<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="State"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0mm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0mm;
mso-margin-bottom-alt:auto;
margin-left:0mm;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>When you consider the way these passwords are
usually stored (sometimes on simple MSAcces databases or other databases without
encrypting the password field) by the website designers on some of these
websites. I agree it is very wise not to put serious passwords on such websites
as they do not serve their purpose anyway. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I personally use very weak passwords on
such websites too. Let them hack an e-banking website then rewrite the story. The
statistics will make more sense then.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
kictanet-bounces+jkagwe=kippra.or.ke@lists.kictanet.or.ke
[mailto:kictanet-bounces+jkagwe=kippra.or.ke@lists.kictanet.or.ke] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Odhiambo <st1:State w:st="on"><st1:place
w:st="on">Washington</st1:place></st1:State><br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, February 10, 2009
8:19 AM<br>
<b><span style='font-weight:bold'>To:</span></b> James Kagwe<br>
<b><span style='font-weight:bold'>Cc:</span></b> KICTAnet ICT Policy
Discussions<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [kictanet] Hacked
password list offers security insights</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Tue, Feb 10, 2009 at 1:27 AM, Evans Kahuthu <<a
href="mailto:ekahuthu@comtechltd.co.ke">ekahuthu@comtechltd.co.ke</a>>
wrote:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Recently a niche programming-oriented website called <a
href="http://phpbb.com" target="_blank">phpbb.com</a> had its user database
hacked into and the passwords for 20,000 members stolen. The hacker who broke
in then posted the account info and passwords online for the world to see. And
while this is really bad news for those 20,000 unlucky souls, it offers an <a
href="http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html"
target="_blank"><font color="#005699"><span style='color:#005699'>instructive
lesson on password security </span></font></a>for the rest of us. <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>InformationWeek
analyzed the hacked password list and found a number of interesting trends in
the data, primarily revolving around the fact that most people do exactly what
they've been told <i><span style='font-style:italic'>not</span></i> to do since
passwords were first invented.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>Author/analyst
Robert Graham has tons of analysis on offer. I'm ordering my favorite/most
enlightening data points from the piece here, starting with the most
interesting. On thing to remember: These passwords are from a group of people
interested in computer programming, so if anyone should know better, it's these
guys.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>> The
most popular password (3.03% of the 20,000) was "123456." It's also
generally considered <a href="http://www.whatsmypass.com/?p=415" target="_blank"><font
color="#005699"><span style='color:#005699'>the most common password used today</span></font></a>.
<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>> 4
percent used some variant of the word "password." Seriously, people,
there's no excuse for this one. "password" was the 2nd most popular
password used, also in keeping with historical trends.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>> 16
percent of passwords were a person's first name. No word on if it was <i><span
style='font-style:italic'>their</span></i> first name, but someone's. Joshua is
the most commonly used first-name password, a likely reference to the movie <i><span
style='font-style:italic'>WarGames</span></i>.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>>
Patterns abound. In addition to "123456," other pattens like
"12345, "qwerty," and "abc123" were common, comprising
14 percent of the passwords used.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>> 35
percent of passwords were six characters long. 0.34 percent were only one
character long.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>> For
reasons no one can explain, "dragon," "master," and
"killer" all crack the top 20 passwords. (On the top 500 password
list linked above, "dragon" is #7.) <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>> One
thing Graham doesn't discuss is that <a href="http://phpbb.com" target="_blank">phpbb.com</a>
is really just a message board, and many users may simply have not cared about
the security of their passwords here (unlike, say, with a bank account). In
other words, they may very well have intentionally chosen something simplistic
here to avoid re-using a password they save for an important login, just in
case this site got hacked. Which, it turns out, it did. <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>I could
go on, but Graham's post has way more detail than I can digest here and it's
easy-reading too. Worth a close look for any citizen of the web. <o:p></o:p></span></font></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
Personally, I believe noone really cares about the strength (or lack of) the
passwords they use on community sites. To start with, there is a stage in the
registration process into such sites (or Bulletin Boards if you may call them)
which warns you NOT TO USE any of your sensitive passwords that you use
elsewhere. Given that noone really stores any sensitive material on such sites
it's not uncommon to simply use 123456 (because the registration system insists
on your password having at least six characters) or something like
"letmein".<br>
I don't believe it was "really bad news for the 20,000 unlucky souls"
at all. Rather, the lesson to be learn here, IMHO, is by those souls deploying
systems that are accessible to the hostile Internet to take seriously security
considerations for those systems.<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>-- <br>
Best regards,<br>
Odhiambo WASHINGTON,<br>
<st1:City w:st="on"><st1:place w:st="on">Nairobi</st1:place></st1:City>,KE<br>
+254733744121/+254722743223<br>
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ <br>
"The only time a woman really succeeds in changing a man is when he is a
baby."<br>
- Natalie Wood<o:p></o:p></span></font></p>
</div>
</body>
</html>