Hacked password list offers security insights

Recently a niche programming-oriented website called phpbb.com had its user database hacked into and the passwords for 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see. And while this is really bad news for those 20,000 unlucky souls, it offers an instructive lesson on password security for the rest of us.

InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they’ve been told not to do since passwords were first invented.

Author/analyst Robert Graham has tons of analysis on offer. I’m ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: These passwords are from a group of people interested in computer programming, so if anyone should know better, it’s these guys.

> The most popular password (3.03% of the 20,000) was “123456.” It’s also generally considered the most common password used today.

> 4 percent used some variant of the word “password.” Seriously, people, there’s no excuse for this one. “password” was the 2nd most popular password used, also in keeping with historical trends.

> 16 percent of passwords were a person’s first name. No word on whether it was the user’s own first name, but it was someone’s. Joshua is the most commonly used first-name password, a likely reference to the movie WarGames.

> Patterns abound. In addition to “123456,” other patterns like “12345,” “qwerty,” and “abc123” were common, comprising 14 percent of the passwords used.

> 35 percent of passwords were six characters long. 0.34 percent were only one character long.

> For reasons no one can explain, “dragon,” “master,” and “killer” all crack the top 20 passwords. (On the top 500 password list linked above, “dragon” is #7.)

> One thing Graham doesn’t discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account). In other words, they may very well have intentionally chosen something simplistic here to avoid re-using a password they save for an important login, just in case this site got hacked. Which, it turns out, it did.

I could go on, but Graham’s post has way more detail than I can digest here and it’s easy-reading too. Worth a close look for any citizen of the web.
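Anyone auditing a credential dump, or their own organization’s password hashes after cracking them in a sanctioned test, can reproduce the headline figures above with a short script. The following is an added example, not code from the original post or from Graham’s analysis; the sample list, the first-name list, the pattern list and the character-substitution heuristic are all constructed here and would be replaced with real wordlists in practice.

```python
from collections import Counter

# Constructed sample dump standing in for a leaked list (not the phpbb.com data).
SAMPLE_DUMP = """123456
password
Password1
joshua
qwerty
12345
abc123
dragon
letmein
a
michael
123456
passw0rd
x7$Kq!9zLm
joshua
123456
master
jessica
killer
Tr0ub4dor&3"""

# Tiny constructed lists; a real audit would load full name and pattern wordlists.
FIRST_NAMES = {"joshua", "michael", "jessica", "daniel", "thomas"}
PATTERNS = {"123456", "12345", "1234567", "qwerty", "abc123", "111111", "asdfgh"}

# Undo common character substitutions so "passw0rd" and "P@ssword" still count
# as variants of "password" (heuristic: 1 is always read as i here).
LEET = str.maketrans("0134@$", "oieaas")

def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)

def analyze(dump: str) -> dict:
    """Compute the headline statistics from a newline-separated password list."""
    pws = [line for line in dump.splitlines() if line]  # keep passwords verbatim
    n = len(pws)
    pct = lambda k: round(100.0 * k / n, 2)
    top_pw, top_count = Counter(pws).most_common(1)[0]
    lengths = Counter(len(p) for p in pws)
    return {
        "total": n,
        "top_password": top_pw,
        "top_share": pct(top_count),
        "password_variants": pct(sum("password" in normalize(p) for p in pws)),
        "first_names": pct(sum(p.lower() in FIRST_NAMES for p in pws)),
        "patterns": pct(sum(p.lower() in PATTERNS for p in pws)),
        "six_chars": pct(lengths[6]),
        "one_char": pct(lengths[1]),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Percentages are relative to the whole list, so a password such as “123456” is counted both as the top password and as a pattern, the same way the figures above overlap.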


Posted on February 9, 2009, in Web Dev. 2 Comments.

  1. dpatrickcaldwell

    I enjoyed your post about password security. That’s one of my favorite topics in my blog (in fact, I wrote something today about how programmers store passwords). It’s really frustrating for me when I have a really strong password and someone does something stupid with it like email my password to me, store it in plain text, or have me verify my social security number as authentication.

    I hate when I’m trying to type a password in and I can’t use # or ! or other special characters or I can’t use a password longer than 12 characters. I mean, why limit me on the strength of my own password? Oh well, thanks for the blog post. It’ll get people to use secure passwords, but it’s up to the programmers out there to handle them better.

  2. I think the last point you make is extremely relevant. The less important people think the information contained in their account is, the less likely they are to develop a strong password. However, I think most people unfortunately still have the attitude that identity theft is not something that will happen to them and act accordingly.
