Passwords From PHPBB Attack Analyzed

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"
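As an added illustration of the keyboard-pattern category in the analysis quoted above (example code written for this page, not Graham's analysis tool), the following Python models QWERTY and the numeric keypad as grids of key positions and flags a password as a keyboard walk when most consecutive characters sit on touching keys. It goes slightly beyond the summary by accepting any row-based layout, so the same check can be run against Dvorak rows. The adjacency threshold, the layout rows and the sample passwords are assumptions of the example, not figures from the leaked list.

```python
"""Keyboard-walk detector: flags passwords built from physically adjacent keys.

Added example for the pattern analysis quoted above; not part of the original
post or of the author's analysis tools. Layouts are modelled as rows of keys,
each row shifted half a key to the right of the one above (stagger), so that
diagonal neighbours such as "1" and "q" count as touching.
"""
from __future__ import annotations

QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
DVORAK_ROWS = ["1234567890", "',.pyfgcrl", "aoeuidhtns", ";qjkxbmwvz"]
NUMPAD_ROWS = ["789", "456", "123"]  # numeric keypad, top row first (no stagger)


def key_positions(rows: list[str], stagger: float = 0.5) -> dict[str, tuple[float, float]]:
    """Map each key to an (x, y) position; y is the row index, x includes the stagger."""
    pos: dict[str, tuple[float, float]] = {}
    for y, row in enumerate(rows):
        for x, ch in enumerate(row):
            pos[ch] = (x + y * stagger, float(y))
    return pos


# Assumed default: a full-size QWERTY board, so both the top row and the keypad count.
DEFAULT_LAYOUTS = [key_positions(QWERTY_ROWS), key_positions(NUMPAD_ROWS, stagger=0.0)]


def adjacent(a: str, b: str, pos: dict[str, tuple[float, float]]) -> bool:
    """Same key, or two keys that touch (including diagonally) in this layout."""
    if a not in pos or b not in pos:
        return False
    (ax, ay), (bx, by) = pos[a], pos[b]
    return abs(ax - bx) <= 1.0 and abs(ay - by) <= 1.0


def adjacent_pairs(password: str, layouts=None) -> tuple[int, int]:
    """Count consecutive character pairs that are adjacent in any of the layouts."""
    layouts = DEFAULT_LAYOUTS if layouts is None else layouts
    p = password.lower()
    pairs = list(zip(p, p[1:]))
    hits = sum(1 for a, b in pairs if any(adjacent(a, b, pos) for pos in layouts))
    return hits, len(pairs)


def is_keyboard_walk(password: str, layouts=None, min_len: int = 4, threshold: float = 0.75) -> bool:
    """Flag passwords of at least min_len chars whose pairs are mostly key-adjacent.

    A threshold below 1.0 lets a walk restart once, which is what "1qaz2wsx"
    (two vertical columns) and "159357" (two keypad diagonals through 5) do.
    """
    if len(password) < min_len:
        return False
    hits, total = adjacent_pairs(password, layouts)
    return total > 0 and hits / total >= threshold


def walk_fraction(passwords, layouts=None) -> float:
    """Share of a password list that the detector classifies as keyboard walks."""
    if not passwords:
        return 0.0
    return sum(is_keyboard_walk(p, layouts) for p in passwords) / len(passwords)


if __name__ == "__main__":
    # Constructed sample for the demo, not data from the phpbb.com leak.
    sample = ["123456", "password", "qwerty", "1qaz2wsx", "1q2w3e", "159357", "M@d;m0n3y", "Tr0ub4dor"]
    for pw in sample:
        print(f"{pw:12} adjacent pairs {adjacent_pairs(pw)}  walk={is_keyboard_walk(pw)}")
    print(f"keyboard walks in sample: {walk_fraction(sample):.0%}")
```

Running the block with a Dvorak layout (`is_keyboard_walk("aoeu", [key_positions(DVORAK_ROWS)])`) shows the flip side of the pattern argument: a walk on one layout is scattered noise on another, so an audit should check against the layouts the user population actually types on.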
  • And so... (Score:2, Interesting)

    by Anonymous Coward on Saturday February 07, 2009 @01:23PM (#26764811)

    someone 'analyzed' another password list for correlations and found nothing of inherent value to security other than 'people are a problem'.

    Chalk yet one up for the Adams team.

  • by SolarStorm ( 991940 ) on Saturday February 07, 2009 @01:31PM (#26764887)
    With so many other methods of user verification why do we still continue with passwords? My work uses so many passwords for each application, and forces you to change them monthly, and some of them force you to use different passwords, that you can look at any monitor and find a postit note with complete access to the system. When I mentioned this to the SAs, they said they need all of the passwords for security? Why not use thumbprints or cards for verification like the hospital I used to work at? Never typed a single password. Had to take the gloves off once or twice, but never a password.
  • by RedK ( 112790 ) on Saturday February 07, 2009 @01:59PM (#26765111)
    I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse on the left, though I'm sure that weirdo exists.
  • by Valdrax ( 32670 ) on Saturday February 07, 2009 @02:01PM (#26765129)

    Never would've thought of that. As a left-handed person, I still use the mouse with my right hand because that's where everyone else puts it. Also, I'd have to remap the left/right buttons to be able to use my index finger for the majority of clicking.

    (Coincidentally, I did use that as my phone password for a while after some Cisco phones at my job barred my traditional "12345" (idiots, luggage) VM password. I've never even really understood a need to secure my VM in the first place, but I digress.)

  • by qw0ntum ( 831414 ) on Saturday February 07, 2009 @02:04PM (#26765153) Journal
    From my perusal of TFA, I think the passwords were actually hashed in the DB, but the guy who cracked the site broke them: http://hackedphpbb.blogspot.com/ [blogspot.com]

    The response from phpBB.com seemed to indicate that the only passwords that were cracked were from those accounts that had been created in an older system, and had not logged in under the newer system. Given the large number of spam accounts on that site, I wonder if the majority of those cracked, not recently logged in accounts were spam accounts, and as such if the passwords are not representative of the userbase at large: http://area51.phpbb.com/phpBB/viewtopic.php?f=3&t=29973 [phpbb.com]
  • by mikael ( 484 ) on Saturday February 07, 2009 @02:04PM (#26765155)

    Perhaps it is a difference between laptops and desktop keyboards. On a commodity laptop there is no numeric keypad, though there is the numlock key on some which allows the UIOJKL keys to be used as numeric keys.

    The quickest way of typing numbers is to use the top row of keys. In that case, sequences like '1234', 'qwe123', 'q1w2e3' would be the most convenient. If you have a full sized desktop keyboard, then the availability of the keypad would allow the sequence 159357 to be typed in rapidly.

  • by ethana2 ( 1389887 ) on Saturday February 07, 2009 @02:06PM (#26765171)
    How many key patterns are used by people who type with dvorak or colemak? I've always liked the extra security that comes with using an obscure (albeit superior) keyboard layout ;)
  • by Hurricane78 ( 562437 ) <deleted&slashdot,org> on Saturday February 07, 2009 @02:15PM (#26765265)

    But for that, you first have to *find* the letters "qwerty", and maybe even "http://google.com" (because IE does not automatically add the http) first.

    Good luck, finding them on MY keyboard: http://www.neo-layout.org/ [neo-layout.org]
    Hint 1: The letters printed on my keys have no relation to the actual layout.
    Hint 2: "Ebene" means "level". So: Yes, that thing has 6 levels. (7 actually)

  • by eggy78 ( 1227698 ) on Saturday February 07, 2009 @02:19PM (#26765293)
    This is getting a little off-topic, but I used to work with a guy that had a mouse on the left and right side of his keyboard (connected to the same computer). I don't know if he was left- or right-handed, but it was definitely a little odd. He claimed it dramatically increased his productivity and was a pretty amazing setup. I don't believe him.
  • by chill ( 34294 ) on Saturday February 07, 2009 @02:21PM (#26765305) Journal

    I group passwords two ways.

    1. Sites that have no personal info or I don't really give a damn about. Those share 2 or 3 different passwords depending on their lame (no special characters!) requirements. Pick two words, use 7334 spelling and separate them by a punctuation mark. For example "mad money" becomes "M@d;m0n3y". Good luck guessing stuff like that.

    2. Sites that I care about, like online banking or ones that contain personal information (LinkedIn, for example), have random line noise for passwords and I just write them down. There is a notebook in my desk with all the passwords. The desk is locked and in my home office. That is far more secure than trying to make them easy enough to memorize.

    3. If you use Firefox, make sure you use a Master Password [mozilla.com] if you allow it to remember passwords.

    Someone posted this earlier and it is a useful BASH script.

    dd if=/dev/random bs=200 count=1 | tr -cd 'A-Za-z0-9!@#$%^&*()_+'; echo

    Copy a group of 10-15 out of the middle of that and use it for a password.

  • by vorpal22 ( 114901 ) on Saturday February 07, 2009 @02:30PM (#26765395) Homepage Journal

    I'm right handed, and I trained myself to use my mouse with my left hand. The reason? Because I was starting to develop wrist problems back when I was in IT and had to spend eight hours a day on the computer. Using the mouse with your right hand entails having to move over a much larger area of keyboard to get to it (numerical keypad, arrow keys, etc). With the left hand, you only have to travel a small distance. Also, being mouse-ambidextrous allows you to switch back and forth, thus taking the entire burden off of one hand.

    In the end, I decided to go with a trackball, which is built for the right hand (MS optical one) but which I use with my left hand. Furthermore, it's great because since it's a trackball and on the wrong side of the keyboard, it keeps people away from my computer, which is just fine with me :-).

  • by slackergod ( 37906 ) on Saturday February 07, 2009 @02:33PM (#26765409) Homepage Journal

    I agree... it just plain scares me that so many large systems don't even bother with such trivial precautions as hashing. It's even more trivial than sql injections. Up until it happened, I would have _never_ guessed myspace & phpbb stored plaintext. It seems borderline incompetent.

    I've implemented tons of little one-off account systems, for websites small enough they'll probably never even see a hacker. But before I even implemented the first one, I went through the trouble of finding the best password hash algorithm I could (http://people.redhat.com/drepper/SHA-crypt.txt)

    Sure, I've had customers ask "why can't it just email me my password when I forget?" But you know what? Just a few minutes of quick explanation, and even people with NO math or cs background can understand why it's important.

    So for the love of the gods, people, please take an hour out of your time to put in a hash alg (even md5-crypt is better than nothing)... it's just not that hard.

    ---

    Just to go off on a rant here...
    I've also noticed in some web applications there is the tendency to just pick a hash alg at random. Be warned: not all hash algorithms are created equal.

    "Checksum" algorithms such as CRC32 are woefully insufficient: easy to reverse (for small strings), easy to find collisions. They're basically just one guessable step away from plaintext.

    "Integrity" algorithms such as MD5 & SHA are a little better, since they're very hard to reverse, and difficult to find collisions.
    The problem with using these types of hashes directly is that they will always hash a password to the _same_ string. While that's desirable for their purposes (file integrity, etc), that's not good at all for passwords: you can pre-build a table of known mappings beforehand, and use it to quickly guess many passwords in parallel (aka a rainbow table): Given a table of 10k user passwords hashed like this, and a pre-built table, the odds are very good you'll get a significant number of the passwords in a very short amount of time.

    This is why a proper "Password" hash (eg bcrypt, md5-crypt, sha-crypt) includes a "salt" which is randomly generated each time the password is set (and not just the first time). This prevents the rainbow attacks which are possible on plain integrity hashes. But prepending (or appending) the salt is not enough, because its effect can be undone mathematically, at least enough so that it presents no real additional barrier.

    Genuine password hashes, while using an integrity hash as their basis, mix & blend the password and the salt in so many variable ways as to make this reversal impossible. And there are so many nuances here that _you should not roll your own_ (unless you're Bruce Schneier). Read bcrypt, sha-crypt or md5-crypt's specs for some details.

    Note: don't use the old unix-crypt. While it is a password hash in the strict sense, it's so old and simple that it's barely stronger than crc32.

    Note: sha-crypt adds additional flexibility via its "rounds" system, allowing it to easily grow more complicated as computers grow more powerful. This is why I prefer it above all the others.

    End rant: all this is why you should use sha-crypt or md5-crypt, and nothing lesser.
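To make the rant's three points concrete (identical passwords give identical unsalted hashes, a table precomputed once recovers them in bulk, and a random per-user salt with a tunable rounds count defeats that), here is an added example that is not the poster's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the sha-crypt the poster recommends; the per-user salt and the adjustable rounds are the same ideas the post describes. The user table, the candidate list and the round count are constructed for the example.

```python
"""Unsalted integrity hash vs. salted, iterated password hash.

Added example for the discussion above; not the poster's code. PBKDF2-HMAC-SHA256
from the standard library stands in for sha-crypt; the two properties the post
asks for (a fresh random salt on every password set, and a rounds count stored
with the hash so it can be raised later) are the same.
"""
from __future__ import annotations

import hashlib
import hmac
import os


# --- the weak scheme: hash the password directly -------------------------------
def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same string."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict[str, str]:
    """Precompute hash -> plaintext once; reusable against every site hashing this way."""
    return {unsalted_hash(c): c for c in candidates}


def recover_unsalted(stored_hashes, table: dict[str, str]) -> dict[str, str]:
    """Recover every stored hash that the precomputed table already contains."""
    return {h: table[h] for h in stored_hashes if h in table}


# --- the proper scheme: per-user random salt plus a tunable work factor --------
DEFAULT_ROUNDS = 100_000  # assumed value; raise it as hardware gets faster


def hash_password(password: str, salt: bytes | None = None, rounds: int = DEFAULT_ROUNDS) -> str:
    salt = os.urandom(16) if salt is None else salt  # fresh salt on every set or reset
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    # Store algorithm, rounds and salt beside the digest so old entries stay verifiable
    # after the default round count is increased.
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    alg, rounds, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def demo() -> dict:
    """Run both schemes over a constructed user table (not data from the leak)."""
    users = {"alice": "123456", "bob": "123456", "carol": "correct horse"}
    table = build_lookup_table(["123456", "password", "qwerty"])
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # the table built before the breach immediately yields alice's and bob's password
        "unsalted_recovered": recover_unsalted(unsalted.values(), table),
        # unsalted hashes also reveal that alice and bob share a password
        "unsalted_alice_equals_bob": unsalted["alice"] == unsalted["bob"],
        # with per-user salts the stored strings differ and the table finds nothing
        "salted_alice_equals_bob": salted["alice"] == salted["bob"],
        "salted_in_table": any(s in table for s in salted.values()),
        "verify_ok": all(verify_password(p, salted[u]) for u, p in users.items()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored format keeps the rounds count inside the string for the reason the poster gives for preferring sha-crypt: when the default is raised, existing hashes still verify with their recorded count and can be re-hashed at the user's next login.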

  • by tgzuke ( 737692 ) on Saturday February 07, 2009 @03:38PM (#26766031)
    I disagree. I'm left-handed, and my mouse is on the left side. My work (like most others, I'm guessing) has ambidextrous mice, and I use a Razer mouse at home. I just suffer when I find an ergonomic one in the wild, but that's no different than encountering any right-handed device, like can openers or power tools.
  • by CoolQ ( 31072 ) <quentins&comclub,org> on Saturday February 07, 2009 @03:57PM (#26766197) Homepage

    Much simpler:

    openssl rand -base64 32 | head -c 10

    Where "10" is the number of characters you want.

    --Quentin

  • by innocent_white_lamb ( 151825 ) on Saturday February 07, 2009 @05:30PM (#26766875)

    It may depend on how and when you learned to type numbers. I learned to type in school (typing class) on big Underwood manual typewriters, but never really got good at typing the numbers there. But when I got my Commodore 64 and started typing in programs out of Compute! magazine using their mlx program, which involved typing in pages and pages of nothing but numbers, I quickly learned to type numbers just as well as I can type letters. Always using the top row numbers, of course, because the Commodore 64 has no numeric keypad.

    To this day, I never use the numeric keypad on any keyboard. In fact, when it's not there (like on a laptop) I don't miss it a bit.
