The popular free bulletin board software site phpbb.com had its user database hacked into and the passwords for 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see.
InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they’ve been told not to do since passwords were first invented.
Homepage at phpbb.com
Author/analyst Robert Graham has tons of analysis on offer. I’m ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: These passwords are from a group of people interested in computer programming, so if anyone should know better, it’s these guys.
- The most popular password (3.03% of the 20,000) was “123456.” It’s also generally considered the most common password used today.
- 4 percent used some variant of the word “password.” Seriously, people, there’s no excuse for this one. “password” was the 2nd most popular password used, also in keeping with historical trends.
- 16 percent of passwords were a person’s first name. No word on whether it was the user’s own first name, but it was someone’s. Joshua is the most commonly used first-name password, a likely reference to the movie WarGames.
- Patterns abound. In addition to “123456,” other patterns like “12345,” “qwerty,” and “abc123” were common, comprising 14 percent of the passwords used.
- 35 percent of passwords were six characters long. 0.34 percent were only one character long.
- For reasons no one can explain, “dragon,” “master,” and “killer” all crack the top 20 passwords. (On the top 500 password list linked above, “dragon” is #7.)
One thing Graham doesn’t discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account).
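The kind of audit Graham ran over the leaked list can be reproduced on any password dump you are legally holding (for example, your own site's cracked-hash recovery after an incident). The script below is an added example, not code from the InformationWeek piece or from phpbb.com; it runs over a small constructed sample (the real dump is not reproduced) and reports the same categories the article discusses: the single most common password, "password" variants, first names (against a tiny constructed name list, a stand-in for a real wordlist), keyboard walks and numeric sequences, the length distribution, and how many entries would have satisfied a minimal composition rule (8 characters, one digit, one special character). The name list, pattern list and the sample passwords are all assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample standing in for the leaked list; not real leaked data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "Password1", "passw0rd",
    "qwerty", "12345", "abc123", "joshua", "michael", "dragon", "master",
    "killer", "a", "letmein", "Tr0ub4dor&3", "correcthorsebatterystaple",
    "iloveyou", "sunshine",
]

# Constructed first-name list; a real audit would load a full names wordlist.
FIRST_NAMES = {"joshua", "michael", "jessica", "daniel", "ashley"}

# Keyboard walks and numeric sequences the article groups as "patterns".
PATTERNS = {"123456", "12345", "1234", "123456789", "111111", "qwerty",
            "abc123", "asdfgh"}


def is_pattern(pw):
    """True for known keyboard-walk / numeric-sequence passwords."""
    return pw.lower() in PATTERNS


def is_password_variant(pw):
    """Match 'password' and its leet/suffixed variants (Password1, passw0rd...)."""
    return re.fullmatch(r"p[a4@]ss?w[o0]rd.*", pw, re.IGNORECASE) is not None


def is_first_name(pw):
    return pw.lower() in FIRST_NAMES


def meets_policy(pw, min_len=8):
    """Minimal composition rule: length, one digit, one non-alphanumeric."""
    return (len(pw) >= min_len
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def audit(passwords):
    """Compute the article's statistics as fractions of the list."""
    n = len(passwords)
    counts = Counter(passwords)
    top, top_count = counts.most_common(1)[0]
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": n,
        "top_password": top,
        "top_share": top_count / n,
        "password_variant_share": sum(is_password_variant(p) for p in passwords) / n,
        "first_name_share": sum(is_first_name(p) for p in passwords) / n,
        "pattern_share": sum(is_pattern(p) for p in passwords) / n,
        "length_histogram": dict(sorted(lengths.items())),
        "one_char_share": lengths.get(1, 0) / n,
        "policy_pass_share": sum(meets_policy(p) for p in passwords) / n,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    for key, value in report.items():
        if isinstance(value, float):
            print(f"{key:24s} {value:6.2%}")
        else:
            print(f"{key:24s} {value}")
```

The per-category checks are deliberately separate functions so the same list can be scored against a larger names wordlist or an extended pattern set without touching the aggregation; the "policy_pass_share" line makes visible how few of the weak entries a composition rule alone would have rejected.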
A good hacker has most of those in their Dictionary file.
The lesson here is: keep your server updated!!!
This was a known exploit.
Brad
It was not a known exploit; the attack happened within hours of the vulnerability getting posted on Milw0rm.
Also, the password sample is flawed, as the attacker was only able to read the old and weak passwords. Essentially, a list of weak passwords was analyzed with the surprising result that they are weak.
Password strength could have avoided this and it’s something that should be implemented where a user must use at least 8 characters with at least one number and one special character.