 

 

I personally use very weak passwords on such websites too. Let them hack
an e-banking website then rewrite the story. The statistics will make
more sense then.

 

________________________________

From: kictanet-bounces+jkagwe=kippra.or.ke at lists.kictanet.or.ke
[mailto:kictanet-bounces+jkagwe=kippra.or.ke at lists.kictanet.or.ke] On
Behalf Of Odhiambo Washington
Sent: Tuesday, February 10, 2009 8:19 AM
To: James Kagwe
Cc: KICTAnet ICT Policy Discussions
Subject: Re: [kictanet] Hacked password list offers security insights

 

On Tue, Feb 10, 2009 at 1:27 AM, Evans Kahuthu
<ekahuthu at comtechltd.co.ke> wrote:

Recently a niche programming-oriented website called phpbb.com had its
user database hacked into and the passwords for 20,000 members stolen.
The hacker who broke in then posted the account info and passwords
online for the world to see. And while this is really bad news for those
20,000 unlucky souls, it offers an instructive lesson on password
security
<http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html>
for the rest of us. 

InformationWeek analyzed the hacked password list and found a number of
interesting trends in the data, primarily revolving around the fact that
most people do exactly what they've been told not to do since passwords
were first invented.

Author/analyst Robert Graham has tons of analysis on offer. I'm ordering
my favorite/most enlightening data points from the piece here, starting
with the most interesting. On thing to remember: These passwords are
from a group of people interested in computer programming, so if anyone
should know better, it's these guys.

> The most popular password (3.03% of the 20,000) was "123456." It's
also generally considered the most common password used today
<http://www.whatsmypass.com/?p=415> . 

> 4 percent used some variant of the word "password." Seriously, people,
there's no excuse for this one. "password" was the 2nd most popular
password used, also in keeping with historical trends.

> 16 percent of passwords were a person's first name. No word on if it
was their first name, but someone's. Joshua is the most commonly used
first-name password, a likely reference to the movie WarGames.

> Patterns abound. In addition to "123456," other pattens like "12345,
"qwerty," and "abc123" were common, comprising 14 percent of the
passwords used.

> 35 percent of passwords were six characters long. 0.34 percent were
only one character long.

> For reasons no one can explain, "dragon," "master," and "killer" all
crack the top 20 passwords. (On the top 500 password list linked above,
"dragon" is #7.) 

> One thing Graham doesn't discuss is that phpbb.com is really just a
message board, and many users may simply have not cared about the
security of their passwords here (unlike, say, with a bank account). In
other words, they may very well have intentionally chosen something
simplistic here to avoid re-using a password they save for an important
login, just in case this site got hacked. Which, it turns out, it did. 

I could go on, but Graham's post has way more detail than I can digest
here and it's easy-reading too. Worth a close look for any citizen of
the web. 


Personally, I believe noone really cares about the strength (or lack of)
the passwords they use on community sites. To start with, there is a
stage in the registration process into such sites (or Bulletin Boards if
you may call them) which warns you NOT TO USE any of your sensitive
passwords that you use elsewhere. Given that noone really stores any
sensitive material on such sites it's not uncommon to simply use 123456
(because the registration system insists on your password having at
least six characters) or something like "letmein".
I don't believe it was "really bad news for the 20,000 unlucky souls" at
all. Rather, the lesson to be learn here, IMHO, is by those souls
deploying systems that are accessible to the hostile Internet to take
seriously security considerations for those systems.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
"The only time a woman really succeeds in changing a man is when he is a
baby."
                             - Natalie Wood

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20090211/40b935c8/attachment.htm>


More information about the KICTANet mailing list