Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/6/2009
05:56 PM
Robert Graham
Robert Graham
Commentary
50%
50%

PHPBB Password Analysis

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

The striking different between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to the ends of their passwords. The phpbb site has no such restrictions -- the passwords are shorter and rarely contain anything more than a dictionary word.

It's hard to judge exactly how many passwords are dictionary words. A lot of words, like "xbox" or "pokemon," are clearly words, but aren't in an English dictionary. I ran the phpbb passwords through various dictionary files and come up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple ones, like "apple" or "orange," rather than complex words like "pomegranate."

16% of passwords matched a person's first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in "Wargames," which almost certainly accounts for it being at top. Variations of the name "Jordan" are popular, which almost certainly refers to "Michael Jordan," a prominent basketball start (such as "jordan23," referring to his jersey number). This makes me wonder how many people use "Michael" as a password to refer to their children compared to sports stars.

14% of passwords were patterns on the keyboard, like "1234," "qwerty," or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357," trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among righthanded people, "159357" will be popular among lefties.

4% are variations of the word "password," such as "passw0rd," "password1," or "passwd." I googled "drowssap," trying to figure out how to categorize it, until I realized it was "password" spelled backward.

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture ("hannah," "pokemon," "tigger") and geeky ("klingon," "starwars," "matrix," "legolas," "ironman"). Music, though, appears to have a much broader age demographic, with a lot of old bands, like "ironmaiden." Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as "ou812" ('80s Van Halen album), "blink182" ('90s pop), "rush2112" ('80s album), and "8675309" ('80s pop song).

4% of passwords appear to reference things nearby. The name "samsung" is a popular password, I think because it's the brand name on the monitor that people are looking at (I have two in front of me right now). Similarly, there are a lot of names of home computers like "dell," "packard," "apple," "pavilion," "presario," "compaq," and so on. It's hard to figure out what belongs in this category, though. Is "cocacola" a popular password because there is a can of coke on their desks? Or just because it's a well-known name? In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.

3% of passwords are "emo" words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like "iloveyou" or "ihateyou").

3% are "don't care" words. I've always thought that dialogs, like Microsoft's UAC, should have a button labeled "whatever." When prompted with, "This program may contain a virus, do you want to run it?" instead of having two buttons, "YES" or "NO", dialogs should contain a third button labeled "WHATEVER" or "I DON'T CARE." A lot of password choices reflect this attitude, either implicitly with "abc123" or "blahblah," or explicitly with "whatever," "whocares," or "nothing."

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of "letmein," "trustno1," "joshua," and "monkey," but it accounts for a large percentage of passwords.

1% are sports related. I'm not a sports fan so I'm unlikely to recognize a lot them and categorize them correctly. The U.S. has a lot of popular sports, a lot of teams, and a lot of stars. This breadth means that no particular name is very popular, but in other countries, they become more concentrated. For example, in the U.K., the popular soccer teams, "arsenal" and "liverpool," are regularly in the Top 10 lists of passwords.

Here is the top 20 passwords from the phpbb dataset. You'll find nothing surprising here; all of them are on this Top 500 list.

    3.03% "123456" 2.13% "password" 1.45% "phpbb" 0.91% "qwerty" 0.82% "12345" 0.59% "12345678" 0.58% "letmein" 0.53% "1234" 0.50% "test" 0.43% "123" 0.36% "trustno1" 0.33% "dragon" 0.31% "abc123" 0.31% "123456789" 0.31% "111111" 0.30% "hello" 0.30% "monkey" 0.28% "master" 0.22% "killer" 0.22% "123123"

Notice that whereas "myspace1" was one of the most popular passwords in the MySpace dataset, "phpbb" is one of the most popular passwords in the phpbb dataset.

I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.

The password length distribution is as follows:

    1 character 0.34% 2 characters 0.54% 3 characters 2.92% 4 characters 12.29% 5 characters 13.29% 6 characters 35.16% 7 characters 14.60% 8 characters 15.50% 9 characters 3.81% 10 characters 1.14% 11 characters 0.22%

Note that phpbb has no requirements for password lengths, so people tend to choose shorter passwords than for sites like MySpace.

Update: Ashley Pinner wrote to tell me that phpBB3 uses the newer salted-passwords that require a minimum of six characters, and that anybody who has logged in since the change has had their accounts upgraded to the new hashing scheme. This means if you have logged into phpbb.com recently, then your password is less likely to have been stolen.

Update: A lot of left-handed people have told me that they use their right hand for the mouse, and therefore my theory about "159357" is incorrect.

Robert Graham is CEO of Errata Security. Special to Dark Reading

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15479
PUBLISHED: 2020-08-07
An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. The driver's IOCTL request handler attempts to copy the input buffer onto the stack without checking its size and can cause a buffer overflow. This could lead to arbitrary Ring-0 code...
CVE-2020-15480
PUBLISHED: 2020-08-07
An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. The kernel driver exposes IOCTL functionality that allows low-privilege users to map arbitrary physical memory into the address space of the calling process. This could lead to arbitr...
CVE-2020-5412
PUBLISHED: 2020-08-07
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can se...
CVE-2020-13376
PUBLISHED: 2020-08-07
SecurEnvoy SecurMail 9.3.503 allows attackers to upload executable files and achieve OS command execution via a crafted SecurEnvoyReply cookie.
CVE-2020-15907
PUBLISHED: 2020-08-07
In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names containing JavaScript.