Recently, a popular website "phpbb.com" was hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals, because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.
This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.
The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character". Most people satisfied this requirement by simply appending '1' to the end of their passwords. The phpbb site has no such restrictions; its passwords are shorter and rarely contain anything more than a dictionary word.
It's hard to judge exactly how many passwords are dictionary words. A lot of things like "xbox" or "pokemon" are clearly words, but not in an English dictionary. I ran the phpbb passwords through various dictionary files and came up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple things, like "apple" or "orange", rather than complex words like "pomegranate".
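The kind of analysis described above (dictionary match rate, plus the "word with a digit or punctuation tacked on" pattern that a MySpace-style policy produces), as an added example that is not the author's program; the dictionary and the password list are small constructed samples, not the leaked data:

```python
from collections import Counter

# Constructed sample data (not the real phpbb or MySpace lists).
DICTIONARY = {"apple", "orange", "xbox", "pokemon", "pomegranate",
              "password", "letmein"}
SAMPLE_PASSWORDS = [
    "apple", "orange", "xbox", "pokemon", "apple1", "orange!", "password1",
    "123456", "letmein", "qwerty", "Xbox360", "zebra", "pomegranate",
]
# Characters a policy like MySpace's pushes people to append to a word.
SUFFIX_CHARS = "0123456789!@#$%^&*._-"


def split_suffix(password):
    """Return (base, suffix): the trailing run of digits/punctuation is the suffix."""
    p = password.lower()
    base = p.rstrip(SUFFIX_CHARS)
    return base, p[len(base):]


def classify(password, dictionary):
    """Coarse category: plain word, word+suffix, digits only, or other."""
    base, suffix = split_suffix(password)
    if suffix == "" and base in dictionary:
        return "word"
    if suffix and base in dictionary:      # e.g. "apple1", "orange!"
        return "word+suffix"
    if password.isdigit():
        return "digits"
    return "other"


def analyze(passwords, dictionary):
    """Summarise how a password list matches a dictionary, as percentages."""
    counts = Counter(classify(pw, dictionary) for pw in passwords)
    suffixes = Counter(split_suffix(pw)[1] for pw in passwords
                       if classify(pw, dictionary) == "word+suffix")
    total = len(passwords)
    in_dict = counts["word"] + counts["word+suffix"]
    return {
        "total": total,
        "counts": dict(counts),
        "dictionary_pct": round(100.0 * in_dict / total, 1),
        "avg_length": round(sum(len(pw) for pw in passwords) / total, 2),
        "top_suffixes": suffixes.most_common(3),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_PASSWORDS, DICTIONARY))
```

Swap in a real wordlist for DICTIONARY to reproduce the 65% vs. 94% comparison; a larger "hacker" list catches names like "xbox" that a plain English dictionary misses.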