Passwords From PHPBB Attack Analyzed

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"

159357 popular with lefties?

[LordKaT]

The numeric keypad is on the right ... how exactly does this work out?

Re:

[Z00L00K]

Works fine with right-hand people too.

I would recommend anyone that can to use accented characters - which will introduce a factor that makes it harder to crack using dictionaries.

"Pásswòrð" maybe?

Re:159357 popular with lefties?

[Carewolf]

Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

Re:

[anss123]

Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

I once set my login password on a Unix account from Windows NT, I was then utterly unable to log on from Linux. At the time I was clueless about keyboard differences so it took some excessive head scratching to figure out.

Re:

[Antique Geekmeister]

Ahh. NumLock keys and kvm's, both local and remote, can create similar problems. Some kvm and system booting system combinations activate the numlock setting without actually setting the light on the keyboard display. This is why it's so useful to have a bit of text space _somewhere_ on the screen that displays what you're actually typing, so you can check how your password is actually popping up, as long as you keep people from looking over your shoulder.

Re:

[AlXtreme]

Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

I had this same problem when I was in France. The solution? Search for 'qwerty' on google images :)

Re:

[Hurricane78]

But for that, you first have to *find* the letters "qwerty", and maybe even "http://google.com" (because IE does not automatically add the http) first.

Good luck, finding them on MY keyboard: http://www.neo-layout.org/ [neo-layout.org]
Hint 1: The letters printed on my keys have no relation to the actual layout.
Hint 2: "Ebene" means "level". So: Yes, that thing has 6 levels. (7 actually)

Re:

[bhtooefr]

Every version of IE I can think of does add the HTTP.

Maybe you're thinking of NCSA Mosaic? That's the last browser I can think of that required you to type HTTP. And even then, only the very early versions.

Re:

[da5idnetlimit.com]

???

I call bullshit...

French keyboards do have accented characters, but you have to ctl-alt most of them to get them.

azerty to qwerty keyboards is only about substituting 4 or 5 of the main characters. ridiculously easy.

It starts being much more interesting when your password contains |, @ or &, a french keyboard and a remote system configured at logon for us keyboard...

Re:

[Wonko the Sane]

Oh dear god!! Don't do that search without safesearch on..

How exactly does someone get that image on the first page of the results?

Oh well. Here's the antidote [google.com].

Re:

[mrbooze]

Wasn't it HP-UX years ago where the "@" symbol was some sort of delete key? I remember once it taking me a while to sort out why an employee kept complaining that his password wasn't working only on certain systems.

Re:159357 popular with lefties?

[ShieldW0lf]

I'd suggest using sentences, taking the first letter from each word.

"I was born in Timbuktu in 72 and I don't know what to do!" turns into "IwbiTi72aIdkwtd!"

16 characters, upper and lower case, numbers and punctuation, and it's practically impossible to forget.

You can also program yourself this way.

"I will get up at 8 and not be late for work!" turns into "Iwgua8anblfw!", which is still strong, but also causes you to repeat the phrase to yourself every time you log in, so maybe you won't get canned for showing up at your desk at quarter to 10.

Re:159357 popular with lefties?

[Anonymous Coward]

As in : left hand on the mouse, right hand free to type something ?

Re:159357 popular with lefties?

[RedK]

I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

Re:

[freedomlinux]

Another leftie here...
I never use the mouse on the left and switching the button layout seems like an awkward hassle.

Maybe I'm not used to it because I tend to use public computers where admins would disapprove of re-arranging.
I'm just so used to the regular right-handed mouse and don't know any lefties for aren't.

Re:

[Mista2]

For me mouse on the left but I don't swap the buttons. QWERTY keyboards are inherently biased favouring lefties when using a mouse on the left as the page up/down and arrow keys all fall to the unoccupied hand.
At home I also use an apple mighty mouse and this is great left handed. Left click with all fingers on the front of the mouse, rightclick with careful press of left index finger only.

Re:159357 popular with lefties?

[Scaba]

You just aren't experienced at recognizing left-handed porn.

Re:159357 popular with lefties?

[Majik Sheff]

I don't have a right hand you insensitive clod!

Re:

[nedlohs]

Would be a strange thing to do. I know righties who use their mouse with their left hand, but there's some benefits to that that lefties get "for free" using the more standard setup.

Re:

[basscomm]

I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

I've done tech support for several hundred Average Joe computer users, and out of those, I've seen the mouse on the left-hand side of the keyboard twice, and only one of those times did the person actually switch the buttons around.

I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

Re:

[ozbon]

I'm left-handed, and do use the mouse on the left side of the keyboard. Mind you, I haven't swapped the buttons over - that's just weird...

For me, I find that it's a lot easier to have the mouse on the left hand side. But I'm used to moving to other people's computers (and, being a contractor, changing jobs regularly as well) so I don't fark up the buttons as well.

Re:

[renoX]

>>I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

As a semy-lefty, I disagree for me the reason why leftie don't use the mouse with their left-hand is that it's easy enough with their right hand so they don't change it.
It takes a lot of time and effort to learn to write, not so much using a mouse..

Re:

[eggy78]

This is getting a little off-topic, but I used to work with a guy that had a mouse on the left and right side of his keyboard (connected to the same computer). I don't know if he was left- or right-handed, but it was definitely a little odd. He claimed it dramatically increased his productivity and was a pretty amazing setup. I don't believe him.

Re:159357 popular with lefties?

[vorpal22]

I'm right handed, and I trained myself to use my mouse with my left hand. The reason? Because I was starting to develop wrist problems back when I was in IT and had to spend eight hours a day on the computer. Using the mouse with your right hand entails having to move over a much larger area of keyboard to get to it (numerical keypad, arrow keys, etc). With the left hand, you only have to travel a small distance. Also, being mouse-ambidextrous allows you to switch back and forth, thus taking the entire burden off of one hand.

In the end, I decided to go with a trackball, which is built for the right hand (MS optical one) but which I use with my left hand. Furthermore, it's great because since it's a trackball and on the wrong side of the keyboard, it keeps people away from my computer, which is just fine with me :-).

Re:

[bhtooefr]

I just try to use keyboards with TrackPoints built in. That way, your hands don't even really have to move off the home row to use the mouse.

Unfortunately, the keyboards I tend to prefer (104-key boards with Cherry MX blue switches, mainly) don't have TrackPoints, and I find most buckling spring boards to be too heavy key force. (Still great to type on, just not QUITE my cup of tea any more.)

even on /. I'm a weirdo!

[Scrameustache]

I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

I have mice on both sides.
I'm almost ambidextrous so this way I can reach for a mouse with whichever hand isn't currently holding my coffee.

I do get a lot of "oh, you're left handed?" from people who see me reach for things with my left hand though. I never understood why people limit themselves to 50% of their usable hands.

Re:

[Timothy Brownawell]

I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse of the left, though I'm sure that weirdo exists.

I'm left-handed and have my mouse on the left (with the "normal" right-handed button setup). Before I had my own computer I used the mouse on the right -- partly so I didn't have to keep switching it, partly because the desk the computer was on made it inconvenient to put on the left, and mostly because it was a right-hand-only "ergonomic" mouse.

Re:

[Ritchie70]

I'm ambimoustrous at work.

On the computer on the left side of my desk, the mouse is on the left.

On the computer on the right side of my desk, the mouse is on the right.

I don't remap the mouse buttons though - that's just weird.

Plus I'd be totally confused if I got used to that and then had to use somebody else's mouse (which is fairly common in my job.)

Re:

[Valdrax]

Never would've thought of that. As a left-handed person, I still use the mouse with my right hand because that's where everyone else puts it. Also, I'd have to remap the left/right buttons to be able to use my index finger for the majority of clicking.

(Coincidentally, I did use that as my phone password for a while after some Cisco phones at my job barred my traditional "12345" (idiots, luggage) VM password. I've never even really understood a need to secure my VM in the first place, but I digress.)

Re:

[Luthair]

I had that happen once, so instead of going horizontally across the numpad I changed to vertical ;) 147258 ftw

Re:159357 popular with lefties?

[auric_dude]

Nothing too sinister about being left handed.

Re:

[jeroen94704]

Being a lefty myself, I seriously doubt if lefty's are more likely to use the mouse left-handed than righty's.

I've never come across someone who uses the mouse left-handed because they are left-handed, and actually know several right-handed people who use the mouse left-handed.

Re:

[MRe_nl]

left hand on the mouse/ mouselook/ shoot/ reload/ next.previous weapon/ zoom,
right hand forward/ back/ strafe/ jump/ crouch (in my case).

Re:

[Aranykai]

Because they place their left hand on the mouse, leaving the right hand on the right side of the keyboard. Its only natural to use the number pad instead of moving their mouse hand.

Re:

[tgzuke]

I disagree. I'm left-handed, and my mouse is on the left side. My work (like most others, I'm guessing) has ambidextrous mice, and I use a Razer mouse at home. I just suffer when I find an ergonomic one in the wild, but that's no different than encountering any right-handed device, like can openers or power tools.

Re:

[mikael]

Perhaps it is a difference between laptops and desktop keyboards. On a commodity laptop there is no numeric keypad, though there is the numlock key on some which allows the UIOJKL keys to be used as numeric keys.

The quickest way of typing numbers is to use the the top row of keys. In that case, sequences like '1234', 'qwe123', q1w2e3' would be the most convenient. If you have a full sized desktop keyboard, then the availability of the keypad would allow the sequence 159357 to be typed in rapidly.

Re:

[tomz16]

The numeric keypad is on the right ... how exactly does this work out?

Don't know why you were modded insightful. Subby is correct!

Imagine a keyboard... now imagine a mouse...

Now imagine a right handed user using both and typing 1234.

Now imagine a left handed user using both and typing 159357.

Comprende?

And so...

[Anonymous Coward]

someone 'analyzed' another password list for correlations and found nothing of inherit value to security of than 'people are a problem'.

Chalk yet one up for the Adams team.

Are they the problem?

[khasim]

someone 'analyzed' another password list for correlations and found nothing of inherit value to security of than 'people are a problem'.

People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?

Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.

So do not focus on "strong" passwords as your only defense against attack.

One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.

Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.

There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.

For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.

People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.

Re:

[LihTox]

I think it is reasonable to ask people to write passwords down, so long as they treat them on the same level as their credit card number-- e.g. keep them in a wallet. After all, we carry our credit card numbers around with us all the time, in written form, right there on the card. When we have to charge something online, we pull out the card and type in the 16-digit number: few people have their number memorized I imagine. Passwords can work the same way. There's a risk of theft, of course, but the conse

Re:

[corychristison]

Or better yet, use your credit card number /as/ your password.

Re:

[uncqual]

Your credit card being stolen is pretty easy to deal with and fairly low cost (mostly just a bit of phone calling and paperwork) - esp. if you notice it and contact the CC company before the card's been used. It just gets canceled. Even if it gets used before you can contact the CC company, your liability is very limited by Federal law (it's $50 or something like that) if you notify the company as soon as you can after discovering the loss.

On the other hand, if your userid/password to your brokerage accou

Re:Are they the problem?

[LihTox]

I did think of that, but I still say passwords need to be treated like credit card numbers, and that includes allowing for the possibility that they are stolen. If it's possible that, just by knowing your password, a crook can liquidate your assets with no recourse for you, then a password is inadequate security no matter how often you have them changed or how complicated they are. Or alternatively, people need to be insured against that sort of thing happening.

Re:

[cripkd]

Sorry, but why is writting down password secure? Maybe i don;t get this point. Thing is I never understood why amdins preffer those random generated passwords, like df@w7#5tyyyj
Those will be writtend down. In notebooks or files on the computer, in unprotected folders. I've seen people emailing themselves some new password. Thats very secure too, when you use some obscure email provider (for various reasons).
I use sentences as passwords, with or without spaces between words. You can't forget those, human m

Re:Are they the problem?

[Glendale2x]

The other problem is that every damn thing on the internet now requires a login and password - so much that we start using crap passwords like "asdf" for sites like your phpbb forum login, which happens to be the same as the other 50 forums you have accounts on or ever needed to register for to ask a one-off question.

Re:Are they the problem?

[Cthefuture]

Exactly.

OpenID [openid.net] is suppose to help with that. It seems to be slowly gaining support but is still not nearly pervasive enough. It has the advantage of supporting much stronger multi-factor based authentication if you want it (smartcards, etc) and its decentralized nature means you're not putting all your eggs in one basket like most other single sign on solutions.

Re:

[account_deleted]

Comment removed based on user account deletion

passwords

[kohaku]

What the hell, Slashdot? Stop posting all my passwords!

The horrible problem

[Z00L00K]

It's a horrible problem of having leaked passwords, and the only way around it is to avoid logging the cleartext password and do a hash of the password combined with a salt before storing it.

In that way it's at least not too easy to recreate the password used by various users.

It's of course standard procedure, but it just makes it evident how incredibly trivial some systems are built.

Re:The horrible problem

[qw0ntum]

From my perusal of TFA, I think the passwords were actually hashed in the DB, but the guy who cracked the site broke them: http://hackedphpbb.blogspot.com/ [blogspot.com]

The response from phpBB.com seemed to indicate that the only passwords that were cracked were from those accounts that had been created in an older system, and had not logged in under the newer system. Given the large number of spam accounts on that site, I wonder if the majority of those cracked, not recently logged in accounts were spam accounts, and as such if the passwords are not representative of the userbase at large: http://area51.phpbb.com/phpBB/viewtopic.php?f=3&t=29973 [phpbb.com]

Re:The horrible problem

[slackergod]

I agree... it just plain scares me that so many large systems don't even bother with such trivial precautions as hashing. It's even more trivial than sql injections. Up until it happened, I would have _never_ guessed myspace & phpbb stored plaintext. It seems borderline incompetent.

I've implemented tons of little one-off account systems, for websites small enough they'll probably never even see a hacker. But before I even implemented the first one, I went through the trouble of finding the best password hash algorithm I could (http://people.redhat.com/drepper/SHA-crypt.txt)

Sure, I've had customers ask "why can't it just email me my password when I forget?" But you know what? Just a few minutes of quick explanation, and even people with NO math or cs background can understand why it's important.

So for the love of the gods, people, please take an hour out of your time to put in a hash alg (even md5-crypt is better than nothing)... it's just not that hard.

---

Just to go off on a rant here...
I've also noticed in some web applications there is the tendency to just pick a hash alg at random. Be warned: not all hash algorithms are created equal.

"Checksum" algorithms such as CRC32 are woefully insufficient: easy to reverse (for small strings), easy to find collisions. They're basically just one guessable step away from plaintext.

"Integrity" algorithms such as MD5 & SHA are a little better, since they're very hard to reverse, and difficult to find collisions.
The problem with using these types of hashes directly is that they will always hash a password to the _same_ string. While that's desirable for their purposes (file integrity, etc), that's not good at all for passwords: you can pre-build a table of known mappings beforehand, and use it to quickly guess many passwords in parallel (aka a rainbow table): Given a table of 10k user passwords hashed like this, and a pre-built table, the odds are very good you'll get a significant number of the passwords in a very short amount of time.

This is why a proper "Password" hash (eg bcrypt, md5-crypt, sha-crypt) includes a "salt" which is randomly generated each time the password is set (and not just the first time). This prevents the rainbow attacks which are possible on plain integrity hashes. But prepending (or appending) the salt is not enough, because since it's effect can be undone mathematically, at least enough so that it presents no real additional barrier.

Genuine password hashes, while using an integrity hash their basis, mix & blend the password and the salt in so many variable ways as to make this reversal impossible. And there are so many nuances here that _you should not roll your own_ (unless you're Bruce Schneier). Read bcrypt, sha-crypt or md5-crypt's specs for some details.

Note: don't use the old unix-crypt, while it is a password hash in the strict sense, it's so old and simple, it's barely stronger than crc32.

Note: sha-crypt adds additional flexibility via it's "rounds" system, allowing it to easily grow more complicated as computers grow more powerful. This is why I prefer it above all the others.

End rant: all this is why you should use sha-crypt or md5-crypt, and nothing lesser.

Re:The horrible problem

[NeoThermic]

Just to put a huge hole in your rant, the passwords in question *were* md5'ed. They were only in md5 format because they were passwords left unconverted since the hash algo changed in phpBB3. To convert them, it requires the user in question to log in just once post-conversion. The accounts cracked had not done that and were thus very unused accounts.

NeoThermic

Re:

[John Hasler]

You're right, but hashing makes "password recovery" impossible. Which do you think most users consider most important: security, or the ability to recover their forgotten passwords by an obvious fact about themselves?

Re:

[John Hasler]

Of course, you can let them create a new password when they tell you their favorite color and what kind of pet they own.

Re:

[Frosty Piss]

You're right, but hashing makes "password recovery" impossible.

phpBB passwords are stored as an MD5 hash. Original passwords are not recovered, a reset URL is sent to the email of record after giving the reset function your UID and email (it will not work without both).

Re:

[Glendale2x]

Make a password recovery system that assigns a new random generated password when a user "recovers" the password. Problem solved.

Re:

[Red Alastor]

I agree... it just plain scares me that so many large systems don't even bother with such trivial precautions as hashing. It's even more trivial than sql injections. Up until it happened, I would have _never_ guessed myspace & phpbb stored plaintext. It seems borderline incompetent.

MySpace is actually innocent here. The password were found in a phishing attack, people thought they were login to MySpace. The real database was not compromised.

Re:The horrible problem

[asdfghjklqwertyuiop]

When most of your users are chosing passwords like "password" and "1234" no hashing is going to help. Those are the first things anyone will try when using brute force.

Hashing would buy competent, caring* users with strong passwords a little bit of time to change their password, assuming the intrusion is discovered and the users are notified quickly enough.

*: That's another mistake a lot of site designers make: assuming that the users care about the security of the accounts they set up. Many times the users simply want access to some content on a web site and once they have it couldn't care less about their account. It was just a meaningless hoop they had to jump through to get something. If the compromise affects the web site more than its users then its time to stop making people create an account for every little thing so your marketing department can gather personal information.

Re:The horrible problem

[sakdoctor]

If you're going to rant about encryption then get modded +5, try to be factually correct so you don't mislead people.

CRC32 is a checksum algorithm.
Integrity algorithm - This doesn't mean anything!
MD5 and SHA1 are both hash algorithms.
MD5 is weak because it's not not collision resistant.
SHA256 and up are recommended.

For passwords simply appending the salt is sufficient. Hashes are not reversible. They can't be "undone mathematically".

There is a related issue called an extension attack, where data can be added without knowing the original hash value. For that you need an HMAC which is the correct way to incorporate ("mix and blend") a secret key with data.

Avoid adding rounds to weak hashes. Pick a larger hash. A 512bit hash has 1.3 Ã-- 10^154 possible outputs!

Do not reinvent the hash.
Do not reinvent the HMAC.
Learn the proper application of both.

Re:

[filesiteguy]

It is a horrible problem. PHPbb, however, does not store in plaintext. Under versions 1x and 2x, they were stored as MD5. Realizing this was still insecure, they changed to a stronger hash algorithm. However, the software that was hacked - the mailing list- still stored many of the passwords under the 2.x formula. Those who had logged in under 3.x had their passwords changed and are not susceptible.

Passwords are the Problem

[SolarStorm]

With so many other methods of user verification why do we still continue with passwords? My work uses so many passwords for each application, and forces you to change them montly, and some of them force you to use different passwords, that you can look at any monitor and find a postit note with complete access to the system. When I mentioned this to the SA's. They said they need all of the passwords for security? Why not use thumbprints or cards for verification like the hospital I used to work at? Never typed a single password. Had to take the gloves off once or twice, but never a password.

Re:Passwords are the Problem

[Penguin Follower]

I work for the IT staff of a hospital. Fingerprint readers cause us a headeache because the hardware does not work reliably. We recently started shopping for new vendors for finger print readers (trying to find one that works more reliably). Both of the new vendors came in to show us their hardware and couldn't get them to work with at least 90% reliability. We're looking at other forms of authentication now. Problem being, we have to have two forms of identification due to the state board of pharmacy. It was going to be fingerprint readers and passwords... now looks like maybe RSA tokens and passwords instead. We use RSA already and that system doesn't give us many problem at all.

Re:

[nametaken]

Card systems, thumbprint readers, keys, etc. cost money in both hardware and software... both up-front and recurring.

Password systems are built in, cost nothing, and have done the job pretty damn well for decades.

That's not to say it's a perfect solution of course.

Re:

[grumbel]

Why not use thumbprints

Thumbprints have the disadvantage that you leave them all over the place anywhere you go, which makes them pretty easy to fake and not a very good password replacement. They of course can work in some cases, but are horrible in others.

cards for verification like the hospital I used to work at?

The problem is:

1) nobody owns them
2) no webpage or browser out there supports it

Classic chicken&egg situation. If Microsoft or Apple would step up and push them, such stuff might have a chance, but without a large party backing it up, I don't have much hope for the near fu

Re:

[Mista2]

At primary school one of my teachers insisted in trying to cure my lefthandedness. my handwriting is still terrible to this day thanks to this 8)

Re:

[John Hasler]

At primary school one of my teachers insisted that it was "ok to be lefthanded". She kept taking the pencil out of my right hand, putting it in my left, and reassuring me that "You don't have use the same hand as the other kids". Fortunately I was more persistent than she was, so now I am very nearly ambidextrous as well as having adequate handwriting.

Re:

[Wildclaw]

This is the real reason why OpenID is so important. Cards/onetime tokens/etc are costly to implement on every minor site. However, by centralizing the security solution you can use a real secure solution.

As for biometrics, I only recommend thumbprints as a compliment to ensure that people don't lend out their primary verification. For actually security checking biometrics suffers from being a static factor. Onetime pads or certificates are better in that regard.

Re:Passwords are the Problem

[zippthorne]

Fingerprint readers solve the "username" part of authentication. Not the "password" part.

Re:

[account_deleted]

Comment removed based on user account deletion

Wait, you broke stolen data?

[nurb432]

Doesn't that make you a criminal too?

Oh, it was just for 'educational purposes only' so that makes it all better.

Re:

[nurb432]

While not 100% true about not becoming a criminal if someone sends you something. ( let someone send you a bag of pot, and if you hold it in your hand, technically its possession ), but this isn't abut possession, its about what he did with it.

Breaking passwords is *technically* illegal, for any purpose..

Inaccurate

[DarkAnt]

Sex and God are not even on the list.

Re:Inaccurate

[MRe_nl]

from a link/article:(Pearlady said, on January 6th, 2009 at 10:35 am)
"Just had to mention hearing about the man who wanted to use "Penis" as his password, but the computer threw it out because it wasn't long enough.....

Re:Inaccurate

[Zwicky]

Problem solved. My password is 'sexgod'

What? I can dream!

Colemak/Dvorak patterns?

[ethana2]

How many key patterns are used by people who type with dvorak or colemak? I've always liked the extra security that comes with using an obscure (albeit superior) keyboard layout ;)

Surely a meaningless analsysis?

[gilgongo]

What lessons can we learn from a password list taken from a mailing list? Most if not all people would instinctively choose a weak password for something like that, and those that didn't wouldn't use their "normal" strong one for fear of something like this incident happening. After all, it's only worth choosing a strong password if there's something worth protecting with it. Nobody (that's nobody) chooses new passwords for every system they use. So what's left - "password" and "12345". Not a big surprise.

Re:

[Charles Dodgeson]

I would be interested in distributions. Do these follow Zipf's law [wikipedia.org] or a more general power law?

Although the analysis was fairly superficial, the better we understand human password choice, the better we can work on systems to alleviate the problem. Anyway, I am a big fan of proper password managers. If people are expected to remember more than a small handful of passwords, bad things will happen.

Re:

[John Hasler]

> Nobody (that's nobody) chooses new passwords for every system they use.

False.

Stupid passwords

[SirLurksAlot]

[King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life!

Group passwords and write 'em down

[chill]

I group passwords two ways.

1. Sites that have no personal info or I don't really give a damn about. Those share 2 or 3 different passwords depending on their lame (no special characters!) requirements. Pick two words, use 7334 spelling and separate them by a punctuation mark. For example "mad money" becomes "M@d;m0n3y". Good luck guessing stuff like that.

2. Sites that I care about, like online banking or ones that contain personal information (LinkedIn, for example), have random line noise for passwords and I just write them down. There is a notebook in my desk with all the passwords. The desk is locked and in my home office. That is far more secure than trying to make them easy enough to memorize.

3. If you use Firefox, make sure you use a Master Password [mozilla.com] if you allow it to remember passwords.

Someone posted this earlier and it is a useful BASH script.

dd if=/dev/random bs=200 count=1 | tr -cd 'A-Za-z0-9!@#$%^&*()_+'; echo

Copy a group of 10-15 out of the middle of that and use it for a password.

Re:

[FourthAge]

I think the following is better:

#!/usr/bin/python

if ( __name__ == "__main__" ):
out = []
r = file('/dev/random', 'rb')
for i in xrange(8):
ch = 62
while (( ch >= 62 ) or (( i == 0 ) and ( ch >= 52 ))):
ch = ord(r.read(1)) % 64

if ( ch < 26 ):
ch += ord('A')

Re:

[John Hasler]

I think pwgen is better yet.

Re:

[CoolQ]

Much simpler:

openssl rand -base64 32 | head -c 10

Where "10" is the number of characters you want.

--Quentin

DMCA

[Migraineman]

Does this message thread constitute an "access control circumvention device" under the DMCA? [chillingeffects.org] It's a reach to consider a message board thread to be a "device," but information herein does identify a statistical bias toward passwords used for access control. That wasn't the original intent of the DMCA ... but the original intent is irrelevant.

Who needs this?

[Javagator]

Who needs a list of the 500 worst passwords. What we need is a list of the 500 best passwords.

I keep my password simple....

[Anonymous Coward]

I keep it the same as my cat's name, so it's easy to remember. My cat's name is HZpn8BINlP5Lows2Y@z2I%L!Cvlga&GE128 but I change it every month.

No Geek Card For You!!!

[supernova_hq]

Dude, you actually had to google 159357 to realize it was a num-pad thing? Time to hand in his geek card Robert!!!

Re:Left and right reversed?

[chillax137]

The idea is that lefties are mousing with their left hands - they have the right hand free to do the typing.

Re:Left and right reversed?

[argent]

That's the first time I've heard of one-handed typing being commonplace. I thought it was restricted to certain kinds of websites. :)

Re:

[swilly]

Are you suggesting that those sites aren't commonplace?

Re:

[arkhan_jg]

Even more so, it's about the width of the body and the natual position of the free hand.

A leftie with his left hand on the mouse, to the left of the keyboard; his right hand naturally falls around the arrow keys or numberpad.

A rightie with his right hand on the mouse to the right side of the keyboard will naturally have his left hand fall around the wasd and 1234 side of the keyboard.

While it's certainly possible to mouse left-handed and use wasd for gaming, (or the keypad if you're a rightie) you end up re

Re:Left and right reversed?

[Ian Alexander]

I've never moused with my left hand on anything approaching a regular basis- it's simply too awkward. I was just taught to use my right hand to mouse like everyone else in elementary school so that's what I do.

--Southpaw

Re:

[daeley]

I'm a righty, but if I use a mouse at all it's on the left. Can't remember why I switched it up, but I think it might have been something I read about avoiding wrist strain after using the mouse on the right for years. Feels perfectly natural nowadays.

Re:

[John Hasler]

Sometimes I put ny trackball on the right, sometimes on the left: whichever is convenient. Works fine with either hand. I never switch buttons, of course.

Re:

[Joce640k]

So ... why are lefties typing 159357 instead of qazwsx?

Re:

[argent]

I know a couple: out of the several hundred developers I was supporting in a precious job I can only recall a couple who were using a mouse left-handed handed when I was called in to help them... so obviously some people prefer them.

They all type with both hands. Even when entering a password.

Re:

[thetoadwarrior]

Every lefty I know uses theur left hand including one dim enough to have bought a right handed mouse.

Re:

[John Hasler]

I'm lefted handed. At the moment I find it convenient to have my trackball to the right of my keyboard and use it with my right hand, but under other circumstances I sometimes put it on th left. Makes no difference.

Re:Left and right reversed?

[cslax]

I use the mouse with either hand, if the hand gets tired I switch hands.

Can be misinterpreted in so many ways.

Re:

[Charles Dodgeson]

I don't know about other people, but I really don't care if someone hacks or guesses my forum password [...] Trivial web sites are going to beget trivial passwords.

I suspect that many people don't distinguish between high security passwords and low security ones, but as you say, it would be very interesting to see results from a high value site.

But even if people are using better passwords on more important sites, they are still constrained by memory and psychology if they are not using a password management system. So even if they are using better passwords for those sites, they are probably using the same, or variants of the same, passwords on multiple sites. If