2/6/2009
05:56 PM
Robert Graham
Commentary

PHPBB Password Analysis

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to the ends of their passwords. The phpbb site has no such restrictions -- the passwords are shorter and rarely contain anything more than a dictionary word.

It's hard to judge exactly how many passwords are dictionary words. A lot of words, like "xbox" or "pokemon," are clearly words, but aren't in an English dictionary. I ran the phpbb passwords through various dictionary files and came up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple ones, like "apple" or "orange," rather than complex words like "pomegranate."

16% of passwords matched a person's first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in "Wargames," which almost certainly accounts for it being at the top. Variations of the name "Jordan" are popular, which almost certainly refers to "Michael Jordan," a prominent basketball star (such as "jordan23," referring to his jersey number). This makes me wonder how many people use "Michael" as a password to refer to their children compared to sports stars.

14% of passwords were patterns on the keyboard, like "1234," "qwerty," or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357," trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-handed people, "159357" will be popular among lefties.

4% are variations of the word "password," such as "passw0rd," "password1," or "passwd." I googled "drowssap," trying to figure out how to categorize it, until I realized it was "password" spelled backward.

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture ("hannah," "pokemon," "tigger") and geeky ("klingon," "starwars," "matrix," "legolas," "ironman"). Music, though, appears to have a much broader age demographic, with a lot of old bands, like "ironmaiden." Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as "ou812" ('80s Van Halen album), "blink182" ('90s pop), "rush2112" ('80s album), and "8675309" ('80s pop song).

4% of passwords appear to reference things nearby. The name "samsung" is a popular password, I think because it's the brand name on the monitor that people are looking at (I have two in front of me right now). Similarly, there are a lot of names of home computers like "dell," "packard," "apple," "pavilion," "presario," "compaq," and so on. It's hard to figure out what belongs in this category, though. Is "cocacola" a popular password because there is a can of coke on their desks? Or just because it's a well-known name? In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.

3% of passwords are "emo" words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like "iloveyou" or "ihateyou").

3% are "don't care" words. I've always thought that dialogs, like Microsoft's UAC, should have a button labeled "whatever." When prompted with, "This program may contain a virus, do you want to run it?" instead of having two buttons, "YES" or "NO", dialogs should contain a third button labeled "WHATEVER" or "I DON'T CARE." A lot of password choices reflect this attitude, either implicitly with "abc123" or "blahblah," or explicitly with "whatever," "whocares," or "nothing."

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of "letmein," "trustno1," "joshua," and "monkey," but it accounts for a large percentage of passwords.

1% are sports related. I'm not a sports fan so I'm unlikely to recognize a lot of them and categorize them correctly. The U.S. has a lot of popular sports, a lot of teams, and a lot of stars. This breadth means that no particular name is very popular, but in other countries, they become more concentrated. For example, in the U.K., the popular soccer teams, "arsenal" and "liverpool," are regularly in the Top 10 lists of passwords.

Here are the top 20 passwords from the phpbb dataset. You'll find nothing surprising here; all of them are on this Top 500 list.

    3.03% "123456"
    2.13% "password"
    1.45% "phpbb"
    0.91% "qwerty"
    0.82% "12345"
    0.59% "12345678"
    0.58% "letmein"
    0.53% "1234"
    0.50% "test"
    0.43% "123"
    0.36% "trustno1"
    0.33% "dragon"
    0.31% "abc123"
    0.31% "123456789"
    0.31% "111111"
    0.30% "hello"
    0.30% "monkey"
    0.28% "master"
    0.22% "killer"
    0.22% "123123"

Notice that whereas "myspace1" was one of the most popular passwords in the MySpace dataset, "phpbb" is one of the most popular passwords in the phpbb dataset.
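The keyboard-pattern, "password"-variation and site-name categories described above can be checked mechanically when a user picks a password. The sketch below is an added example, not the program used for this analysis. The key layouts, the leet substitutions, the four-character minimum and the 80% adjacency threshold are assumptions chosen so that patterns such as "1qaz2wsx" and "159357", which each contain one jump, are still caught.

```python
from collections import Counter

QWERTY = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPAD = ["789", "456", "123"]
# (row, col) offsets to touching keys: keyboard rows are staggered, the keypad is square.
STAGGERED = {(0, -1), (0, 1), (1, -1), (1, 0), (-1, 0), (-1, 1)}
SQUARE = {(r, c) for r in (-1, 0, 1) for c in (-1, 0, 1)} - {(0, 0)}
LEET = str.maketrans("01345@$", "oleasas")  # assumed substitutions, e.g. "passw0rd"
# Constructed sample: passwords quoted in the article, not the leaked data.
SAMPLE = ["123456", "password", "phpbb", "qwerty", "drowssap", "dragon", "159357", "passw0rd"]

def walk_score(pw, rows, offsets):
    """Return (steps that land on a touching key, total steps) for one layout."""
    pos = {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}
    if len(pw) < 4 or any(ch not in pos for ch in pw):
        return 0, 0
    steps = list(zip(pw, pw[1:]))
    hits = sum((pos[b][0] - pos[a][0], pos[b][1] - pos[a][1]) in offsets for a, b in steps)
    return hits, len(steps)

def is_keyboard_pattern(pw):
    """True if at least 80% of steps move to a touching key on either layout."""
    for rows, offsets in ((QWERTY, STAGGERED), (KEYPAD, SQUARE)):
        hits, total = walk_score(pw.lower(), rows, offsets)
        if total and hits * 5 >= total * 4:
            return True
    return False

def is_password_variant(pw):
    """Match "password"/"passwd" after undoing trailing digits, leet and reversal."""
    base = pw.lower().rstrip("0123456789").translate(LEET)
    return bool({base, base[::-1]} & {"password", "passwd"})

def classify(pw, site_name):
    """Assign one of the categories discussed above, or "other"."""
    if is_password_variant(pw):
        return "password-variant"
    if pw.lower().rstrip("0123456789") == site_name.lower():
        return "site-name"
    if is_keyboard_pattern(pw):
        return "keyboard-pattern"
    return "other"

def summarize(passwords, site_name):
    """Percentage of the sample in each category."""
    counts = Counter(classify(p, site_name) for p in passwords)
    return {cat: round(100 * n / len(passwords), 1) for cat, n in counts.items()}
```

Calling `classify(candidate, "phpbb")` at password-change time and rejecting anything that is not "other" blocks most of the top-20 list; dictionary and first-name matching would still need a word list.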

I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.

The password length distribution is as follows:

    1 character     0.34%
    2 characters    0.54%
    3 characters    2.92%
    4 characters   12.29%
    5 characters   13.29%
    6 characters   35.16%
    7 characters   14.60%
    8 characters   15.50%
    9 characters    3.81%
    10 characters   1.14%
    11 characters   0.22%

Note that phpbb has no requirements for password lengths, so people tend to choose shorter passwords than for sites like MySpace.

Update: Ashley Pinner wrote to tell me that phpBB3 uses the newer salted-passwords that require a minimum of six characters, and that anybody who has logged in since the change has had their accounts upgraded to the new hashing scheme. This means if you have logged into phpbb.com recently, then your password is less likely to have been stolen.

Update: A lot of left-handed people have told me that they use their right hand for the mouse, and therefore my theory about "159357" is incorrect.

Robert Graham is CEO of Errata Security. Special to Dark Reading
