Mon Feb 9, 2009 1:34AM EST
Recently a niche programming-oriented website called phpbb.com had its user database hacked into and the passwords for 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see. And while this is really bad news for those 20,000 unlucky souls, it offers an instructive lesson on password security for the rest of us.
InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they've been told not to do since passwords were first invented.
Author/analyst Robert Graham has tons of analysis on offer. I'm ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: these passwords come from a group of people interested in computer programming, so if anyone should know better, it's these guys.
> The most popular password (3.03% of the 20,000) was "123456." It's also generally considered the most common password used today.
> 4 percent used some variant of the word "password." Seriously, people, there's no excuse for this one. "password" was the 2nd most popular password used, also in keeping with historical trends.
> 16 percent of passwords were a person's first name. No word on whether it was the user's own first name, but it was someone's. Joshua is the most commonly used first-name password, a likely reference to the movie WarGames.
> Patterns abound. In addition to "123456," other patterns like "12345," "qwerty," and "abc123" were common, comprising 14 percent of the passwords used.
> 35 percent of passwords were six characters long. 0.34 percent were only one character long.
> For reasons no one can explain, "dragon," "master," and "killer" all crack the top 20 passwords. (On the top 500 password list linked above, "dragon" is #7.)
> One thing Graham doesn't discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account). In other words, they may very well have intentionally chosen something simplistic here to avoid re-using a password they save for an important login, just in case this site got hacked. Which, it turns out, it did.
I could go on, but Graham's post has way more detail than I can digest here and it's easy-reading too. Worth a close look for any citizen of the web.
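To make the kind of breakdown summarized above concrete, here is an added example of the frequency analysis a practitioner would run over a leaked password list: most common strings, "password" variants, first names, keyboard sequences, and the length distribution. This is not Robert Graham's code, and the password list in it is constructed for illustration rather than taken from the phpbb.com dump. The first-name, common-word and keyboard-sequence lists are assumed, deliberately tiny placeholders; a real analysis would substitute a census first-name list and a large common-password list.

```python
"""Frequency analysis of a leaked password list (added example).

Classifies each password into the weakness categories the article
discusses and aggregates percentages over the whole list. Reference
lists are small placeholders, not real data sources.
"""
import re
from collections import Counter

# Constructed sample, skewed the way the article describes. Not real data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456",
    "password", "password", "Password1", "passw0rd",
    "joshua", "joshua", "michael", "jennifer1",
    "qwerty", "qwerty", "abc123", "12345",
    "dragon", "master", "killer",
    "a",
    "letmein", "monkey", "sunshine",
    "Tr0ub4dor&3", "xK9#pLq2!vB7", "blue-whale-orbit-42",
]

# Assumed placeholder reference lists (replace with real wordlists in practice).
FIRST_NAMES = {"joshua", "michael", "jennifer", "daniel", "sarah", "andrew", "jessica"}
COMMON_WORDS = {"dragon", "master", "killer", "letmein", "monkey", "sunshine"}
KEYBOARD_SEQUENCES = {"qwerty", "qwertyuiop", "asdfgh", "abc123", "zxcvbn"}
DIGIT_RUN = "1234567890"
ALPHA_RUN = "abcdefghijklmnopqrstuvwxyz"
# "password", "Password1", "passw0rd", "p@ssword" and similar leetspeak variants.
PASSWORD_VARIANT = re.compile(r"p[a@4]ss?w[o0]rd")
MIN_LENGTH = 8  # assumed policy threshold for the "short" category


def classify(pw: str) -> frozenset:
    """Return the set of weakness categories a single password falls into.

    An empty set means none of the checks fired; it does not mean the
    password is strong, only that it escaped these particular heuristics.
    """
    low = pw.lower()
    stem = re.sub(r"\d+$", "", low)  # "jennifer1" -> "jennifer"
    cats = set()
    if PASSWORD_VARIANT.search(low):
        cats.add("password_variant")
    if stem in FIRST_NAMES:
        cats.add("first_name")
    if stem in COMMON_WORDS:
        cats.add("common_word")
    if (low in KEYBOARD_SEQUENCES
            or (len(low) >= 3 and low in DIGIT_RUN)      # "12345", "123456"
            or (len(low) >= 4 and low in ALPHA_RUN)      # "abcd", "abcdef"
            or (len(low) >= 3 and len(set(low)) == 1)):  # "aaaaaa", "111111"
        cats.add("sequence")
    if len(pw) < MIN_LENGTH:
        cats.add("short")
    return frozenset(cats)


def analyze(passwords, top_n: int = 5) -> dict:
    """Aggregate the per-password classification into list-wide percentages."""
    total = len(passwords)
    exact_counts = Counter(passwords)           # exact-string frequency, like the article
    cat_counts = Counter()
    length_counts = Counter(len(p) for p in passwords)
    weak = 0
    for pw in passwords:
        cats = classify(pw)
        cat_counts.update(cats)
        if cats:
            weak += 1

    def pct(n: int) -> float:
        return round(100.0 * n / total, 2)

    return {
        "total": total,
        "top": exact_counts.most_common(top_n),
        "category_pct": {c: pct(n) for c, n in cat_counts.items()},
        "length_pct": {length: pct(n) for length, n in sorted(length_counts.items())},
        "weak_pct": pct(weak),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_PASSWORDS)
    print(f"{result['total']} passwords analysed")
    for pw, n in result["top"]:
        print(f"  {pw!r:24} {n:3d}  ({100.0 * n / result['total']:.2f}%)")
    for cat, p in sorted(result["category_pct"].items()):
        print(f"  {cat:18} {p:6.2f}%")
    for length, p in result["length_pct"].items():
        print(f"  length {length:2d}: {p:6.2f}%")
    print(f"  weak overall: {result['weak_pct']:.2f}%")
```

Run the file directly to get a report over the constructed sample; point `analyze()` at a real list (one password per line, read with `open(...).read().splitlines()`) to reproduce the article's style of numbers. Note the caveat raised in the comments below about selection bias: if the list you analyze contains only the passwords that were cracked rather than every account, the percentages describe the crackable subset, not the whole user base.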
I agree that hackers suck...but they do serve a purpose to reveal security flaws. It's just a fact of life that someone out there is going to steal with bad intentions. There are some hackers out there that just call attention to those flaws in a benign way to make us alert.
My passwords are a mix of Spanish, Chinese, English, French, Japanese and German all together. That's why people need to learn another language, not just English.
I simply use a second-language word for my passwords. However, my language is considered "dead," so I feel somewhat confident they couldn't figure it out. Any thoughts about that?
I have so many passwords that I have to do the security questions to find out what they are a lot of times. But for the most part, on stuff like forums I too just use something simple. It makes the most sense.
I guess this isn't an important comment, but... the article says Joshua is the most commonly used first-name password, but it's #63 on the list, WELL below Michael, Jennifer, and several others. I'm confused.
Ya, I think you have to look at the source here. I use the same password for the numerous sites for everything that has nothing to do with my finances or personal information. Let's face it, you need a password for just about everything on the web, but would I be offended if someone hacked, say, my wiki password? My GameFAQs account? Or one of the other random blog thingys, etc.? The answer is no, and it's a waste of time and energy to have something unique for these types of sites. I believe most people fall into this category. However, I am not above thinking that some people still use these generic codes in more important things. All it takes really is for you to actually know someone that has suffered some type of identity theft to wake up.
There are a number of forums and sites that I'm a very active member of- and the mentality of some of the other writers can easily account for variations of dragon, master, and killer being popular passwords. As for my passwords- I tend to use words that mean absolutely nothing to anyone but me, and to change frequently! I also store them in my head where no one can get at them.
What was a web site doing STORING passwords anyway? This is an absolutely inexcusable security breach. No web site should ever store passwords. (Web sites do not need to store passwords (or even encrypted versions of passwords) in order to authenticate users - read up on computer security to find out how this works).
There is a message board builder whereby the owner of the board can see everyone's password and change them if he or she wants to. I didn't know this until the owner, who's a good friend of mine, said he knew I was my alter ego because he could see my email and that he could also see my password. I think it's naive to believe that anything you do on the internet is a secret. It's just naive to think that anything that is done online is a secret and can be kept a secret. If you want to keep a secret, don't tell anyone. If there's something that you're doing that, if someone found out it was you, you'd be arrested, you should stop doing it. Sarah Palin's account was hacked into when the person sent an email to Yahoo saying they were from her account and they were locked out, and Yahoo reset the password and sent it to the hacker.
I think most people use those types of passwords so they can remember them easier. I mix mine with letters, numbers, and symbols.
I think I shall now change my password to "hacker" as an homage to the idiots who have NOTHING better to do with their time than break into MySpace accts. LOLOLOL Oh, and by the way, my passwords are a combination of Latin and Hebrew with numbers mixed throughout, have fun boys!
I feel that when a person gets into someone else's personal e-mails, private info, etc., they should just take them out and shoot them. Bet that might stop a few people from doing it.
And people wonder why they get jacked....
The real percent of 12345 should not be 600/20,000 (3%) but actually 600/160,000 (0.4%) because the 20,000 leaked pw are already selected from the 160,000 total accounts due to weak passwords (allowing MD5 hash collision).
WOW lol. Why all the talk about the "good and well thought out passwords" that you all have? Truth is, any hacker worth his computer doesn't need passwords. Over 90% of all programs made have a back door access. And any programmer that paid attention in school can make password generators. Does anyone really think this guy used a password to hack into the website? Get a life. Odds are there is a hidden button on the site for executive entrance and file storage. Crazy as it seems, I admire this guy. He effectively showed his ability (without getting caught) in a completely meaningless way that got him world coverage on Yahoo lol kudos
The fingers of hackers should be cut off of their hands! I don't know how much money they have cost the world. Instead of using their brains to help people solve problems of the world, they use them to hurt the world. posted the common man
All companies need to do is install a good web application firewall (or WAF) such as ServerDefender, which is made by Port80 Software. I would recommend people taking a look at it at www.Port80Software.com
i use throw-away passwords on sites i don't care about. on sites like banking, my password is 17 characters :)
http://www.rayahari.com/hack-Facebook-passwords.php are reliable! Their service to hack into a Facebook account is incredible! I was a little antsy waiting to know the Facebook hacking password, but once I got the email that they had gotten in and I saw the proof my heart dropped! Within minutes of making the payment I had the password! This is real, not no gimmick! I highly recommend these guys! I know ppl are always iffy about trusting such a site, but I was desperate and said ----- IT, thank goodness that RayaHari.com is legit! I thank a bunch, RayaHari is the BEST!!!!! BTW, I found another website that can hack Yahoo passwords and another one specialized in hacking into Hotmail passwords. Diane Calhoun, New York US
Posted by markruch on Thu Sep 3, 2009 7:08PM EDT
You end your 60 Minutes moment by saying: "One thing Graham doesn't discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account)." Great, so then this whole article is pointless, isn't it? I worked for an info security company, and IT folks dream that strong passwords are a magic balm and FORCE users to choose passwords according to a growing number of criteria (as if I need to worry about someone breaking in to my Comcast account and paying my bill). As it turns out, and no doubt in reaction to the ever growing range of enforced strong password policies, the biggest failure in computer security occurs when people have SO many difficult passwords that they write them on post-its and stick them to their monitor or somewhere equally convenient.