From: Robert Lemos <mail () robertlemos com>
Subject: Re: [Dailydave] phpbb.com hacked...
To: robert_david_graham () yahoo com
Cc: "dailydave" <dailydave () lists immunitysec com>, "Dave Aitel" <dave.aitel () gmail com>
Date: Saturday, February 7, 2009, 4:41 AM
Did you take into account that about half the accounts
appeared to be spammers, according to the post by the guy
who hacked the site? (He found 400,000 accounts, but there
are only 200,000 members.)
So, in fact, the 28,000 passwords he decrypted may only be
spam accounts, or a significant fraction of them are, which
could be the reason your results are skewed toward simple
passwords. Just an alternative explanation...
-R
On Feb 6, 2009, at 6:12 PM, Robert Graham wrote:
I ran the passwords through an analysis program to
gather statistics on them. I posted a summary of the results
here:
http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html
35% of passwords are 6-characters. Here is the top 20
list:
Here are the top 20 passwords from the phpbb dataset:
3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"
Why are "dragon", "master", and
"killer" so popular? Since the phpbb dataset
includes e-mail addresses, I'm thinking of e-mailing the
people and asking them why they chose that particular password.
Likewise, while I know that "trustno1" was a
password used in the X-Files, I forget where
"letmein" and "monkey" come from (I know
they were used in movies/tv, I just forget which ones).
| robert lemos | mail () robertlemos com |
| science & technology journalist |
| http://www.robertlemos.com |
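The kind of analysis Graham describes (length distribution plus a top-N list), and Lemos's point that a suspected-spam subset can skew it, as an added illustration that is not code from either poster; the sample list and its spam flags are constructed, not the phpbb data.

```python
from collections import Counter

# Constructed sample of (password, suspected_spam_account) pairs.
# Not the phpbb dataset; chosen only to show how a spam subset skews the stats.
SAMPLE = [
    ("123456", True), ("123456", True), ("password", True), ("phpbb", True),
    ("qwerty", True), ("123456", True), ("letmein", False), ("Tr0ub4dor&3", False),
    ("correct horse", False), ("dragon", False), ("123456", True), ("abc123", True),
]


def length_distribution(passwords):
    """Return {length: percentage of passwords with that length}."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return {n: round(100.0 * c / total, 2) for n, c in sorted(counts.items())}


def top_n(passwords, n=5):
    """Return [(percentage, password)] for the n most frequent passwords."""
    total = len(passwords)
    return [(round(100.0 * c / total, 2), p)
            for p, c in Counter(passwords).most_common(n)]


def compare_subsets(sample):
    """Run both statistics over all accounts and over non-spam accounts only,
    so the two reports can be compared side by side."""
    all_pw = [p for p, _ in sample]
    real_pw = [p for p, spam in sample if not spam]
    return {
        "all": {"len": length_distribution(all_pw), "top": top_n(all_pw)},
        "non_spam": {"len": length_distribution(real_pw), "top": top_n(real_pw)},
    }


if __name__ == "__main__":
    for label, stats in compare_subsets(SAMPLE).items():
        print(label, stats["len"])
        for pct, pw in stats["top"]:
            print(f"  {pct:5.2f}% {pw!r}")
```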