Create an Account
username: password:
 
  MemeStreams Logo

PHPBB Password Analysis

search

Worthersee
Picture of Worthersee
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Worthersee's topics
Arts
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
Current Events
Recreation
Local Information
Science
Society
Sports
Technology

support us

Get MemeStreams Stuff!


 
PHPBB Password Analysis
Topic: Technology 2:38 pm EST, Feb  7, 2009

Recently, a popular website "phpbb.com" was hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals, because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

The striking different between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character". Most people satisfied this requirement by simply appending '1' to the end of their passwords. The phpbb site has no such restrictions, the passwords are shorter and rarely contain anything more than a dictionary word.

It's hard to judge exactly how many passwords are dictionary words. A lot of things like "xbox" or "pokemon" are clearly words, but not in an English dictionary. I ran the phpbb passwords through various dictionary files, and come up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple things, like "apple" or "orange", rather than complex words like "pomegranate".

PHPBB Password Analysis



 
 
Powered By Industrial Memetics
RSS2.0