Mon Feb 9, 2009 1:34AM EST
Recently phpbb.com, the home site of the phpBB forum software, had its user database hacked into and the passwords of 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see. While this is really bad news for those 20,000 unlucky souls, it offers an instructive lesson on password security for the rest of us.
InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they've been told not to do since passwords were first invented.
Author/analyst Robert Graham has tons of analysis on offer. I'm ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: these passwords come from a group of people interested in computer programming, so if anyone should know better, it's these guys.
> The most popular password (3.03% of the 20,000) was "123456." It's also generally considered the most common password used today.
> 4 percent used some variant of the word "password." Seriously, people, there's no excuse for this one. "password" was the 2nd most popular password used, also in keeping with historical trends.
> 16 percent of passwords were a person's first name. No word on whether it was the user's own first name, but it was someone's. "Joshua" is the most commonly used first-name password, a likely reference to the movie WarGames.
> Patterns abound. In addition to "123456," other patterns like "12345," "qwerty," and "abc123" were common, comprising 14 percent of the passwords used.
> 35 percent of passwords were six characters long. 0.34 percent were only one character long.
> For reasons no one can explain, "dragon," "master," and "killer" all crack the top 20 passwords. (On the top 500 password list linked above, "dragon" is #7.)
> One thing Graham doesn't discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account). In other words, they may very well have intentionally chosen something simplistic here to avoid re-using a password they save for an important login, just in case this site got hacked. Which, it turns out, it did.
I could go on, but Graham's post has way more detail than I can digest here and it's easy-reading too. Worth a close look for any citizen of the web.
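As an added example, not code from the original post or from Graham's analysis, here is a small Python script that computes the same kinds of statistics over any list of plaintext passwords: the most frequent entries, the share that are keyboard or number patterns, first names, or variants of "password," and the length distribution. The password sample, the first-name list and the pattern list are all constructed here for illustration and are deliberately tiny; a real audit would swap in the cracked list and a proper census name list.

```python
"""Frequency analysis of a leaked password list, in the style of the
phpBB.com statistics quoted above.

Everything below is constructed for illustration: the passwords are a
made-up sample, not the leaked phpBB.com data, and the name and pattern
lists are hypothetical stand-ins for the large lists a real audit uses.
"""
from collections import Counter
import re

# Constructed sample of 20 plaintext passwords.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "Password1", "joshua",
    "qwerty", "abc123", "12345", "dragon", "michael", "letmein",
    "1", "master", "killer", "Jennifer", "xK9#vq2!Lm", "sunshine",
    "123456", "passw0rd",
]

# Hypothetical first-name list (a real audit would use a census list).
FIRST_NAMES = {"joshua", "michael", "jennifer", "david", "jessica"}

# Common keyboard-walk and digit-sequence patterns (hypothetical short list).
PATTERNS = {"123456", "12345", "1234567", "12345678", "qwerty", "abc123",
            "111111", "654321"}

# "password", "Password1", "passw0rd", "pass word" ... all count as variants.
PASSWORD_VARIANT = re.compile(r"pass\s*w[o0]rd", re.IGNORECASE)


def top_n(passwords, n=5):
    """Return [(password, count, percent)] for the n most common entries."""
    total = len(passwords)
    return [(pw, c, round(100.0 * c / total, 2))
            for pw, c in Counter(passwords).most_common(n)]


def percent(passwords, predicate):
    """Percentage of the list for which predicate(password) is truthy."""
    if not passwords:
        return 0.0
    hits = sum(1 for pw in passwords if predicate(pw))
    return round(100.0 * hits / len(passwords), 2)


def length_histogram(passwords):
    """Map password length -> percentage of the list with that length."""
    total = len(passwords)
    counts = Counter(len(pw) for pw in passwords)
    return {k: round(100.0 * v / total, 2) for k, v in sorted(counts.items())}


def analyze(passwords):
    """Reproduce the headline statistics from the article for any list."""
    return {
        "top": top_n(passwords),
        "pct_password_variant": percent(passwords, PASSWORD_VARIANT.search),
        "pct_first_name": percent(passwords, lambda p: p.lower() in FIRST_NAMES),
        "pct_pattern": percent(passwords, lambda p: p.lower() in PATTERNS),
        "pct_one_char": percent(passwords, lambda p: len(p) == 1),
        "lengths": length_histogram(passwords),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS)
    for pw, count, pct in report["top"]:
        print(f"{pw:<12} {count:>3} {pct:>6.2f}%")
    for key in ("pct_password_variant", "pct_first_name", "pct_pattern",
                "pct_one_char"):
        print(f"{key:<22} {report[key]:>6.2f}%")
    print("length distribution:", report["lengths"])
```

Two caveats when reading numbers like the ones in the article: the "first name" and "pattern" percentages depend entirely on the lists you compare against, so they are only comparable across leaks when the same lists are used, and the script counts exact matches only, so "Joshua1" or "dragon!" would not be caught unless you add a normalization step that strips trailing digits and punctuation before the lookup.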
What is wrong with people today? Don't they have anything better to do than steal people's passwords? Get a life. I mean a life worth feeling good about. What, do they want to go down in history as the world's smartest computer hackers, or shall I say computer wizards!!!
There is a lady in one of the game rooms on Yahoo, in the game Pyramids, who claims to be able to get into profiles and find out who people are. I changed my nickname one time and she got into the profile on it and found out it was me. Does this mean she is hacking, and can she be held accountable for it? She also claims to know people that can render your computer unusable, and if we believe what she says and what her friends say, they can. She also claims there are programs you can get to be able to do this, though so far she has not said what they are. Guess she is one of these people that love to have people afraid of her.
I have three levels of passwords. The lowest level are the passwords that I use for nuisance sites; their need for a password is really nil, in my opinion. Next are the passwords that are requested for good purpose, but there is no money or important information that could be lost. The highest level passwords are for sites where there is something important that needs to be protected; banking information for example.
Well, that's real good. Explain to the world the most commonly used passwords. It's a good starting point on figuring one out. Maybe someone will get lucky using this article.
1 Posted by aa4mw on Thu Sep 3, 2009 2:43PM EDT
Ah yes, I think you have called it: these are "low security" passwords! Personally I have several passwords depending on security level, one for "hassle" sites which just seem to want a password for no particular reason, all the way up to a unique 13-character one for each account that handles money! It would be interesting to see the equivalent list from a bank or brokerage. Oh yes, even my lowest security password is not in any dictionary and has both numbers and letters; I use an old friend's ham radio call sign! It would be cool to use an old CB call from when such things were issued as well :-)