
A must read about Passwords ( is your p@ssw0rd safe )


sirlonewolf


I got this from one of my friends who works in IT

[hide=PHPBB Password Analysis]PHPBB Password Analysis

Posted by Robert Graham, Feb 6, 2009 05:56 PM

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to the ends of their passwords. The phpbb site has no such restrictions -- the passwords are shorter and rarely contain anything more than a dictionary word.

It's hard to judge exactly how many passwords are dictionary words. A lot of words, like "xbox" or "pokemon," are clearly words, but aren't in an English dictionary. I ran the phpbb passwords through various dictionary files and came up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple ones, like "apple" or "orange," rather than complex words like "pomegranate."

16% of passwords matched a person's first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in "Wargames," which almost certainly accounts for it being at top. Variations of the name "Jordan" are popular, which almost certainly refers to "Michael Jordan," a prominent basketball star (such as "jordan23," referring to his jersey number). This makes me wonder how many people use "Michael" as a password to refer to their children compared to sports stars.

14% of passwords were patterns on the keyboard, like "1234," "qwerty," or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357," trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among righthanded people, "159357" will be popular among lefties.

4% are variations of the word "password," such as "passw0rd," "password1," or "passwd." I googled "drowssap," trying to figure out how to categorize it, until I realized it was "password" spelled backward.

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture ("hannah," "pokemon," "tigger") and geeky ("klingon," "starwars," "matrix," "legolas," "ironman"). Music, though, appears to have a much broader age demographic, with a lot of old bands, like "ironmaiden." Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as "ou812" ('80s Van Halen album), "blink182" ('90s pop), "rush2112" ('80s album), and "8675309" ('80s pop song).

4% of passwords appear to reference things nearby. The name "samsung" is a popular password, I think because it's the brand name on the monitor that people are looking at (I have two in front of me right now). Similarly, there are a lot of names of home computers like "dell," "packard," "apple," "pavilion," "presario," "compaq," and so on. It's hard to figure out what belongs in this category, though. Is "cocacola" a popular password because there is a can of coke on their desks? Or just because it's a well-known name? In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.

3% of passwords are "emo" words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like "iloveyou" or "ihateyou").

3% are "don't care" words. I've always thought that dialogs, like Microsoft's UAC, should have a button labeled "whatever." When prompted with, "This program may contain a virus, do you want to run it?" instead of having two buttons, "YES" or "NO", dialogs should contain a third button labeled "WHATEVER" or "I DON'T CARE." A lot of password choices reflect this attitude, either implicitly with "abc123" or "blahblah," or explicitly with "whatever," "whocares," or "nothing."

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of "letmein," "trustno1," "joshua," and "monkey," but it accounts for a large percentage of passwords.

1% are sports related. I'm not a sports fan so I'm unlikely to recognize a lot of them and categorize them correctly. The U.S. has a lot of popular sports, a lot of teams, and a lot of stars. This breadth means that no particular name is very popular, but in other countries, they become more concentrated. For example, in the U.K., the popular soccer teams, "arsenal" and "liverpool," are regularly in the Top 10 lists of passwords.

Here are the top 20 passwords from the phpbb dataset. You'll find nothing surprising here; all of them are on this Top 500 list.

3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

Notice that whereas "myspace1" was one of the most popular passwords in the MySpace dataset, "phpbb" is one of the most popular passwords in the phpbb dataset.

I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.

The password length distribution is as follows:

1 character 0.34%
2 characters 0.54%
3 characters 2.92%
4 characters 12.29%
5 characters 13.29%
6 characters 35.16%
7 characters 14.60%
8 characters 15.50%
9 characters 3.81%
10 characters 1.14%
11 characters 0.22%

Note that phpbb has no requirements for password lengths, so people tend to choose shorter passwords than for sites like MySpace.

Update: Ashley Pinner wrote to tell me that phpBB3 uses the newer salted-passwords that require a minimum of six characters, and that anybody who has logged in since the change has had their accounts upgraded to the new hashing scheme. This means if you have logged into phpbb.com recently, then your password is less likely to have been stolen.

Update: A lot of left-handed people have told me that they use their right hand for the mouse, and therefore my theory about "159357" is incorrect.

Robert Graham is CEO of Errata Security. Special to Dark Reading[/hide]

I hope players have better passwords.

'Nough said.

It's sad to see how horrible people are at making passwords, especially this:

3.03% "123456"
2.13% "password"

Setting password to password must be the dumbest thing you could possibly do whatsoever.

I just don't get how people can set passwords to things like these. Personally, my passwords all involve caps, lower case, over 5 random numbers and over 8 letters (ones that you would NEVER guess. Ever.).

Faults in IT security are as old as IT itself though.


I found this on the same web site

[hide=How Hackers Will Crack Your Password]How Hackers Will Crack Your Password

Posted by Robert Graham, Jan 21, 2009 02:53 PM

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).

The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.

The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.

Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:

5 characters = 10 seconds
6 characters = 1,000 seconds
7 characters = 1 day
8 characters = 115 days
9 characters = 31 years
10 characters = 3,000 years

This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more.

This is also why you need complex passwords containing uppercase and lowercase, numbers, and symbols. That's 100 possible combinations for each character. Lowercase passwords have only 26 combinations per character. A hacker can guess an all-lowercase password of 10 characters in about two days.

However, hackers have another trick up their collective sleeve: the mutated dictionary attack. Because of the above problem, you might choose a large password, like "Aardvark-Zebra9." This is longer than what a hacker will be able to discover by brute force. So hackers solve this with a "dictionary" attack. Instead of trying all combinations of characters, they instead try to match passwords with words in a dictionary. They then "mutate" the words, reflecting common things people do to passwords.

When users are told to make their passwords complex, they usually do something simple to them. Instead of choosing "robert" as a password, they will make it "robert!". Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this, so their dictionary cracks will do the same thing.

Here is a list of common mutations a hacker will try to dictionary words:

capitalizing the first letter of a word;
checking all combinations of upper/lowercase for words;
inserting a number randomly in the word;
putting numbers on the ends of words;
putting numbers on the beginning of words;
putting the same pattern at both ends, like *foobar*;
replacing letters like "o" and "l" with numbers like "0" and "1";
punctuating the end of words;
duplicating the first letter, or all letters in the word;
combining two words together; and
putting punctuation or space between the words.

Hackers are also smart about which words they choose. They don't just choose English words, but also include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears.

If they know who you are, they will find words particular to you. Let's say your name is "John Smith," you drive a "BMW," you work for "Microsoft," and you like to watch "The Office." A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, "Carell325i" seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you. (I like to use the Associative Word List Generator Web site to generate password lists for me.)

So how do you choose something that hackers can't guess? Well, remember that hackers aren't all-powerful. The more complex the things they have to check, the less likely they are to guess your password. Yes, they will check for numbers on the ends of passwords, but as long as you've chosen something like your birthdate instead of 1234, it's something more likely to be missed.

Including just one international character, like a vowel with an umlaut, will defeat most password crackers. They can be typed by holding down the key and typing a three-digit number on the numpad. Typing long phrases instead of words will also help. In theory, it should be easy to guess "Twas as a dark and stormy night" as a passphrase, but in practice, hackers won't catch it.

On the flip side, the more complex you make your password, the harder it will be for you to type it in. Try to create something as long as you can comfortably type, while still keeping in mind the techniques above.

Robert Graham is CEO of Errata Security. Special to Dark Reading[/hide]

My password was only 6 letters long; it's now 10 letters long and totally random :twisted:
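The mutation list in the article above is just as useful on the defending side: a password check that undoes each listed mutation before consulting a wordlist rejects exactly the choices a mutated dictionary run would reach first. This is an added example, not code from the article or from anyone in the thread; the wordlist is constructed from the top-20 list quoted earlier, and the function names are my own.

```python
import re

# Constructed demo wordlist: the top-20 phpbb passwords quoted earlier in the
# thread plus a few dictionary words. A real check loads a full wordlist.
COMMON_WORDS = frozenset({
    "123456", "password", "phpbb", "qwerty", "12345", "12345678", "letmein",
    "1234", "test", "123", "trustno1", "dragon", "abc123", "123456789",
    "111111", "hello", "monkey", "master", "killer", "123123",
    "robert", "apple", "orange", "foobar", "joshua", "banana",
})

# Undoes the "o -> 0, l -> 1" style swaps named in the article's list.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})
EDGES = re.compile(r"^[\W\d_]+|[\W\d_]+$")  # digits/punctuation at either end


def candidate_bases(password: str) -> set:
    """Words a mutated-dictionary run could have turned into `password`.

    Each transform reverses one mutation from the article's list: case
    changes, letter/number swaps, digits or punctuation at the start, end or
    both ends (*foobar*), a digit inserted inside the word, a doubled first
    letter, and every letter doubled. Transforms repeat until nothing new
    appears, so stacked mutations (Drag0n99!) are unwound as well.
    """
    seen = set()
    queue = [password.lower()]
    while queue:
        v = queue.pop()
        if not v or v in seen:
            continue
        seen.add(v)
        queue.append(v.translate(UNLEET))       # passw0rd   -> password
        queue.append(EDGES.sub("", v))          # robert!    -> robert
        queue.append(re.sub(r"\d", "", v))      # mon7key    -> monkey
        if len(v) > 1 and v[0] == v[1]:
            queue.append(v[1:])                 # rrobert    -> robert
        if len(v) % 2 == 0 and v[::2] == v[1::2]:
            queue.append(v[::2])                # hheelllloo -> hello
    return seen


def wordlist_match(password: str, wordlist=COMMON_WORDS) -> tuple:
    """Dictionary word(s) a cracker would reach from `password`, or () if none.

    Single words are checked first; then the article's "two words combined"
    case, joined directly (applebanana) or with punctuation/space (apple-banana).
    """
    for base in sorted(candidate_bases(password), key=len):
        if base in wordlist:
            return (base,)
        parts = [p for p in re.split(r"[\W_]+", base) if p]
        if len(parts) == 2 and all(p in wordlist for p in parts):
            return tuple(parts)
        if len(parts) == 1:
            for i in range(2, len(base) - 1):
                if base[:i] in wordlist and base[i:] in wordlist:
                    return (base[:i], base[i:])
    return ()


if __name__ == "__main__":
    for pw in ["Robert!", "Passw0rd", "*foobar*", "Drag0n99!", "apple-banana",
               "hheelllloo", "Twas a dark and stormy night"]:
        hit = wordlist_match(pw)
        verdict = "weak: " + "+".join(hit) if hit else "no wordlist match"
        print(f"{pw!r:34} -> {verdict}")
```

A six-word passphrase passes because only single words and two-word joins are unwound; the article's point that long phrases survive this technique holds in the check as well.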

[quote]It's sad to see how horrible people are at making passwords, especially this:

3.03% "123456"
2.13% "password"

Setting password to password must be the dumbest thing you could possibly do whatsoever.

I just don't get how people can set passwords to things like these. Personally, my passwords all involve caps, lower case, over 5 random numbers and over 8 letters (ones that you would NEVER guess. Ever.).

Faults in IT security are as old as IT itself though.[/quote]

lol at 123456 and password... I had no idea people were so stupid. They probably go by the theory that they themselves won't be targeted by hacker attempts so can choose obvious, but for them easy to remember, passwords.


Meh, my passwords always come up as weak on the security meter or whatever, yet nobody has ever hacked into anything of mine.

And I really doubt anybody will guess.


If I recall correctly the passwords were still saved as MD5 hashes. That means that the passwords needed to undergo a bit of brute forcing to match the hash stored in the phpbb databases with known password hashes.

For example:

banana we know has an md5 hash of 72b302bf297a228a75730123efef7c41

If you have a list of hashes and their equivalent words then it would be easy to reverse the hash into a readable password. That's why only common/dictionary words appear in the exposed list.

If your password was something like B4n@na!95 it would have an md5 hash of bb3ce5da67fc93b11d06e999bda12714 which is unlikely to be in any reverse hash lists and thus unlikely to be brute forced.

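The lookup the post above describes works because unsalted MD5 of the same word is always the same digest. The added example below (mine, not the poster's or phpBB's code) shows the lookup succeeding against a small constructed table, then failing once a per-user salt is mixed in, and finishes with a salted, iterated hash of the kind the article's update credits phpBB3 with; PBKDF2-HMAC-SHA256 and the 200,000-round count are my stand-in, not phpBB3's actual format.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed table standing in for the "list of hashes and their equivalent
# words" from the post; the "banana" entry is the digest quoted there.
PRECOMPUTED_MD5 = {
    hashlib.md5(w.encode()).hexdigest(): w
    for w in ("123456", "password", "phpbb", "qwerty", "banana", "monkey")
}

PBKDF2_ROUNDS = 200_000  # assumption for this demo, not phpBB3's parameter


def md5_hex(password: str) -> str:
    """Unsalted MD5: same word, same digest, on every site that stores it this way."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_unsalted(digest: str) -> Optional[str]:
    """One dictionary lookup recovers a common password from its unsalted digest."""
    return PRECOMPUTED_MD5.get(digest)


def salted_md5_hex(password: str, salt: bytes) -> str:
    """Even with MD5, a per-user salt changes the digest, so the table no longer applies."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated hash for storage.

    A random salt per user defeats precomputed tables (two users with the same
    password get different digests); the round count makes each guess cost
    thousands of hash operations instead of one.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = store_password(password, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    print("unsalted md5(banana)  ->", reverse_unsalted(md5_hex("banana")))
    print("salted md5(banana)    ->", reverse_unsalted(salted_md5_hex("banana", os.urandom(8))))
    salt, digest = store_password("banana")
    print("pbkdf2 verify banana  ->", verify_password("banana", salt, digest))
    print("pbkdf2 verify Banana  ->", verify_password("Banana", salt, digest))
```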

One thing that must be taken into account is the fact that a lot of people register on phpBB solely for the purpose of asking one or two questions that could pop up when they're using their board system. After that, there's nothing more to it, which means that they don't consider their account important to them.

If I ran a phpBB board and something suddenly went wrong, I'd just register on phpBB with a random username and use a very bad password just because I'm only asking one question. Afterwards the account is like trash to me, unless I might have other questions (I could just register another one too). It's also a lot easier remembering things like 123456.

Another example is if I want to download a file somewhere, and the site requires me to register. I'd of course choose a bad password for that case.

If instead something like people's paypal passwords (or some other passwords that unlock more important things) were published, I'm sure they'd be better even without complexity restrictions. Age group for paypal and phpBB should be quite similar, they aren't used so much by <13 year-olds.


Very interesting especially about that Joshua one. I saw part of that movie it was win.

Glad to know I'm only part of the 5% with my password being Hannah Montana :lol: 8-)


There was a program several months ago for RS that force-guessed your passwords (you could add words/letters/combinations) and it used a proxy for every 5 guesses then changed the proxy automatically.

The most popular password was "killer" I remember reading a topic about it on a "not so rule-friendly" forum.


[quote]Very interesting especially about that Joshua one. I saw part of that movie it was win.

Glad to know I'm only part of the 5% with my password being Hannah Montana :lol: 8-)[/quote]

i bet you 5 gee pee some noob will try to log into your account with that pass now :lol:


13-character-long random password ftw, how many thousands of years would that be? :lol:

In rs, I'm pretty sure you can use every letter, capitalized = non capitalized, and all the numbers. So, that's 36^13 passwords. For an online attack, you can guess 1 password every ~5 seconds, and let's assume jagex removed the "you can't rapidly enter passwords" thing. Statistically, you can say you'll get it halfway through, so that's (36^13*5)/2=426454320448945520640 seconds, 296148833645101056 days, or ~8.1x10^14 years. With an offline attack, say you can do 1bil passwords/second. Same stuff as before, it'll take you (36^13/1x10^9)/2 on average. So the hacker would take ~85290864089 seconds, 59229766 days, or give or take ~162,000 years.

So, depending on the hacking style, it'll be ~8.1x10^14 years (( the age of the universe is estimated to be about 1/60,000 of this btw)), or ~162,000 years on average.

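The article's brute-force table and the 36^13 estimate in the post above are the same calculation: keyspace divided by guess rate, halved for the average case. This added example (not from the article or the post) carries that arithmetic through for any alphabet size, length and guess rate, reproducing the article's 100-symbol table, its 26-symbol lowercase case, and the 36-symbol case-insensitive RuneScape case; the function names and the conversion to days and years are mine.

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every combination; this is how the article's table is built."""
    return keyspace(alphabet_size, length) / guesses_per_second


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Guesses needed on average for a uniformly random password: half the keyspace."""
    return keyspace(alphabet_size, length) // 2


def average_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time at a given guess rate (the post's 'halfway through' estimate)."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def in_days(seconds: float) -> float:
    return seconds / SECONDS_PER_DAY


def in_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def humanize(seconds: float) -> str:
    """Render a duration in the unit the article uses: seconds, days or years."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds:,.0f} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{in_days(seconds):,.1f} days"
    return f"{in_years(seconds):,.0f} years"


def brute_force_table(alphabet_size: int = 100, guesses_per_second: float = 1e9,
                      lengths=range(5, 11)) -> dict:
    """The article's table: password length -> seconds for an exhaustive search."""
    return {n: exhaustive_seconds(alphabet_size, n, guesses_per_second) for n in lengths}


if __name__ == "__main__":
    print("Article's assumptions: ~100 symbols per character, 1e9 guesses/s, full search")
    for n, secs in brute_force_table().items():
        print(f"  {n:2d} characters = {humanize(secs)}")
    print(f"  10 lowercase-only characters = {humanize(exhaustive_seconds(26, 10, 1e9))}")
    # The post's RuneScape case: 36 symbols (case-insensitive letters + digits), 13 long.
    print("13 random characters from a 36-symbol alphabet, average case:")
    print(f"  online,  1 guess / 5 s : {humanize(average_crack_seconds(36, 13, 1 / 5))}")
    print(f"  offline, 1e9 guesses/s : {humanize(average_crack_seconds(36, 13, 1e9))}")
```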

The phpbb site was using the phpbb2 password encryption which was much easier to decode. The tipit board uses the phpbb3 encryption which is much more secure. Therefore what happened there probably couldn't happen here. Doesn't mean you should use easy passwords though.


This post reminded me of the book Freakonomics, if anyone has read that? Although I guess most statistical-analysis texts will seem similar to the untrained eye.

Interesting though =D>


apparently they aren't mathematicians:

65+16 (names, aren't in a dictionary) +14 (doubt asdf could be found in a dictionary :P) + 5 (from popular culture)+ >0 (passw0rd etc aren't in a dictionary either) is more than 100%

really this article seems to be very rough, and more like a popular written article (like something that could be posted in a newspaper) than something that should be taken seriously!


on my very first account i made (darklink something) his password was master LMAO :twss:

i forgot the numbers to his name and never played him past tutorial island though so he is a lost account :lol:

ahhh, my password now doesn't even fit into those categories :thumbsup:


These come from the kb:

RuneScape Password Rules:

*You can only have passwords up to 20 characters long.
*Passwords are not case sensitive, so 'HVYDG' is the same as 'hvydg' or 'HvYdG'.
*You cannot use symbols such as '!' and '%'.

Tips:

* DO NOT pick any word or number which has a connection to you, so don't pick your house number or street name, for example.
* DO NOT just use a number at the end of a word, such as HVYDG8076
* DO NOT use common number and letter substitutions e.g. 4 as the word 'for', 1 as 'L' or 'I', 5 as 'S'
* DO NOT use repeating characters 'bbbbbbbbbb' or series of characters such as 'kbkbkbkbkbkb'.
* DO NOT use your name, account name or name of an item either forwards, backwards or divided up.
* DO NOT use a series of characters off any keyboard such as 'qwerty', 'lkjhgf' or 'qazwsxedc', as these are very common and hijackers will look for these.

I'm sure most people with really crappy passwords don't really care about their account.


The whole thread was a very interesting read, thank you.

It's times like these that I'm proud of my 26-character password :P


Working for an ISP. That article was generous about how simplistic people are with passwords.

