Dailydave mailing list archives

Re: phpbb.com hacked...


From: Robert Graham <robert_david_graham () yahoo com>
Date: Sat, 7 Feb 2009 11:16:03 -0800 (PST)


Oh, yeah, there are lots of problems with the dataset; that's just one potential problem. My analysis should be viewed as one data point in the field of password analysis rather than an authoritative assessment of all passwords.

The passwords come with user information. That information looks like what I expect from legitimate users rather than what I see from spammers on phpBB-style forums. Thus, the numbers may be skewed by spammers, but I think it largely reflects normal users.


--- On Sat, 2/7/09, Robert Lemos <mail () robertlemos com> wrote:

From: Robert Lemos <mail () robertlemos com>
Subject: Re: [Dailydave] phpbb.com hacked...
To: robert_david_graham () yahoo com
Cc: "dailydave" <dailydave () lists immunitysec com>, "Dave Aitel" <dave.aitel () gmail com>
Date: Saturday, February 7, 2009, 4:41 AM
Did you take into account that about half the accounts appeared to be spammers, according to the post by the guy who hacked the site? (He found 400,000 accounts, but there are only 200,000 members.)

So, in fact, the 28,000 passwords he decrypted may only be spam accounts, or a significant fraction of them are, which could be the reason your results are skewed toward simple passwords. Just an alternative explanation...

-R

On Feb 6, 2009, at 6:12 PM, Robert Graham wrote:


I ran the passwords through an analysis program to gather statistics on them. I posted a summary of the results here:

http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html

35% of passwords are 6 characters. Here are the top 20 passwords from the phpbb dataset:
3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

Why are "dragon", "master", and "killer" so popular? Since the phpbb dataset includes e-mail addresses, I'm thinking of e-mailing the people and asking them why they chose that particular password. Likewise, while I know that "trustno1" was a password used in the X-Files, I forget where "letmein" and "monkey" come from (I know they were used in movies/TV, I just forget which ones).

| robert lemos | mail () robertlemos com |
| science & technology journalist |
| http://www.robertlemos.com |
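The kind of frequency statistics quoted above (per-password share, length distribution) can be reproduced with a few lines of Python. This is an added example, not Graham's analysis program; it runs over a small constructed sample rather than the phpbb dump, and adds a coverage figure that shows how much of a user base a blocklist of the n most common passwords would protect.

```python
from collections import Counter

# Constructed sample standing in for a leaked password list (not real data).
# 100 entries, so every share below is an exact percentage.
SAMPLE_PASSWORDS = (
    ["123456"] * 30 + ["password"] * 21 + ["phpbb"] * 14 + ["qwerty"] * 9
    + ["letmein"] * 6 + ["dragon"] * 3 + ["trustno1"] * 3
    + ["Tr0ub4dor&3", "correct horse", "zxcv1234", "monkey", "hello", "master"]
    + [f"user{i:03d}!" for i in range(8)]
)


def top_passwords(passwords, n=20):
    """Return [(share_percent, password), ...] for the n most common values."""
    total = len(passwords)
    counts = Counter(passwords)
    return [(round(100 * c / total, 2), p) for p, c in counts.most_common(n)]


def length_distribution(passwords):
    """Return {length: share_percent} ordered by length (the '35% are 6 chars' figure)."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return {k: round(100 * v / total, 2) for k, v in sorted(counts.items())}


def dictionary_coverage(passwords, n):
    """Share of accounts whose password is among the n most common values.

    From a defender's side this is the fraction of users a blocklist of just
    those n strings would have prevented from choosing a trivially guessed password.
    """
    total = len(passwords)
    covered = sum(c for _, c in Counter(passwords).most_common(n))
    return round(100 * covered / total, 2)


def format_report(passwords, n=20):
    """Render the list in the same '3.03% "123456"' style used in the thread."""
    lines = [f"Top {n} passwords:"]
    for share, pw in top_passwords(passwords, n):
        lines.append(f'{share:.2f}% "{pw}"')
    lines.append(f"Blocklisting the top {n} would cover {dictionary_coverage(passwords, n):.2f}% of accounts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_PASSWORDS, 5))
    print("Length distribution:", length_distribution(SAMPLE_PASSWORDS))
```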


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

