Hacked password list offers security insights

Mon Feb 9, 2009 1:34AM EST


Recently a niche programming-oriented website called phpbb.com had its user database hacked into and the passwords for 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see. And while this is really bad news for those 20,000 unlucky souls, it offers an instructive lesson on password security for the rest of us.

InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they've been told not to do since passwords were first invented.

Author/analyst Robert Graham has tons of analysis on offer. I'm ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: These passwords are from a group of people interested in computer programming, so if anyone should know better, it's these guys.

> The most popular password (3.03% of the 20,000) was "123456." It's also generally considered the most common password used today.

> 4 percent used some variant of the word "password." Seriously, people, there's no excuse for this one. "password" was the 2nd most popular password used, also in keeping with historical trends.

> 16 percent of passwords were a person's first name. No word on whether it was the user's own first name, but it was someone's. Joshua is the most commonly used first-name password, a likely reference to the movie WarGames.

> Patterns abound. In addition to "123456," other patterns like "12345," "qwerty," and "abc123" were common, comprising 14 percent of the passwords used.

> 35 percent of passwords were six characters long. 0.34 percent were only one character long.

> For reasons no one can explain, "dragon," "master," and "killer" all crack the top 20 passwords. (On the top 500 password list linked above, "dragon" is #7.)

> One thing Graham doesn't discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account). In other words, they may very well have intentionally chosen something simplistic here to avoid re-using a password they save for an important login, just in case this site got hacked. Which, it turns out, it did.

I could go on, but Graham's post has way more detail than I can digest here, and it's easy reading too. Worth a close look for any citizen of the web.
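The kind of analysis the post summarizes, written out as an added example (not Graham's or InformationWeek's code) over a constructed sample list rather than the real leak: most-common entry, "password" variants, first names, simple patterns and a length histogram, plus a check that turns a leaked list into a defensive blocklist. FIRST_NAMES and PATTERNS are assumed stand-ins for a real name dictionary and pattern set.

```python
import re
from collections import Counter

# Constructed sample list standing in for a leaked file; not the real data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "Password1", "qwerty",
    "joshua", "Joshua", "michael", "dragon", "abc123", "12345",
    "letmein", "a", "x7!Qp9#z", "summer2008", "master", "killer",
    "sarah", "correcthorse",
]
FIRST_NAMES = {"joshua", "michael", "sarah", "robert", "jennifer"}  # constructed
PATTERNS = [
    re.compile(r"^\d+$"),                      # digit runs such as 12345
    re.compile(r"^(qwerty|asdf|zxcv)", re.I),  # keyboard walks
    re.compile(r"^abc\d+$", re.I),             # abc123 and friends
]

def is_pattern(pw):
    return any(p.search(pw) for p in PATTERNS)

def audit(passwords):
    """Statistics of the kind the article quotes, as percentages of the list."""
    n = len(passwords)
    pct = lambda k: round(100.0 * k / n, 2)
    counts = Counter(passwords)
    top, top_count = counts.most_common(1)[0]
    lower = [p.lower() for p in passwords]
    return {
        "most_common": top,
        "most_common_pct": pct(top_count),
        "password_variant_pct": pct(sum("password" in p for p in lower)),
        "first_name_pct": pct(sum(p in FIRST_NAMES for p in lower)),
        "pattern_pct": pct(sum(is_pattern(p) for p in passwords)),
        "length_hist": dict(sorted(Counter(map(len, passwords)).items())),
    }

def blocklist_from(passwords, top_k=10):
    """Defensive use of a leak: refuse its most frequent entries outright."""
    return {p.lower() for p, _ in Counter(passwords).most_common(top_k)}

def is_weak(pw, blocklist, min_len=8):
    """True if a candidate is a top leaked value, a first name, a pattern, or short."""
    low = pw.lower()
    return (low in blocklist or low in FIRST_NAMES
            or is_pattern(pw) or len(pw) < min_len)

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS))
    print(is_weak("123456", blocklist_from(SAMPLE_PASSWORDS)))
```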

Comments on Hacked password list offers security insights


  • 46 Posted by kavyle1 on Thu Sep 3, 2009 4:48PM EDT

    Me and my friend are just sitting here laughing our butts off while we read these! "123456"? How is that smart? Even our passwords are better. =/ If you ask me, I think the hacker was just trying to teach those idiots a lesson. (No offence to the idiots I'm referring to. ;) ) Kinda like Kira ("Death Note") was doing to those criminals. Except the hacker was being a lot nicer to these people. Not killing criminals, but just setting an example to the world. "DON'T CHOOSE STUPID PASSWORDS!"

  • 47 Posted by ashleigh2501 on Thu Sep 3, 2009 2:58PM EDT

    The people that have that for a password obviously don't grasp the significance of having a password in the first place. Now that their emails and bank accounts have been hacked, I bet they will wake up and realize the password's importance.

  • 48 Posted by tamarbarnousky on Thu Sep 3, 2009 9:55PM EDT

    Honestly, you should use good passwords on message boards too... just in case you tick someone off. It happens constantly - someone gets mad, hacks into your account, and posts a bunch of obscenities/rule-breaking material in order to get you banned. If you're worried about forgetting passwords, just keep a piece of paper by your computer and write them down as you sign up for things... not that hard.

  • 49 Posted by darkeyedangel136 on Thu Sep 3, 2009 3:36PM EDT

    Wow, and here I thought that only small children used simple passwords such as these. I use several passwords for different things, and they are all a combination of several words in a different language and numerals. Now more than ever people need to protect themselves from thieves and dishonest people trying to make a buck.

  • 50 Posted by nobackyardgrass on Thu Sep 3, 2009 7:40PM EDT

    What Chris fails to mention is the password that was hacked. How safe was that? These others were stolen only because the database password (and login, no doubt) was hacked.

  • 51 Posted by flyingcar28 on Thu Sep 3, 2009 4:01PM EDT

    Who uses "password" for a password? Also, Joshua seems like an easy password to guess because, like the article says, it was from WarGames.

  • 52 Posted by louralf1 on Thu Sep 3, 2009 6:57PM EDT

    Any good password should contain a combination of BOTH letters and numbers and should NOT be any recognizable pattern (names, addresses, phone numbers etc) that a thief might find in your wallet.

  • 53 Posted by defcon888 on Thu Sep 3, 2009 3:40PM EDT

    I use a program called ROBOFORM. I have used it for 8 years and can't live without it. I only have to remember one password...the one to log into it. It even has a password generator (i.e. here is one "37yH6578#&") and that is random...never the same one twice. I don't know how many people use their kids' first names (my boss does) and it is a joke around here. Come on people, add a "%" or "$" in. If you do decide to write them in a WORD file....don't name the file "PW" or "passwords", and encrypt it..which means you would have to remember yet another password.

  • 54 Posted by sadicoy on Thu Sep 3, 2009 8:59PM EDT

    Coming from a Private Investigator? Those passwords aren't the norm. Those are usually passwords attached to an elder generation or teens. Best passwords are 100% random strung-together words, symbols and numbers. A lot of people use their Social Security number.. easy to crack if you have cracking soft-warez and then they've got your SSI. Everyone thinks "can't happen to me!", even I have been hacked with all my know-how and security. ~Sadicoy

  • 55 Posted by conan8_8 on Thu Sep 3, 2009 3:28PM EDT

    Meh. I use the shortest allowable password for garbage like message boards. I am not going to waste time coming up with unique secure passwords for every internet forum I visit. And even if one of those folks had the most secure password ever conceived, they'd be doing the same thing as the folks who used the one from Spaceballs: setting a new password. Nothing gained for their effort. Now for a bank? Yes, I'd use a good password and hopefully a few pass questions in the login series.

  • 56 Posted by giova251 on Thu Sep 3, 2009 4:09PM EDT

    I think this matter needs to be brought to justice (o.k., I just realized how corny that sounded).

  • 57 Posted by splatter1@verizon.net on Thu Sep 3, 2009 9:36PM EDT

    no matter how simple or complicated your password may be, if a hacker really, really wanted into your account, I'm sure they'd get in to it. After all, they are nerds with nothing better to do right? If they had lives of their own, other people's accounts would not matter to them in the least.

  • 58 Posted by paradigit@sbcglobal.net on Thu Sep 3, 2009 7:59PM EDT

    Take the time to create a real password that others cannot get at. We live in an electronic age and we might as well get used to it. It is eventually going to be a paperless, database oriented, information nightmare, unless we get a grip on it and figure it out.

  • 59 Posted by rbyrd2198@sbcglobal.net on Thu Sep 3, 2009 8:31PM EDT

    Thanks for the post. This will keep me on my toes. But I am like what aa4mw said. I have easy ones to remember, very simple and low security, but I also have very, very high security passwords that are 16-17 characters long consisting of letters, numbers, and symbols. I would like to see them break those. lol

  • 60 Posted by s.simpson9845@att.net on Thu Sep 3, 2009 8:59PM EDT

    How do you know when someone has hacked my account? There have been many times emails have been delivered to my account (mostly personal) that are bold in font, then suddenly the font is faded as if I have opened and read it. If my account has been hacked, what necessary steps must be taken?

  • 61 Posted by megawo@bellsouth.net on Thu Sep 3, 2009 7:15PM EDT

    I'm a journalist. I interviewed the president of a company which sells virus protection, firewalls, etc. He said that every computer in the country is hacked at least twice a week, including theirs. Most hackers are voyeurs who just like to look around. Second are the mischief makers who like to leave one little bug just to let you know they've been there. Last, of course, are the crooks who can do real damage. Best passwords are a combination of caps and lower case and numbers.
