Enigma Group's Hacking Forum



User Info
Welcome, Guest. Please login or register.
July 05, 2015, 08:50:53 AM

Login with username, password and session length
Search:     Advanced search
News
Think you can hack? Test your knowledge on Enigma Group's 170+ missions. Need to talk to a real person? Try our
chat server.
Forum Stats
46782 Posts in 5917 Topics by 32999 Members
Latest Member: Michael4
Enigma Group's Hacking Forum  |  General  |  General Computing  |  Hacking News  |  PHPBB Password Analysis
« previous next »
Pages: [1] Print
Author Topic: PHPBB Password Analysis  (Read 5765 times)
Ausome1
Administrator
Elite
*****
Instant Messenger
Offline Offline

Posts: 2714
  • Respect: +4


  • Private Tunnels
    « on: February 07, 2009, 04:06:22 PM »
    0

    PHPBB Password Analysis

    Posted by Robert Graham, Feb 6, 2009 05:56 PM

    Recently, a popular website "phpbb.com" was hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals, because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.

    This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. Both Wired and InfoWorld published articles analyzing the passwords.

    The striking different between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character". Most people satisfied this requirement by simply appending '1' to the end of their passwords. The phpbb site has no such restrictions, the passwords are shorter and rarely contain anything more than a dictionary word.

    It's hard to judge exactly how many passwords are dictionary words. A lot of things like "xbox" or "pokemon" are clearly words, but not in an English dictionary. I ran the phpbb passwords through various dictionary files, and come up with a 65% match (for a simple English dictionary) and 94% (for "hacker" dictionaries). The dictionary words were overwhelmingly simple things, like "apple" or "orange", rather than complex words like "pomegranate".

    16% of passwords matched a person's first name. This includes people choosing their own first name, their spouse, or child. The most popular first names were Joshua, Thomas, Michael, and Charlie. These are popular first names, but I wonder if there is something else going on. Joshua, for example, was also the password to the computer in "Wargames", which almost certainly accounts for it being top. Variations of the word "jordan" are popular, which almost certainly refers to "Michael Jordan", a prominent basketball start (such as "jordan23", referring to his jersey number). This makes me wonder how many people use "michael" as a password to refer to their children compared to sports stars.

    14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf". There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e". I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.

    4% are variations of the word "password", such as "passw0rd", "password1", or "passwd". I googled "drowssap" trying to figure out how to categorize it, until I realized it was "password" spelled backwards.

    5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture ("hannah", "pokemon", "tigger") and geeky ("klingon", "starwars", "matrix", "legolas", "ironman"). Music, though, appears to have a much broader age demographics, with a lot of old bands like "ironmaiden". Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as "ou812" (80s Van Halen album), "blink182" (90s pop), "rush2112" (80s album), and "8675309" (80s pop song).

    4% of passwords appear to reference things nearby. The name "samsung" is a popular password, I think this is because it's the brand name on the monitor that people are looking at (I've got two Samsung monitors in front of me right now). Similarly, there are a lot of names of home computers like "dell", "packard", "apple", "pavilion", "presario", "compaq", and so on. It's hard to figure out what belongs in this category, though. Is "cocacola" a popular password because there is a can of coke on their desk? Or just because it's a well-known name? In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.

    3% of passwords are "emo" words. Swear words, especially the f-word are common, but so are various forms of love and hate (like "iloveyou" or "ihateyou").

    3% are 'don't care' words. I've always thought that dialogs, like Microsoft's UAC, should have a button labeled "whatever". When prompted with "This program may contain a virus, do you want to run it?", instead of having two buttons "YES" or "NO", dialogs should contain a third button labeled "WHATEVER" or "I DON'T CARE". A lot of password choices reflect this attitude, either implicitly with "abc123" or "blahblah", or explicitly with "whatever", "whocares", or "nothing".

    1.3% are passwords people saw in movies/TV. This is a small category, consisting only of "letmein", "trustno1", "joshua", and "monkey", but it accounts for a large percentage of passwords.

    1% are sports related, at least. I'm not a sports fan so I'm unlikely to recognize a lot them and categorize them correctly. The US has a lot of popular sports, a lot of teams, and a lot of stars. This breadth means that no particular name is very popular, but in other countries, they become more concentrated. For example, in the UK, the popular soccer teams "arsenal" and "liverpool" are regularly in the Top 10 lists of passwords.

    Here is the top 20 passwords from the phpbb dataset. You'll find nothing surprising here, all of them are on this Top 500 list.
    3.03% "123456"
    2.13% "password"
    1.45% "phpbb"
    0.91% "qwerty"
    0.82% "12345"
    0.59% "12345678"
    0.58% "letmein"
    0.53% "1234"
    0.50% "test"
    0.43% "123"
    0.36% "trustno1"
    0.33% "dragon"
    0.31% "abc123"
    0.31% "123456789"
    0.31% "111111"
    0.30% "hello"
    0.30% "monkey"
    0.28% "master"
    0.22% "killer"
    0.22% "123123"

    Notice that whereas "myspace1" was one of the most popular passwords in the MySpace dataset, "phpbb" is one of the most popular passwords in the phpbb dataset.

    I'm interested why "dragon", "master", and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity.

    The password length distribution is as follows:

    1 character 0.34%
    2 characters 0.54%
    3 characters 2.92%
    4 characters 12.29%
    5 characters 13.29%
    6 characters 35.16%
    7 characters 14.60%
    8 characters 15.50%
    9 characters 3.81%
    10 characters 1.14%
    11 characters 0.22%

    Note that phpbb has no requirements for password lengths, so people tend to choose shorter passwords than for sites like MySpace.

    Update: Ashley Pinner wrote to tell me that phpBB3 uses the newer salted-passwords that require a minimum of 6 characters, and that anybody who has logged in since the change has had their accounts upgraded to the new hashing scheme. This means if you have logged into phpbb.com recently, your password is less likely to have been stolen.

    Update: A lot of left-handed people have told me that they use their right-hand for the mouse, and therefore my theory about "159357" is incorrect.
    Logged
    Never take two clocks to sea. Take one or three.

    Q: HOW DO YOU ANNOY A WEB DEVELOPER?
    winkleer
    Guest
    « Reply #1 on: February 07, 2009, 04:19:35 PM »
    0

    Very interesting read.

    Quote
    I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.

    wait...  thats not right.
    Logged
    ishkur88
    Guest
    « Reply #2 on: February 07, 2009, 05:20:25 PM »
    0

    Yeah I don't know where he got that from. Seems like it should be the other way around, to me at least.
    Logged
    winkleer
    Guest
    « Reply #3 on: February 07, 2009, 06:33:31 PM »
    0

    unless he thinks people type one handed with the other hand on the mouse...

    i do tend to use keyboard patterns as passwords though :p
    like if its something i don't care too much about, or testing
    « Last Edit: February 07, 2009, 06:40:55 PM by winkleer » Logged
    RedEvolution
    Veteran Member
    Sr. Member
    ***
    Instant Messenger
    Offline Offline

    Posts: 377
  • Respect: 0


  • « Reply #4 on: February 07, 2009, 06:41:30 PM »
    0

    Quote
    Update: A lot of left-handed people have told me that they use their right-hand for the mouse, and therefore my theory about "159357" is incorrect.

    I personally am left-handed, and I use my right hand to use the mouse.
    Logged
    <Captain_Hindsight1> next commenter is gay
    <st3alth> i could try if u want
    <st3alth> no
    <RedEvolution> lol
    <Captain_Hindsight1> LOL
    <st3alth> no
    <RedEvolution> yup
    <st3alth> im not
    <RedEvolution> you admitted it
    <st3alth> i was typing while he said that
    <RedEvolution> mhm, sure
    <st3alth> doesnt count
    <RedEvolution> i have a new sig
    <st3alth> no
    <RedEvolution> ty ^^
    <st3alth> no
    <st3alth> fuck
    haZed
    Elite
    ********
    Instant Messenger
    Offline Offline

    Posts: 1717
  • Respect: +1


  • ::1/128

    Hakipedia
    « Reply #5 on: February 07, 2009, 11:32:01 PM »
    0

    For those of you that want to read about how he did it, and get password lists and whatnot, see here:
    Code: [Select]
    http://hackedphpbb.blogspot.com/
    Logged
    haZed
    Elite
    ********
    Instant Messenger
    Offline Offline

    Posts: 1717
  • Respect: +1


  • ::1/128

    Hakipedia
    « Reply #6 on: February 07, 2009, 11:41:50 PM »
    0

    3.03% "123456"
    2.13% "password"
    1.45% "phpbb"
    0.91% "qwerty"
    0.82% "12345"
    0.59% "12345678"
    0.58% "letmein"
    0.53% "1234"
    0.50% "test"
    0.43% "123"

    The top 11, at least, are all bung passwords. People don't want to use their real passwords on sites like these. I do the same sometimes.
    Logged
    ishkur88
    Guest
    « Reply #7 on: February 07, 2009, 11:50:14 PM »
    0

    Its interest to read the comments to that post.
    Logged
    Link-
    Veteran Member
    Hero
    ***
    Instant Messenger
    Offline Offline

    Posts: 986
  • Respect: +2


  • .o0o.

    « Reply #8 on: February 07, 2009, 11:51:07 PM »
    0

    For those of you that want to read about how he did it, and get password lists and whatnot, see here:
    Code: [Select]
    http://hackedphpbb.blogspot.com/

    Oh.. Just want to ask a question, if he didn't find that 0day can he take the credit just cause he hacked phpbb and posted his hack online?
    Just wondering...
    Logged
    haZed
    Elite
    ********
    Instant Messenger
    Offline Offline

    Posts: 1717
  • Respect: +1


  • ::1/128

    Hakipedia
    « Reply #9 on: February 08, 2009, 12:08:05 AM »
    0

    Oh.. Just want to ask a question, if he didn't find that 0day can he take the credit just cause he hacked phpbb and posted his hack online?
    Just wondering...

    One of the comments on the site I listed pretty much sums it up:

    Quote
    For those claiming that phpBB.com should have stayed more up to date, look at the dates. The exploit was released on Jan. 14th, which is when he said he started. The patch was released Jan. 29th. That makes it a zero day exploit, there is nothing that could have been done. The end of the attack was executed on Jan. 31st which is the only part that was visible because phpbb.com took the site offline at that time. phpBB may have been running a vulnerable PHPlist at that time, but so would every other site using the latest version. Even had they updated as soon as the fix was released, according to his actions, his shell script was already in place long before that, so it would have done no good. This is just a script kiddie who used an exploit before the publisher could release a fix, nothing more. Someone with more skills in hacking probably could have caused all of this to happen on Jan. 14th instead of taking two weeks to figure it out.
    Logged
    Link-
    Veteran Member
    Hero
    ***
    Instant Messenger
    Offline Offline

    Posts: 986
  • Respect: +2


  • .o0o.

    « Reply #10 on: February 08, 2009, 12:12:34 AM »
    0

    Definitely Busted!  :)
    Logged
    blink_212
    Veteran
    *******
    Instant Messenger
    Offline Offline

    Posts: 1453
  • Respect: +6

  • EG Fanatic.

    « Reply #11 on: February 11, 2009, 03:13:27 PM »
    0

    I was more interested in the picture.

    Code: [Select]
    http://2.bp.blogspot.com/_YJHj9hJqVko/SYTGXXDCXvI/AAAAAAAAAAs/Fgev_-HZ2LU/s1600-h/cat.jpg
    Logged
    Pages: [1] Print 
    « previous next »
     

    Find Us on Facebook! Find us at Facebook! - Follow Us! Follow us with Twitter! - Make sure to Stumble us! Stumble upon us! - Subscribe! Subscribe to our feed!
    Review enigmagroup.org on alexa.com

    ©Enigma Technology Group Inc. 2005-2015