Common Passwords



Bob Moyer
02-10-2009, 12:27 PM
PHPBB Password Analysis

Posted by Robert Graham, Feb 6, 2009 05:56 PM

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to the ends of their passwords. The phpbb site has no such restrictions -- the passwords are shorter and rarely contain anything more than a dictionary word.

It's hard to judge exactly how many passwords are dictionary words. A lot of words, like "xbox" or "pokemon," are clearly words, but aren't in an English dictionary. I ran the phpbb passwords through various dictionary files and came up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple ones, like "apple" or "orange," rather than complex words like "pomegranate."

16% of passwords matched a person's first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in "Wargames," which almost certainly accounts for it being at the top. Variations of the name "Jordan" are popular, which almost certainly refers to "Michael Jordan," a prominent basketball star (such as "jordan23," referring to his jersey number). This makes me wonder how many people use "Michael" as a password to refer to their children compared to sports stars.

14% of passwords were patterns on the keyboard, like "1234," "qwerty," or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357," trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-handed people, "159357" will be popular among lefties.

4% are variations of the word "password," such as "passw0rd," "password1," or "passwd." I googled "drowssap," trying to figure out how to categorize it, until I realized it was "password" spelled backward.

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture ("hannah," "pokemon," "tigger") and geeky ("klingon," "starwars," "matrix," "legolas," "ironman"). Music, though, appears to have a much broader age demographic, with a lot of old bands, like "ironmaiden." Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as "ou812" ('80s Van Halen album), "blink182" ('90s pop), "rush2112" ('80s album), and "8675309" ('80s pop song).

4% of passwords appear to reference things nearby. The name "samsung" is a popular password, I think because it's the brand name on the monitor that people are looking at (I have two in front of me right now). Similarly, there are a lot of names of home computers like "dell," "packard," "apple," "pavilion," "presario," "compaq," and so on. It's hard to figure out what belongs in this category, though. Is "cocacola" a popular password because there is a can of coke on their desks? Or just because it's a well-known name? In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.

3% of passwords are "emo" words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like "iloveyou" or "ihateyou").

3% are "don't care" words. I've always thought that dialogs, like Microsoft's UAC, should have a button labeled "whatever." When prompted with, "This program may contain a virus, do you want to run it?" instead of having two buttons, "YES" or "NO", dialogs should contain a third button labeled "WHATEVER" or "I DON'T CARE." A lot of password choices reflect this attitude, either implicitly with "abc123" or "blahblah," or explicitly with "whatever," "whocares," or "nothing."

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of "letmein," "trustno1," "joshua," and "monkey," but it accounts for a large percentage of passwords.

1% are sports related. I'm not a sports fan so I'm unlikely to recognize a lot of them and categorize them correctly. The U.S. has a lot of popular sports, a lot of teams, and a lot of stars. This breadth means that no particular name is very popular, but in other countries, they become more concentrated. For example, in the U.K., the popular soccer teams, "arsenal" and "liverpool," are regularly in the Top 10 lists of passwords.

Here are the top 20 passwords from the phpbb dataset. You'll find nothing surprising here; all of them are on this Top 500 list.

3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

Notice that whereas "myspace1" was one of the most popular passwords in the MySpace dataset, "phpbb" is one of the most popular passwords in the phpbb dataset.

I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.

The password length distribution is as follows:

1 character 0.34%
2 characters 0.54%
3 characters 2.92%
4 characters 12.29%
5 characters 13.29%
6 characters 35.16%
7 characters 14.60%
8 characters 15.50%
9 characters 3.81%
10 characters 1.14%
11 characters 0.22%

Note that phpbb has no requirements for password lengths, so people tend to choose shorter passwords than for sites like MySpace.

Update: Ashley Pinner wrote to tell me that phpBB3 uses the newer salted-passwords that require a minimum of six characters, and that anybody who has logged in since the change has had their accounts upgraded to the new hashing scheme. This means if you have logged into phpbb.com recently, then your password is less likely to have been stolen.

Update: A lot of left-handed people have told me that they use their right hand for the mouse, and therefore my theory about "159357" is incorrect.
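An added illustration of the kind of categorisation and frequency analysis the post describes (this is not Robert Graham's program, which the post does not include): it buckets each password into the post's categories, ranks the most common ones and builds the length histogram. The password list and the word lists are tiny constructed stand-ins for the leaked dump and the dictionaries the post mentions.

```python
"""Toy password-corpus analysis in the style of the post: categorise,
rank by frequency and tabulate lengths. All data here is constructed."""
from collections import Counter

# Constructed sample corpus with repeats (not the phpbb dump).
SAMPLE = (
    ["123456"] * 6 + ["password"] * 4 + ["qwerty"] * 2 + ["letmein"] * 2
    + ["joshua", "jordan23", "michael", "apple", "orange", "passw0rd",
       "drowssap", "1qaz2wsx", "159357", "asdf", "pokemon", "starwars",
       "samsung", "whatever", "trustno1", "iloveyou", "dragon", "x"]
)

# Stand-in word lists; a real run would load full dictionary files.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_WALKS = {"1qaz2wsx", "1q2w3e", "159357", "zaq12wsx"}
FIRST_NAMES = {"joshua", "thomas", "michael", "charlie", "jordan"}
POP_CULTURE = {"pokemon", "starwars", "matrix", "klingon", "letmein", "trustno1"}
DONT_CARE = {"whatever", "whocares", "nothing", "abc123", "blahblah"}
NEARBY = {"samsung", "dell", "compaq", "apple"}
EMO = {"iloveyou", "ihateyou"}
DICTIONARY = {"apple", "orange", "dragon", "master", "killer", "monkey"}


def is_keyboard_walk(p):
    """True for a known walk or 4+ chars contiguous on one keyboard row."""
    if p in KEYBOARD_WALKS:
        return True
    if len(p) < 4:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def categorise(pw):
    """Assign one category per password; earlier checks take precedence."""
    p = pw.lower()
    base = p.rstrip("0123456789")        # "jordan23" -> "jordan"
    if is_keyboard_walk(p):
        return "keyboard pattern"
    if "pass" in p or p == "password"[::-1]:   # crude: catches passw0rd, drowssap
        return "password variant"
    if base in FIRST_NAMES:
        return "first name"
    if p in POP_CULTURE:
        return "pop culture"
    if p in DONT_CARE:
        return "don't care"
    if p in NEARBY:
        return "nearby object"
    if p in EMO:
        return "emo"
    if base in DICTIONARY:
        return "dictionary word"
    return "other"


def category_counts(passwords):
    return Counter(categorise(p) for p in passwords)


def top_n(passwords, n=5):
    """Most common passwords with their share of the corpus in percent."""
    total = len(passwords)
    return [(pw, round(100 * c / total, 2)) for pw, c in Counter(passwords).most_common(n)]


def length_counts(passwords):
    return dict(sorted(Counter(len(p) for p in passwords).items()))


if __name__ == "__main__":
    print(category_counts(SAMPLE))
    print(top_n(SAMPLE))
    print(length_counts(SAMPLE))
```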

James Jaragosky
02-10-2009, 1:17 PM
I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.
This may be passwords generated by gamers.
Dragon, Dragon Master, Master, & Killer are popular with the RPG, Massive RPG & first person shooter gamers.
At least this is my guess.

Karlan Talkington
02-10-2009, 2:05 PM
Needless to say, if your password matches any one of the ones listed above... CHANGE IT!! :eek:

Robert Reece
02-10-2009, 2:15 PM
A few years ago I converted to using pass phrases, instead of pass words. Words are too easy to guess, as you have shown here. On the other hand, having a phrase (basically a sentence) is easier to remember and is generally far longer, so harder to guess or hack. If you misspell a word or two it makes it even harder. For example - "fluffy iz puffy". That would be a hard password to break by brute force. A great source for misspelled words is young kids. Just look at some stuff they write and you'll get a wealth of ideas.

Kevin Arceneaux
02-10-2009, 2:57 PM
When I signed up to get my TWIC card, they run your password choice through a filter that will words and close to words.

David G Baker
02-10-2009, 4:00 PM
I look around my computer room looking for something in print. I then that the word and modify the word using upper or lower alphabet letters, if the letter triggers a number thought I then change the letter to a number, then I use punctuation marks. Most of my passwords are 8 characters long or longer and no two are in any way similar. I have hundreds of passwords. I am in deep doo doo if anyone finds my password book.

Jason Roehl
02-10-2009, 5:10 PM
I could tell you guys how I come up with my passwords, but then I would have to kill you. :p

John Schreiber
02-10-2009, 5:20 PM
. . . I am in deep doo doo if anyone finds my password book.
Do other people write them down? I keep them in my head, but that means I tend to use the same ones in different places.

Frank Hagan
02-10-2009, 5:26 PM
This is a pet peeve of mine ... I hate the number of passwords and the frequency of changing them. Some government sites require you to not use any "dictionary word", including any three letter word that might be in the dictionary in the middle of your password. You have to include one of nine special characters, upper and lower case letters, and numbers, and it must be at least 8 characters long.

The average person is forced to write down their passwords, defeating the purpose of a password in the first place.

And I wonder how many passwords are really defeated by hackers using "brute force" or are like the example given, where the software itself was hacked (phpBB encrypts the passwords for the Admin people, so they are not in "plain sight" even if you had admin access). FTP programs send their passwords in plain text, as do most "Thank you for joining our site!" emails. It doesn't matter how complex you make your password if someone is sniffing them out by snatching packets containing FTP sessions or emails.

Frank Hagan
02-10-2009, 5:29 PM
Do other people write them down? I keep them in my head, but that means I tend to use the same ones in different places.

I have "hints" that I write down ... "standard complex with dog's name and ampersand appended" is one. "Standard complex" is a base password that is 10 characters long, includes numbers, letters (both upper and lowercase) and punctuation marks that I have memorized. Having to change passwords at work every 90 days, at government sites every 60 days, etc. means I'm constantly needing a reminder.

When I retire, I'm going to smash all my computers and start drinking whiskey out of a paper bag!

Laurie Brown
02-10-2009, 6:47 PM
I select passphrases in a language I made up. :)

David Christopher
02-10-2009, 7:03 PM
I don't have anything worth protecting

John Schreiber
02-10-2009, 10:18 PM
. . . When I retire, I'm going to smash all my computers and start drinking whiskey out of a paper bag!
But won't you miss us? I'll just be drinking Diet Coke, but I'll put it in a bag so nobody knows.

Rich Lightfoot
02-10-2009, 10:39 PM
I just got back from San Diego where I worked the Open Group security conference. Getting a hold of a password is really only half the battle. The other half is getting a user name to go with it. Unfortunately with the way things are done in most IT departments even a below average hacker can achieve a 65% success rate without breaking a sweat if they can get to a user/pass prompt just by using an initial and a random last name like rlightfoot.

Brian Effinger
02-10-2009, 10:40 PM
Dark Helmet (http://www.imdb.com/name/nm0001548/): So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!


President Skroob (http://www.imdb.com/name/nm0000316/): [enters after the interrogation of King Roland] Well? Did it work? Where's the king?
Dark Helmet (http://www.imdb.com/name/nm0001548/): It worked, sir. We have the combination.
President Skroob (http://www.imdb.com/name/nm0000316/): Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?
Dark Helmet (http://www.imdb.com/name/nm0001548/): 1 2 3 4 5.
President Skroob (http://www.imdb.com/name/nm0000316/): 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
Dark Helmet (http://www.imdb.com/name/nm0001548/): Yes, sir!
President Skroob (http://www.imdb.com/name/nm0000316/): And change the combination on my luggage!


glenn bradley
02-10-2009, 10:55 PM
Do other people write them down? I keep them in my head, but that means I tend to use the same ones in different places.

I never write them down. When we have to supply "keys" at work, we write it on a post-it and hold it up to the person who needs it. Then we take the post-it with us when we walk away and destroy it.

It's their problem if they write things down (we yell at them if they start writing in front of us) or choose to share. Most people on my team have an almost involuntary "look away" reflex when someone we are helping is typing a username or password ;-)

I was never so shocked as when I was given the passwords I needed to work on a system for a certain agency that puts people in space. No, I won't share but it was amazingly dumb.

glenn bradley
02-10-2009, 10:56 PM
I select passphrases in a language I made up. :)

Heyyyyy, I like that :)

Frank Hagan
02-10-2009, 11:24 PM
But won't you miss us? I'll just be drinking Diet Coke, but I'll put it in a bag so nobody knows.

I had to give up Diet Coke because of the acid in it ... getting old, I guess ... so it's whiskey for me! ;)

Sonny Edmonds
02-11-2009, 2:03 AM
Well bust my buttons!
None of those refer to what I use as my passwords.
.
.
.
.
.
Oh darn! I just gave away my password, "Passwords" :(

Ken Werner
02-11-2009, 7:41 AM
Oh darn! I just gave away my password, "Passwords" :(

Sonny, That can't be your password, it's MY password.

Bob, thanks for posting this interesting piece.

Craig D Peltier
02-11-2009, 10:39 AM
You can always buy an inexpensive fingerprint hardware that allows your finger as the password (not the finger you were thinking of). I believe they're around $20.

Ken Fitzgerald
02-11-2009, 10:55 AM
After this thread....I wonder how many folks are scrambling to change their passwords?:confused:

Scott Shepherd
02-11-2009, 11:25 AM
I would, but I can't remember my password to change my password! :D

Ben Davis
02-11-2009, 9:48 PM
Just so everyone feels safe, our DoD pass phrases have incredible requirements.

For my networked computer a user is required to have their ID card which is embedded with a security chip (loaded with their clearance certificates), enter their correct 6-14 digit pin, enter their specific user name, and then a 14+ alpha-numeric pass phrase that must include at least 2 numbers and 2 special symbols and not be a dictionary term. This is not even my classified machine.

Oh, and the pass phrases have to change every 60 days. On certain systems your user name changes as well.

Craig Summers
02-13-2009, 12:57 PM
I was chatting with an IT guy. Before they came up with a password dictionary (list of prohibited words) he said the most common one he saw was "Jesus saves"

I have found that maps of foreign countries yield a lot of city and town names that make excellent passwords.
Example: find city names in Sweden/Norway per this link at Geographic Guide (http://www.geographicguide.net/europe/maps-europe/norway-map.htm)
Sundsvall
Kiruna
Narvik

Then change the spelling slightly to prevent easy discovery.
Soondsvall
Kiruuna
Narrvik

It's an easy way, and it might make you feel better about your heritage.
:)

Bryan Berguson
02-13-2009, 6:11 PM
One of my favorite ways to create a password is to come up with a 6 digit one handed combination and then hold the shift key and type it again. Throw in a number or 2 and you get a really complicated password that is easy to remember.

Example I just came up with for the left hand: tr345vTR#$%V

right hand could be: jk78l.JK&*L>

You learn it fast because you are typing it twice all the time. It is also easy to change when those pesky admins force you to enter a new password every 3 months... Hold the shift key first then unshift. Same password to you, way different to the OS.

You could of course do a similar combination with less letters but 12 is going to be *almost* impossible to hack.

And no, I use neither of these passwords... :D

Bryan

Gary Herrmann
02-13-2009, 7:29 PM
I'm an IT consultant. I've worked in all kinds of industries and companies - some with very rigorous password requirements. It never ceases to amaze me how many of my IT brethren write their password down on a piece of paper and leave it in the top drawer of their desk.

If you're on one of my teams and I find out about it, I wait till you go to lunch and then change your password. Usually to something like dumba$$.

Chuck Stewart
02-13-2009, 10:07 PM
And I thought I was being clever with "dragon" since my motherboard is a Soyo KT600 Dragon which by the way is a "Dinosaur" now...Hey, maybe I'll change it to that, nobody reads this far into a thread anyway

Frank Hagan
02-14-2009, 1:58 AM
I'm an IT consultant. I've worked in all kinds of industries and companies - some with very rigorous password requirements. It never ceases to amaze me how many of my IT brethren write their password down on a piece of paper and leave it in the top drawer of their desk.

If you're on one of my teams and I find out about it, I wait till you go to lunch and then change your password. Usually to something like dumba$$.

The more complex the password has to be, the more likely it will be written down somewhere near the computer. This is the fault of those that insist on complex passwords.

So the question has to be: what is the password designed to do?

Everyone wants complex passwords to prevent "dictionary words" from falling to brute force attacks from virtual intruders, but how often does that really happen? On my server, if you try a certain number of times to enter a password and fail, your IP address gets locked out. Occasionally I'll have a customer who needs to get their IP address unblocked because they changed something in their FTP program. You'll never get through the dictionary to break a password when the server locks you out. So the complex password rules aren't necessary.

"elvissings" is as good a password as "()jlYgh@(&" in that case.

If the password is to prevent actual physical hacking where the bad guy is at the same physical location, a simple password that someone can actually remember is better than a complex string of characters that has to be written down and pasted on a sticky note on the monitor.

All the cases I hear about that are the virtual attacker are from things like sniffing the passwords in clear text in email, FTP programs, etc., either on the net or by a guy with a laptop in your parking lot (who has picked up an unsecured wireless network). That's how TJ Max's credit card database was hacked.

And all the cases within companies I hear about are from people sharing their logins, or having a complex password written down.

Jason Roehl
02-14-2009, 4:06 AM
Frank, those were some very good points there. There's one more I'll throw into the mix, if a good password is important to you. Years ago, when I was in school, generally using only computers in a computer-lab setting, I would "test" my new passwords as to how fast I could type them--reducing the chance of someone snagging it by looking over my shoulder (I knew a few guys who would do this for fun). The fastest passwords were ones where the letters more or less alternated between hands (so "fastest", for instance would be a poor choice). At the very least, no two consecutive letters could be input by the same finger, so actually, "dinosaur" wouldn't have been that bad as a password, except that one other thing I would do is misspell (in a non-typographic-error way) the word.

Frank Hagan
02-14-2009, 9:15 PM
Frank, those were some very good points there. There's one more I'll throw into the mix, if a good password is important to you. Years ago, when I was in school, generally using only computers in a computer-lab setting, I would "test" my new passwords as to how fast I could type them--reducing the chance of someone snagging it by looking over my shoulder (I knew a few guys who would do this for fun). The fastest passwords were ones where the letters more or less alternated between hands (so "fastest", for instance would be a poor choice). At the very least, no two consecutive letters could be input by the same finger, so actually, "dinosaur" wouldn't have been that bad as a password, except that one other thing I would do is misspell (in a non-typographic-error way) the word.

Length also helps in that case; people have a harder time remembering a 16 character string than one that is five or six characters in length.

I'd like to see some stats about how passwords are really compromised. In the case that started this thread, it was access to the server and not through a regular user's password. So while the original author was dissing all the users who could have their profiles mangled or inappropriate posts put on the BBS under their name, the attack and compromise of the system to get at all of those passwords had to come at a level much higher than those users.

So even if we made every user of phpBB input a 16 digit, non-dictionary word mixed case with special characters and at least three non-consecutive numbers, the problem would have still happened.

Dissing users for simple passwords to post on a forum is like complaining that people in rural areas without crime don't have bars on their windows and doors.

Now, for your bank password, Paypal, or others, you should come up with an easy to remember complex passphrase. But chances are you won't be hacked because someone comes up with the passphrase ... more likely, the bank's system will be compromised internally or through bad software that allows a hacker to get at the underlying database, extract all the passwords and run them through a decryption routine to print them out.

Every case I have heard of where sensitive information is being compromised has been on that end. Not an "easily guessed password" by a user.