Security News

Passwords From PHPBB Attack Analyzed

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"
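The "patterns on the keyboard" class in the summary (qwerty, 1qaz2wsx, 1q2w3e, and 159357 on the numeric keypad) can be recognised mechanically, which is useful for a registration-time password check. The following is an added example and not Graham's analysis tool; the key coordinates are a rough approximation of a US QWERTY layout and numpad, and the 0.75 threshold is a constructed cut-off, not a value from the article.

```python
# Added example (not from the article): score a password by how many of its
# consecutive character pairs are neighbouring keys on the keyboard.
# Coordinates approximate a US QWERTY main block and a numeric keypad; two
# keys are "adjacent" when they touch horizontally, vertically or diagonally.

MAIN_ROWS = [
    ("1234567890", 0.0),   # number row
    ("qwertyuiop", 0.5),   # each letter row is shifted right relative to the one above
    ("asdfghjkl", 0.75),
    ("zxcvbnm", 1.25),
]
NUMPAD_ROWS = [
    ("789", 0.0),          # numpad rows, top to bottom
    ("456", 0.0),
    ("123", 0.0),
    ("0", 0.5),
]


def _coords(rows):
    """Map each key to an (x, y) position on the given layout."""
    table = {}
    for y, (keys, x_offset) in enumerate(rows):
        for i, ch in enumerate(keys):
            table[ch] = (i + x_offset, float(y))
    return table


MAIN = _coords(MAIN_ROWS)
NUMPAD = _coords(NUMPAD_ROWS)


def _adjacent(a, b, layout):
    if a == b:
        return True        # a repeated key ("111111") is a trivial step
    if a not in layout or b not in layout:
        return False
    (ax, ay), (bx, by) = layout[a], layout[b]
    return abs(ax - bx) <= 1.0 and abs(ay - by) <= 1.0


def keyboard_walk_score(password):
    """Fraction of consecutive pairs that are neighbouring keys, taking the
    better of the main block and the numpad (so "159357" scores on the numpad)."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    pairs = list(zip(pw, pw[1:]))
    best = 0.0
    for layout in (MAIN, NUMPAD):
        hits = sum(1 for a, b in pairs if _adjacent(a, b, layout))
        best = max(best, hits / len(pairs))
    return best


def is_keyboard_walk(password, threshold=0.75):
    """True when most of the password is a walk across adjacent keys."""
    return keyboard_walk_score(password) >= threshold


if __name__ == "__main__":
    for pw in ["qwerty", "1qaz2wsx", "1q2w3e", "159357", "password", "kitten6apple"]:
        print(f"{pw:14s} score={keyboard_walk_score(pw):.2f} flagged={is_keyboard_walk(pw)}")
```

Scoring the fraction of adjacent pairs rather than demanding a perfect walk is what lets "1qaz2wsx" (three columns joined by one non-adjacent jump) be caught; "password" and "kitten6apple" score well below the threshold because their letters are scattered across the keyboard.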
  • by Z00L00K ( 682162 ) on Saturday February 07, 2009 @01:25PM (#26764833) Homepage Journal

    It's a horrible problem of having leaked passwords, and the only way around it is to avoid logging the cleartext password and do a hash of the password combined with a salt before storing it.

    In that way it's at least not too easy to recreate the password used by various users.

    It's of course standard procedure, but it just makes it evident how incredibly trivial some systems are built.
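The salted-hash storage Z00L00K describes, as an added example rather than phpBB's own code. It uses PBKDF2-HMAC-SHA256 as the hash (the comment only asks for "hash plus salt"; the slow iterated hash and the 200,000 iteration count are this example's choices), draws a fresh random salt per password, and includes a plain unsalted MD5 for contrast: with no salt, every user who picked "123456" gets the identical hash, so one lookup table recovers all of them at once.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thread. Stored format (constructed for this example):
#   pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing salted hash. A fresh 16-byte random salt is drawn
    per password; passing one explicitly is only useful for tests."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the salt stored beside it and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_md5(password):
    """The weak scheme the comment warns against: the same password always yields
    the same hash, so a precomputed table cracks every user who chose it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("123456")
    print(record)
    print("login ok:", verify_password("123456", record))
    print("wrong pw:", verify_password("password", record))
    print("two users, same password, unsalted:", unsalted_md5("123456"), unsalted_md5("123456"))
```

Two calls to hash_password with the same input produce different records because of the salt, while verify_password still accepts the right password for either; the unsalted MD5 of "123456" is the same well-known value every time.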

  • by Carewolf ( 581105 ) on Saturday February 07, 2009 @01:35PM (#26764919) Homepage

    Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

  • by Ian Alexander ( 997430 ) on Saturday February 07, 2009 @01:46PM (#26765013)
    I've never moused with my left hand on anything approaching a regular basis- it's simply too awkward. I was just taught to use my right hand to mouse like everyone else in elementary school so that's what I do.

    --Southpaw
  • by Aranykai ( 1053846 ) <slgonserNO@SPAMgmail.com> on Saturday February 07, 2009 @01:53PM (#26765077)

    Because they place their left hand on the mouse, leaving the right hand on the right side of the keyboard. It's only natural to use the number pad instead of moving their mouse hand.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday February 07, 2009 @01:55PM (#26765093)

    someone 'analyzed' another password list for correlations and found nothing of inherent value to security other than 'people are a problem'.

    People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?

    Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.

    So do not focus on "strong" passwords as your only defense against attack.

    One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.

    Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.

    There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.

    For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.

    People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.

  • by basscomm ( 122302 ) <basscommNO@SPAMcrummysocks.com> on Saturday February 07, 2009 @02:08PM (#26765201) Homepage

    I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse on the left, though I'm sure that weirdo exists.

    I've done tech support for several hundred Average Joe computer users, and out of those, I've seen the mouse on the left-hand side of the keyboard twice, and only one of those times did the person actually switch the buttons around.

    I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

  • by NeoThermic ( 732100 ) on Saturday February 07, 2009 @02:46PM (#26765541) Homepage Journal

    Just to put a huge hole in your rant, the passwords in question *were* md5'ed. They were only in md5 format because they were passwords left unconverted since the hash algo changed in phpBB3. To convert them, it requires the user in question to log in just once post-conversion. The accounts cracked had not done that and were thus very unused accounts.

    NeoThermic

  • by Glendale2x ( 210533 ) <[su.yeknomajnin] [ta] [todhsals]> on Saturday February 07, 2009 @03:14PM (#26765797) Homepage

    The other problem is that every damn thing on the internet now requires a login and password - so much that we start using crap passwords like "asdf" for sites like your phpbb forum login, which happens to be the same as the other 50 forums you have accounts on or ever needed to register for to ask a one-off question.

  • by asdfghjklqwertyuiop ( 649296 ) on Saturday February 07, 2009 @04:10PM (#26766293)

    When most of your users are choosing passwords like "password" and "1234" no hashing is going to help. Those are the first things anyone will try when using brute force.

    Hashing would buy competent, caring* users with strong passwords a little bit of time to change their password, assuming the intrusion is discovered and the users are notified quickly enough.

    *: That's another mistake a lot of site designers make: assuming that the users care about the security of the accounts they set up. Many times the users simply want access to some content on a web site and once they have it couldn't care less about their account. It was just a meaningless hoop they had to jump through to get something. If the compromise affects the web site more than its users then it's time to stop making people create an account for every little thing so your marketing department can gather personal information.

  • by zippthorne ( 748122 ) on Saturday February 07, 2009 @04:41PM (#26766573) Journal

    Fingerprint readers solve the "username" part of authentication. Not the "password" part.

  • by LihTox ( 754597 ) on Saturday February 07, 2009 @04:47PM (#26766601)

    I did think of that, but I still say passwords need to be treated like credit card numbers, and that includes allowing for the possibility that they are stolen. If it's possible that, just by knowing your password, a crook can liquidate your assets with no recourse for you, then a password is inadequate security no matter how often you have them changed or how complicated they are. Or alternatively, people need to be insured against that sort of thing happening.

  • by renoX ( 11677 ) on Saturday February 07, 2009 @05:44PM (#26766959)

    >>I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

    As a semi-lefty, I disagree. For me the reason why lefties don't use the mouse with their left hand is that it's easy enough with their right hand, so they don't change it.
    It takes a lot of time and effort to learn to write, not so much using a mouse.

  • by ajlisows ( 768780 ) on Saturday February 07, 2009 @07:55PM (#26767875)
    I worked in a desktop support capacity for a company some years back that had a pretty good number of lefties that had the mouse on the left side of the keyboard with the buttons switched around. I think it is one of those things that if one lefty in a corporate environment figures it out, other southpaws take note and ask how it is done.
  • by ShieldW0lf ( 601553 ) on Saturday February 07, 2009 @07:56PM (#26767883) Journal

    I'd suggest using sentences, taking the first letter from each word.

    "I was born in Timbuktu in 72 and I don't know what to do!" turns into "IwbiTi72aIdkwtd!"

    16 characters, upper and lower case, numbers and punctuation, and it's practically impossible to forget.

    You can also program yourself this way.

    "I will get up at 8 and not be late for work!" turns into "Iwgua8anblfw!", which is still strong, but also causes you to repeat the phrase to yourself every time you log in, so maybe you won't get canned for showing up at your desk at quarter to 10.
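The first-letter rule in the comment above, written out as an added example (not the commenter's code). The two refinements are the ones his own examples imply: a number word ("72", "8") is kept whole, and punctuation glued to a word ("do!") comes along with the letter. character_classes reports the mix of upper, lower, digit and punctuation characters he points out in the result.

```python
import re

# Added example, not from the thread: turn a memorable sentence into the
# first-letter password the comment describes.


def passphrase_to_password(phrase):
    """First letter of each word, whole numbers kept, trailing punctuation kept."""
    parts = []
    for word in phrase.split():
        lead = re.search(r"[A-Za-z]|\d+", word)      # first letter, or a whole number
        if not lead:
            continue                                # bare punctuation token adds nothing
        trailing = re.search(r"[^\w']+$", word)      # punctuation at the end of the word
        parts.append(lead.group(0) + (trailing.group(0) if trailing else ""))
    return "".join(parts)


def character_classes(password):
    """Which character classes appear: lower, upper, digit, other."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


if __name__ == "__main__":
    for phrase in ["I was born in Timbuktu in 72 and I don't know what to do!",
                   "I will get up at 8 and not be late for work!"]:
        pw = passphrase_to_password(phrase)
        print(f"{pw!r}: {len(pw)} chars, classes {sorted(character_classes(pw))}")
```

The sentence itself is the thing worth keeping private: the derived string is only as unguessable as the phrase, so a famous quote or song lyric run through the same rule is exactly what a wordlist built from quotes would contain.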
