Slashdot: News for Nerds

Passwords From PHPBB Attack Analyzed

Soulskill posted more than 5 years ago | from the convenience-trumps-security dept.

Security 299

Robert David Graham writes "The hacker who broke into phpbb.com posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"
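The keyboard-pattern category described in the summary can be checked mechanically, for example to reject such passwords when they are set. The following is an added example, not the analysis tool from the article; the key coordinates, the adjacency rule and the minimum run length of 3 are assumptions of this sketch.

```python
# Added example: keyboard-walk detector. The key geometry below (row offsets,
# adjacency threshold, minimum run length) is an assumption of this sketch.
MAIN_ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5),
             ("asdfghjkl", 0.75), ("zxcvbnm", 1.25)]      # staggered QWERTY rows
KEYPAD_ROWS = [("789", 0.0), ("456", 0.0), ("123", 0.0)]  # numeric keypad grid


def build_layout(rows):
    """Map each key to an (x, row) coordinate."""
    return {ch: (offset + i, row)
            for row, (keys, offset) in enumerate(rows)
            for i, ch in enumerate(keys)}


LAYOUTS = {"main": build_layout(MAIN_ROWS), "keypad": build_layout(KEYPAD_ROWS)}


def adjacent(a, b, layout):
    """True if b is the same key as a or one of its physical neighbours."""
    if a not in layout or b not in layout:
        return False
    (xa, ya), (xb, yb) = layout[a], layout[b]
    return abs(ya - yb) <= 1 and abs(xa - xb) <= 1


def walk_runs(password, layout):
    """Split a password into maximal runs of physically adjacent keys."""
    pw = password.lower()
    runs, current = [], pw[:1]
    for prev, ch in zip(pw, pw[1:]):
        if adjacent(prev, ch, layout):
            current += ch
        else:
            runs.append(current)
            current = ch
    if current:
        runs.append(current)
    return runs


def classify(password, min_run=3):
    """Return (layout_name, runs) if the whole password is keyboard walks, else None."""
    for name, layout in LAYOUTS.items():
        runs = walk_runs(password, layout)
        if runs and all(len(r) >= min_run for r in runs):
            return name, runs
    return None


if __name__ == "__main__":
    # Constructed sample: patterns quoted on this page plus two non-patterns.
    for pw in ["1234", "qwerty", "asdf", "1qaz2wsx", "1q2w3e", "159357",
               "147258", "password", "kitten6apple"]:
        print(f"{pw:14} {classify(pw)}")
```

Digits are tried on the main number row first and on the keypad second, which is why "1234" is reported as a main-keyboard walk and "159357" as two keypad diagonals.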

299 comments

159357 popular with lefties? (5, Funny)

LordKaT (619540) | more than 5 years ago | (#26764805)

The numeric keypad is on the right ... how exactly does this work out?

Re:159357 popular with lefties? (1)

Z00L00K (682162) | more than 5 years ago | (#26764867)

Works fine with right-hand people too.

I would recommend anyone that can to use accented characters - which will introduce a factor that makes it harder to crack using dictionaries.

"Pásswòrð" maybe?

Re:159357 popular with lefties? (4, Insightful)

Carewolf (581105) | more than 5 years ago | (#26764919)

Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

Re:159357 popular with lefties? (1)

anss123 (985305) | more than 5 years ago | (#26764975)

Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

I once set my login password on a Unix account from Windows NT, I was then utterly unable to log on from Linux. At the time I was clueless about keyboard differences so it took some excessive head scratching to figure out.

Re:159357 popular with lefties? (1)

Antique Geekmeister (740220) | more than 5 years ago | (#26765309)

Ahh. NumLock keys and kvm's, both local and remote, can create similar problems. Some kvm and system booting system combinations activate the numlock setting without actually setting the light on the keyboard display. This is why it's so useful to have a bit of text space _somewhere_ on the screen that displays what you're actually typing, so you can check how your password is actually popping up, as long as you keep people from looking over your shoulder.

Re:159357 popular with lefties? (1)

AlXtreme (223728) | more than 5 years ago | (#26765069)

Unfortunately it can also make it impossible to login if you are trying to login remotely from a foreign computer, for instance to check mail while traveling.

I had this same problem when I was in France. The solution? Search for 'qwerty' on google images :)

Re:159357 popular with lefties? (1, Interesting)

Hurricane78 (562437) | more than 5 years ago | (#26765265)

But for that, you first have to *find* the letters "qwerty", and maybe even "http://google.com" (because IE does not automatically add the http) first.

Good luck, finding them on MY keyboard: http://www.neo-layout.org/ [neo-layout.org]
Hint 1: The letters printed on my keys have no relation to the actual layout.
Hint 2: "Ebene" means "level". So: Yes, that thing has 6 levels. (7 actually)

Re:159357 popular with lefties? (1)

bhtooefr (649901) | more than 5 years ago | (#26765641)

Every version of IE I can think of does add the HTTP.

Maybe you're thinking of NCSA Mosaic? That's the last browser I can think of that required you to type HTTP. And even then, only the very early versions.

Re:159357 popular with lefties? (1)

da5idnetlimit.com (410908) | more than 5 years ago | (#26765277)

???

I call bullshit...

French keyboards do have accented characters, but you have to ctl-alt most of them to get them.

azerty to qwerty keyboards is only about substituting 4 or 5 of the main characters. ridiculously easy.

It starts being much more interesting when your password contains |, @ or &, a french keyboard and a remote system configured at logon for us keyboard...

Re:159357 popular with lefties? (0)

Anonymous Coward | more than 5 years ago | (#26765439)

Search for 'qwerty' on google images

Oh dear god!! Don't do that search without safesearch on..

Re:159357 popular with lefties? (0)

Anonymous Coward | more than 5 years ago | (#26765585)

It could be worse ;)

Re:159357 popular with lefties? (1)

Squeeonline (1323439) | more than 5 years ago | (#26765701)

mod parent up. We need a mod "tru dat". Some sick shit in there with keyboard layouts!

Re:159357 popular with lefties? (1)

mrbooze (49713) | more than 5 years ago | (#26765431)

Wasn't it HP-UX years ago where the "@" symbol was some sort of delete key? I remember once it taking me a while to sort out why an employee kept complaining that his password wasn't working only on certain systems.

Re:159357 popular with lefties? (5, Informative)

Anonymous Coward | more than 5 years ago | (#26764885)

As in : left hand on the mouse, right hand free to type something ?

Re:159357 popular with lefties? (3, Interesting)

RedK (112790) | more than 5 years ago | (#26765111)

I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse on the left, though I'm sure that weirdo exists.

Re:159357 popular with lefties? (3, Informative)

freedomlinux (1072142) | more than 5 years ago | (#26765169)

Another leftie here...
I never use the mouse on the left and switching the button layout seems like an awkward hassle.

Maybe I'm not used to it because I tend to use public computers where admins would disapprove of re-arranging.
I'm just so used to the regular right-handed mouse and don't know any lefties who aren't.

Re:159357 popular with lefties? (1)

Mista2 (1093071) | more than 5 years ago | (#26765483)

For me mouse on the left but I don't swap the buttons. QWERTY keyboards are inherently biased favouring lefties when using a mouse on the left as the page up/down and arrow keys all fall to the unoccupied hand.
At home I also use an Apple Mighty Mouse and this is great left handed. Left click with all fingers on the front of the mouse, right-click with careful press of left index finger only.

Re:159357 popular with lefties? (4, Funny)

Majik Sheff (930627) | more than 5 years ago | (#26765181)

I don't have a right hand you insensitive clod!

Re:159357 popular with lefties? (1)

nedlohs (1335013) | more than 5 years ago | (#26765199)

Would be a strange thing to do. I know righties who use their mouse with their left hand, but there's some benefits to that that lefties get "for free" using the more standard setup.

Re:159357 popular with lefties? (3, Insightful)

basscomm (122302) | more than 5 years ago | (#26765201)

I'm a leftie, and my mouse is on the right, like.. well.. all the other lefties I know. Actually, I have never seen someone use a mouse on the left, though I'm sure that weirdo exists.

I've done tech support for several hundred Average Joe computer users, and out of those, I've seen the mouse on the left-hand side of the keyboard twice, and only one of those times did the person actually switch the buttons around.

I'm fairly well convinced that most people don't realize you can actually put the mouse on the left.

Re:159357 popular with lefties? (1)

ozbon (99708) | more than 5 years ago | (#26765417)

I'm left-handed, and do use the mouse on the left side of the keyboard. Mind you, I haven't swapped the buttons over - that's just weird...

For me, I find that it's a lot easier to have the mouse on the left hand side. But I'm used to moving to other people's computers (and, being a contractor, changing jobs regularly as well) so I don't fark up the buttons as well.

Re:159357 popular with lefties? (3, Interesting)

eggy78 (1227698) | more than 5 years ago | (#26765293)

This is getting a little off-topic, but I used to work with a guy that had a mouse on the left and right side of his keyboard (connected to the same computer). I don't know if he was left- or right-handed, but it was definitely a little odd. He claimed it dramatically increased his productivity and was a pretty amazing setup. I don't believe him.

My mouse is on the left (1)

spaceman375 (780812) | more than 5 years ago | (#26765323)

Even tho I'm right handed. I haven't switched the buttons. I did it because of carpal tunnel syndrome. Switching turned out to be pretty easy, tho even after 2 years I still switch back for a fast moving game; my left hand just hasn't got the speed & accuracy of my right.

Re:159357 popular with lefties? (3, Interesting)

vorpal22 (114901) | more than 5 years ago | (#26765395)

I'm right handed, and I trained myself to use my mouse with my left hand. The reason? Because I was starting to develop wrist problems back when I was in IT and had to spend eight hours a day on the computer. Using the mouse with your right hand entails having to move over a much larger area of keyboard to get to it (numerical keypad, arrow keys, etc). With the left hand, you only have to travel a small distance. Also, being mouse-ambidextrous allows you to switch back and forth, thus taking the entire burden off of one hand.

In the end, I decided to go with a trackball, which is built for the right hand (MS optical one) but which I use with my left hand. Furthermore, it's great because since it's a trackball and on the wrong side of the keyboard, it keeps people away from my computer, which is just fine with me :-).

Re:159357 popular with lefties? (2, Interesting)

Valdrax (32670) | more than 5 years ago | (#26765129)

Never would've thought of that. As a left-handed person, I still use the mouse with my right hand because that's where everyone else puts it. Also, I'd have to remap the left/right buttons to be able to use my index finger for the majority of clicking.

(Coincidentally, I did use that as my phone password for a while after some Cisco phones at my job barred my traditional "12345" (idiots, luggage) VM password. I've never even really understood a need to secure my VM in the first place, but I digress.)

Re:159357 popular with lefties? (1)

Luthair (847766) | more than 5 years ago | (#26765215)

I had that happen once, so instead of going horizontally across the numpad I changed to vertical ;) 147258 ftw

Re:159357 popular with lefties? (1)

wondershit (1231886) | more than 5 years ago | (#26765191)

Yes, this may be what the author had in mind. Still it's (in my experience) a wrong assumption. I know a few lefties (and I am one myself) and none of them uses the mouse with the left hand (also including me). In fact I know more righties than lefties that use the mouse with the left hand: one.

Re:159357 popular with lefties? (5, Funny)

auric_dude (610172) | more than 5 years ago | (#26765497)

Nothing too sinister about being left handed.

Re:159357 popular with lefties? (0)

Anonymous Coward | more than 5 years ago | (#26764917)

Right handed people will use the mouse with their right hand leaving their left free, with easier access to the main number keys. While a left handed mouse user's free hand will be closer to the number pad.

Re:159357 popular with lefties? (2, Insightful)

Aranykai (1053846) | more than 5 years ago | (#26765077)

Because they place their left hand on the mouse, leaving the right hand on the right side of the keyboard. It's only natural to use the number pad instead of moving their mouse hand.

Re:159357 popular with lefties? (1)

Neflyte_Zero (866396) | more than 5 years ago | (#26765275)

No left-handed person, myself included, would use the mouse with his left hand for the simple reason that a goodly number of mice are shaped to fit a right hand so it would be ... impractical to get used to the ambidextrous mice and then encounter a right-handed only mouse and try to use it in the left hand.

Much better to just use the right hand and be ready for any situation.

Re:159357 popular with lefties? (1)

gmrath (751453) | more than 5 years ago | (#26765569)

I'm left-handed and keep the mouse on the right-hand side because it's easier to write something down as needed while still using the mouse. I know an engineer who's right-handed and uses the mouse from the left side for the same reason: he can write while still using the mouse. Didn't change the button orientation, though; still a standard right-side mouse.

Re:159357 popular with lefties? (2, Interesting)

mikael (484) | more than 5 years ago | (#26765155)

Perhaps it is a difference between laptops and desktop keyboards. On a commodity laptop there is no numeric keypad, though there is the numlock key on some which allows the UIOJKL keys to be used as numeric keys.

The quickest way of typing numbers is to use the top row of keys. In that case, sequences like '1234', 'qwe123', 'q1w2e3' would be the most convenient. If you have a full sized desktop keyboard, then the availability of the keypad would allow the sequence 159357 to be typed in rapidly.

Re:159357 popular with lefties? (1)

tomz16 (992375) | more than 5 years ago | (#26765227)

The numeric keypad is on the right ... how exactly does this work out?

Don't know why you were modded insightful. Subby is correct!

Imagine a keyboard... now imagine a mouse...

Now imagine a right handed user using both and typing 1234.

Now imagine a left handed user using both and typing 159357.

Comprende?

Re:159357 popular with lefties? (0)

Anonymous Coward | more than 5 years ago | (#26765465)

No. If you actually *knew* any left handed people, you'd know the vast majority of them keep the mouse on the right, just like everybody else. Mainly because they end up having to use other people's machines from time to time, and those people are usually right handed. So you either have to waste all this time getting the mouse moved over to left side where you're comfortable with it and getting the buttons remapped, or you awkwardly try to use the mouse with your right hand. So the best option is really to just use the mouse on the right, just like everybody else. And then curse the righties for their tyranny, and complain about how I can never find a pair of scissors that doesn't hurt my hands when I need one.

And so... (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26764811)

someone 'analyzed' another password list for correlations and found nothing of inherent value to security other than 'people are a problem'.

Chalk yet one up for the Adams team.

Are they the problem? (5, Insightful)

khasim (1285) | more than 5 years ago | (#26765093)

someone 'analyzed' another password list for correlations and found nothing of inherent value to security other than 'people are a problem'.

People are the weakest link in any security program. But does that make them the "problem" or does it mean that we're approaching security from the wrong angle?

Passwords suck. People are not capable of memorizing enough entropy to provide more than one or two decent passwords.

So do not focus on "strong" passwords as your only defense against attack.

One approach is to encourage "weak" passwords (word.number.word) that users can write down ... but then focus on monitoring and login delays so that any attack will be detected before it even has a one in ten million chance of success.

Thank you for registering at slashdot. Your password is kitten6apple. Please write it down. If you wish to change it, click HERE. There will be a 10 second delay enforced between login attempts and a 10 minute delay after 3 failed login attempts.

There. As long as they don't store the passwords in the clear (or as hashes without including a random salt) you should be fairly "secure". At least "secure" enough for a "social networking" site.

For your bank or other financial institution, you'd want a second, non-Internet-based, channel for verification of transactions. Such as an automated call to your phone.

People are not the "problem". People's limitations SHOULD be part of the design specifications for the security program.
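The login policy in the sample message above (10 seconds between attempts, a 10 minute delay after 3 failures) can be written as a small per-account throttle. This is an added example, not code from Slashdot or phpBB; the class and function names are hypothetical, and the simulation measures how many guesses the policy lets through in a given window.

```python
import time

MIN_INTERVAL = 10   # seconds enforced between login attempts
MAX_FAILURES = 3    # failed attempts before the long delay
LOCKOUT = 600       # 10 minute delay, in seconds


class LoginThrottle:
    """Per-account throttle; the clock is injectable so it can be simulated."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts = {}

    def _state(self, account):
        return self._accounts.setdefault(
            account, {"last": None, "failures": 0, "locked_until": 0})

    def retry_after(self, account):
        """Seconds the caller must still wait (0 means an attempt is allowed)."""
        s, now = self._state(account), self._clock()
        waits = [s["locked_until"] - now]
        if s["last"] is not None:
            waits.append(s["last"] + MIN_INTERVAL - now)
        return max(0, *waits)

    def attempt(self, account, check_password):
        """Run check_password() only if allowed; return ok / denied / throttled."""
        if self.retry_after(account) > 0:
            return "throttled"          # the password is never evaluated
        s = self._state(account)
        s["last"] = self._clock()
        if check_password():
            s["failures"] = 0
            return "ok"
        s["failures"] += 1
        if s["failures"] >= MAX_FAILURES:
            s["locked_until"] = s["last"] + LOCKOUT
            s["failures"] = 0
        return "denied"


def guesses_allowed(window_seconds):
    """Simulate a client that always fails and retries as early as permitted."""
    now = [0]
    throttle = LoginThrottle(clock=lambda: now[0])
    guesses = 0
    while now[0] < window_seconds:
        if throttle.attempt("alice", lambda: False) == "denied":
            guesses += 1
        now[0] += max(1, throttle.retry_after("alice"))
    return guesses


if __name__ == "__main__":
    print("guesses per day against one account:", guesses_allowed(86400))
```

Because the counter is keyed on the account name, anyone who knows a username can trigger the 10 minute delay for its owner, which is one reason to pair the throttle with the monitoring the comment calls for.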

Re:Are they the problem? (1)

LihTox (754597) | more than 5 years ago | (#26765535)

I think it is reasonable to ask people to write passwords down, so long as they treat them on the same level as their credit card number-- e.g. keep them in a wallet. After all, we carry our credit card numbers around with us all the time, in written form, right there on the card. When we have to charge something online, we pull out the card and type in the 16-digit number: few people have their number memorized I imagine. Passwords can work the same way. There's a risk of theft, of course, but the consequences are probably minor compared to having one's credit card stolen.

Re:Are they the problem? (1)

corychristison (951993) | more than 5 years ago | (#26765697)

Or better yet, use your credit card number /as/ your password.

passwords (5, Funny)

kohaku (797652) | more than 5 years ago | (#26764817)

What the hell, Slashdot? Stop posting all my passwords!

Re:passwords (1, Funny)

Anonymous Coward | more than 5 years ago | (#26764881)

Here's [whatsmypass.com] a nice list you can pick others from...

Re:passwords (0)

Anonymous Coward | more than 5 years ago | (#26765279)

What the hell, Slashdot? Stop posting all my passwords!

Seriously, I read through that and was like "damn, all my normal passwords are in here, oh well!"

It's not that I don't want a secure password, but for work, shit, I need 4 different passwords, and the ones listed just make life easier while still getting around the "security" filter.

The horrible problem (4, Insightful)

Z00L00K (682162) | more than 5 years ago | (#26764833)

It's a horrible problem of having leaked passwords, and the only way around it is to avoid logging the cleartext password and do a hash of the password combined with a salt before storing it.

In that way it's at least not too easy to recreate the password used by various users.

It's of course standard procedure, but it just makes it evident how incredibly trivial some systems are built.

Re:The horrible problem (4, Interesting)

qw0ntum (831414) | more than 5 years ago | (#26765153)

From my perusal of TFA, I think the passwords were actually hashed in the DB, but the guy who cracked the site broke them: http://hackedphpbb.blogspot.com/ [blogspot.com]

The response from phpBB.com seemed to indicate that the only passwords that were cracked were from those accounts that had been created in an older system, and had not logged in under the newer system. Given the large number of spam accounts on that site, I wonder if the majority of those cracked, not recently logged in accounts were spam accounts, and as such if the passwords are not representative of the userbase at large: http://area51.phpbb.com/phpBB/viewtopic.php?f=3&t=29973 [phpbb.com]

Re:The horrible problem (4, Interesting)

slackergod (37906) | more than 5 years ago | (#26765409)

I agree... it just plain scares me that so many large systems don't even bother with such trivial precautions as hashing. It's even more trivial than sql injections. Up until it happened, I would have _never_ guessed myspace & phpbb stored plaintext. It seems borderline incompetent.

I've implemented tons of little one-off account systems, for websites small enough they'll probably never even see a hacker. But before I even implemented the first one, I went through the trouble of finding the best password hash algorithm I could (http://people.redhat.com/drepper/SHA-crypt.txt)

Sure, I've had customers ask "why can't it just email me my password when I forget?" But you know what? Just a few minutes of quick explanation, and even people with NO math or cs background can understand why it's important.

So for the love of the gods, people, please take an hour out of your time to put in a hash alg (even md5-crypt is better than nothing)... it's just not that hard.

---

Just to go off on a rant here...
I've also noticed in some web applications there is the tendency to just pick a hash alg at random. Be warned: not all hash algorithms are created equal.

"Checksum" algorithms such as CRC32 are woefully insufficient: easy to reverse (for small strings), easy to find collisions. They're basically just one guessable step away from plaintext.

"Integrity" algorithms such as MD5 & SHA are a little better, since they're very hard to reverse, and difficult to find collisions.
The problem with using these types of hashes directly is that they will always hash a password to the _same_ string. While that's desirable for their purposes (file integrity, etc), that's not good at all for passwords: you can pre-build a table of known mappings beforehand, and use it to quickly guess many passwords in parallel (aka a rainbow table): Given a table of 10k user passwords hashed like this, and a pre-built table, the odds are very good you'll get a significant number of the passwords in a very short amount of time.

This is why a proper "Password" hash (eg bcrypt, md5-crypt, sha-crypt) includes a "salt" which is randomly generated each time the password is set (and not just the first time). This prevents the rainbow attacks which are possible on plain integrity hashes. But prepending (or appending) the salt is not enough, since its effect can be undone mathematically, at least enough so that it presents no real additional barrier.

Genuine password hashes, while using an integrity hash as their basis, mix & blend the password and the salt in so many variable ways as to make this reversal impossible. And there are so many nuances here that _you should not roll your own_ (unless you're Bruce Schneier). Read bcrypt, sha-crypt or md5-crypt's specs for some details.

Note: don't use the old unix-crypt, while it is a password hash in the strict sense, it's so old and simple, it's barely stronger than crc32.

Note: sha-crypt adds additional flexibility via its "rounds" system, allowing it to easily grow more complicated as computers grow more powerful. This is why I prefer it above all the others.

End rant: all this is why you should use sha-crypt or md5-crypt, and nothing lesser.

Re:The horrible problem (3, Insightful)

NeoThermic (732100) | more than 5 years ago | (#26765541)

Just to put a huge hole in your rant, the passwords in question *were* md5'ed. They were only in md5 format because they were passwords left unconverted since the hash algo changed in phpBB3. To convert them, it requires the user in question to log in just once post-conversion. The accounts cracked had not done that and were thus very unused accounts.

NeoThermic
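The two comments above describe unsalted MD5 records and conversion to a newer hash at the next login. The following is an added example of that upgrade-on-login flow, not phpBB's code: PBKDF2-HMAC-SHA256 from Python's standard library stands in for the sha-crypt and bcrypt schemes named in the thread, and the record format, the iteration count and all function names are assumptions. It goes one step past the thread by also wrapping legacy MD5 records in the salted hash without waiting for a login, so dormant accounts do not stay on bare MD5.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # illustrative work factor (assumption); tune to your hardware


def legacy_md5(password):
    """Old-style record: unsalted MD5, identical for identical passwords."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def _stretch(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations).hex()


def hash_password(secret, scheme="pbkdf2"):
    """New-style record: scheme$iterations$salt$digest with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return f"{scheme}${ITERATIONS}${salt.hex()}${_stretch(secret, salt, ITERATIONS)}"


def wrap_legacy(record):
    """Protect a dormant account now: salted hash over the stored MD5 hex."""
    scheme, md5_hex = record.split("$", 1)
    if scheme != "md5":
        raise ValueError("not a legacy record")
    return hash_password(md5_hex, scheme="pbkdf2-md5")


def verify(password, record):
    """Return (ok, upgraded_record); upgraded_record is None if nothing to store."""
    scheme, rest = record.split("$", 1)
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    if scheme == "md5":
        ok, current = hmac.compare_digest(md5_hex, rest), False
    elif scheme in ("pbkdf2", "pbkdf2-md5"):
        iterations, salt_hex, digest = rest.split("$")
        secret = password if scheme == "pbkdf2" else md5_hex
        candidate = _stretch(secret, bytes.fromhex(salt_hex), int(iterations))
        ok = hmac.compare_digest(candidate, digest)
        current = scheme == "pbkdf2" and int(iterations) >= ITERATIONS
    else:
        return False, None
    # On a successful login with an outdated record, re-hash the real password.
    return ok, (hash_password(password) if ok and not current else None)


if __name__ == "__main__":
    # Constructed sample table: two users who picked the same password.
    users = {"alice": legacy_md5("kitten6apple"), "bob": legacy_md5("kitten6apple")}
    print("same MD5 record:", users["alice"] == users["bob"])
    users = {name: wrap_legacy(rec) for name, rec in users.items()}
    print("same wrapped record:", users["alice"] == users["bob"])
    ok, upgraded = verify("kitten6apple", users["alice"])
    print("login ok:", ok, "-> stored scheme:", upgraded.split("$")[0])
```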

Re:The horrible problem (-1, Flamebait)

John Hasler (414242) | more than 5 years ago | (#26765579)

But why were any cleartext passwords ever recorded at all?

Re:The horrible problem (1)

John Hasler (414242) | more than 5 years ago | (#26765611)

You're right, but hashing makes "password recovery" impossible. Which do you think most users consider most important: security, or the ability to recover their forgotten passwords by an obvious fact about themselves?

Left and right reversed? (1, Redundant)

argent (18001) | more than 5 years ago | (#26764859)

I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.

Last time I looked, the keypad was on the right of the keyboard. ^^

Re:Left and right reversed? (3, Informative)

chillax137 (612431) | more than 5 years ago | (#26764893)

The idea is that lefties are mousing with their left hands - they have the right hand free to do the typing.

Re:Left and right reversed? (5, Funny)

argent (18001) | more than 5 years ago | (#26764983)

That's the first time I've heard of one-handed typing being commonplace. I thought it was restricted to certain kinds of websites. :)

Re:Left and right reversed? (1)

Anonymous Coward | more than 5 years ago | (#26764985)

The idea is that lefties are mousing with their left hands - they have the right hand free to do the typing.

I know of no lefties, myself included, who actually use the mouse with their left hand.

Re:Left and right reversed? (0)

Anonymous Coward | more than 5 years ago | (#26765053)

"I know of no lefties, myself included, who actually use the mouse with their left hand."

You probably don't know many people (don't worry you are in good company, this is slashdot after all)

I use the mouse with either hand, if the hand gets tired I switch hands.

Re:Left and right reversed? (5, Funny)

cslax (1215816) | more than 5 years ago | (#26765253)

I use the mouse with either hand, if the hand gets tired I switch hands.

Can be misinterpreted in so many ways.

Re:Left and right reversed? (1)

argent (18001) | more than 5 years ago | (#26765177)

I know a couple: out of the several hundred developers I was supporting in a previous job I can only recall a couple who were using a mouse left-handed when I was called in to help them... so obviously some people prefer them.

They all type with both hands. Even when entering a password.

Re:Left and right reversed? (1)

thetoadwarrior (1268702) | more than 5 years ago | (#26765621)

Every lefty I know uses their left hand including one dim enough to have bought a right handed mouse.

Re:Left and right reversed? (1)

arkhan_jg (618674) | more than 5 years ago | (#26764995)

Even more so, it's about the width of the body and the natural position of the free hand.

A leftie with his left hand on the mouse, to the left of the keyboard; his right hand naturally falls around the arrow keys or numberpad.

A rightie with his right hand on the mouse to the right side of the keyboard will naturally have his left hand fall around the wasd and 1234 side of the keyboard.

While it's certainly possible to mouse left-handed and use wasd for gaming, (or the keypad if you're a rightie) you end up reaching across your body quite a lot. It's a natural stretch to assume keypad based password entry will be more common amongst lefties.

Re:Left and right reversed? (4, Insightful)

Ian Alexander (997430) | more than 5 years ago | (#26765013)

I've never moused with my left hand on anything approaching a regular basis- it's simply too awkward. I was just taught to use my right hand to mouse like everyone else in elementary school so that's what I do.

--Southpaw

Re:Left and right reversed? (1)

daeley (126313) | more than 5 years ago | (#26765057)

I'm a righty, but if I use a mouse at all it's on the left. Can't remember why I switched it up, but I think it might have been something I read about avoiding wrist strain after using the mouse on the right for years. Feels perfectly natural nowadays.

Re:Left and right reversed? (1)

frenchbedroom (936100) | more than 5 years ago | (#26765219)

I do that too, the mouse is closer to the keyboard that way. And once you've learned the shortcuts Shift+Del = Cut, Ctrl+Ins. = Copy, Shift+Ins. = Paste, you're just as fast for basic editing as if you were mousing with the right hand and chording Ctrl+X, C, and V. Bonus : these shortcuts always work, dvorak layout or not.

Re:Left and right reversed? (1)

vviljo (143799) | more than 5 years ago | (#26765493)

I'm right-handed too and use mouse on the left because if I use it on the right, my elbow starts to hurt like hell after a few hours. It took a week or so to get used to it and even now after years of using the mouse on the left, I still need to use it on the right if much accuracy is needed.

I didn't switch buttons.

Re:Left and right reversed? (0)

Anonymous Coward | more than 5 years ago | (#26765557)

I'm a righty, but if I use a mouse at all it's on the left.

Me too (but note, I didn't change the button assignment, it's a normal mouse like all these other righties use). I changed this very early during computer adaption, perhaps to free my right hand for typing and holding my cup of tea. But nowadays, I don't care which hand to use for what ...

Re:Left and right reversed? (0)

Anonymous Coward | more than 5 years ago | (#26765043)

Except that assumption is wrong. Most left handed people don't go to the trouble of using a mouse with our left hands since we learned how to use a computer like right handed people do--with the mouse on the right. I briefly experimented for about a month with using the mouse with my left hand, and I never got used to it. I highly doubt there's any correlation with handedness and password patterns derived from the numpad.

Re:Left and right reversed? (1)

nih (411096) | more than 5 years ago | (#26765051)

yes, their right hand is free to do the typing

Re:Left and right reversed? (1)

Joce640k (829181) | more than 5 years ago | (#26765187)

So ... why are lefties typing 159357 instead of qazwsx?

Re:Left and right reversed? (0)

Anonymous Coward | more than 5 years ago | (#26765055)

>> Last time I looked, the keypad was on the right of the keyboard. ^^

When was the last time you tried to think a little bit before posting? :D

Passwords are the Problem (5, Interesting)

SolarStorm (991940) | more than 5 years ago | (#26764887)

With so many other methods of user verification why do we still continue with passwords? My work uses so many passwords for each application, and forces you to change them monthly, and some of them force you to use different passwords, that you can look at any monitor and find a postit note with complete access to the system. When I mentioned this to the SA's, they said they need all of the passwords for security? Why not use thumbprints or cards for verification like the hospital I used to work at? Never typed a single password. Had to take the gloves off once or twice, but never a password.

Re:Passwords are the Problem (3, Informative)

Penguin Follower (576525) | more than 5 years ago | (#26765095)

I work for the IT staff of a hospital. Fingerprint readers cause us a headache because the hardware does not work reliably. We recently started shopping for new vendors for finger print readers (trying to find one that works more reliably). Both of the new vendors came in to show us their hardware and couldn't get them to work with at least 90% reliability. We're looking at other forms of authentication now. Problem being, we have to have two forms of identification due to the state board of pharmacy. It was going to be fingerprint readers and passwords... now looks like maybe RSA tokens and passwords instead. We use RSA already and that system doesn't give us many problems at all.

Re:Passwords are the Problem (1)

delvsional (745684) | more than 5 years ago | (#26765221)

Try looking for hand readers. I use them everyday and they are fairly reliable. It basically takes an image of your hand and compares it to a previously taken image. If you're below the difference threshold, you get in. You either punch in a code to tell it which image to compare to or you can swipe a badge.

Re:Passwords are the Problem (0)

Anonymous Coward | more than 5 years ago | (#26765263)

Take a look at smartcards.
The employees are wearing a Tag with their name and photo anyway, aren't they? Just integrate the employee-ID and a smartcard and you're done.

Re:Passwords are the Problem (1)

nametaken (610866) | more than 5 years ago | (#26765131)

Card systems, thumbprint readers, keys, etc. cost money in both hardware and software... both up-front and recurring.

Password systems are built in, cost nothing, and have done the job pretty damn well for decades.

That's not to say it's a perfect solution of course.

Re:Passwords are the Problem (0)

Anonymous Coward | more than 5 years ago | (#26765233)

When biometrics are compromised, you can't issue the user a new thumbprint. When passwords or keys are compromised, you can make new ones.

Re:Passwords are the Problem (1)

Bellbox (1471805) | more than 5 years ago | (#26765453)

We had a problem using fingerprint readers in our surgical services area, as the frequency of hand washing combined with the abrasive soaps made the nurses' fingerprints unreadable. We were using these readers for clock in/clock out purposes, but with the push towards digital records we now have laptops with every nurse and doctor in the hospital and we will definitely not be using any sort of fingerprint readers on those.

Re:Passwords are the Problem (1)

indre1 (1422435) | more than 5 years ago | (#26765481)

One great solution for all this username and password hassle is an electronic ID card, which is already used in many countries. For example in Estonia, larger (over USD500) bank wire transfers can only be made when logged in with an electronic ID card (or with an inconvenient pin-calculator), which is read by a standard Smart card reader, sold for USD10 and is already integrated on most new business laptops. It is nice to see that this card can also be used for signing in on many (both public and private sector) sites. As every Estonian has an ID-card, very many people actually use it daily. Hopefully one day it will be easy and cheap enough to be used on most websites.

Re:Passwords are the Problem (1)

grumbel (592662) | more than 5 years ago | (#26765513)

> Why not use thumbprints

Thumbprints have the disadvantage that you leave them all over the place anywhere you go, which makes them pretty easy to fake and not a very good password replacement. They of course can work in some cases, but are horrible in others.

> cards for verification like the hospital I used to work at?

The problem is:

1) nobody owns them
2) no webpage or browser out there supports it

Classic chicken&egg situation. If Microsoft or Apple would step up and push them, such stuff might have a chance, but without a large party backing it up, I don't have much hope for the near future. The good thing of course is that cost shouldn't be much of an issue if such things ever enter mass production and if such a security token would come with a USB plug it could work across many different OSs and hardware platforms. If Microsoft and Apple fail, there is still a chance that some government near you will do the pushing; talk about digital signatures for every citizen has been going on in some countries.

Re:Passwords are the Problem (1)

Mista2 (1093071) | more than 5 years ago | (#26765631)

At primary school one of my teachers insisted on trying to cure my left-handedness. My handwriting is still terrible to this day thanks to this 8)

That is the same thing I have on my luggage (2, Funny)

daryl_and_daryl (1005065) | more than 5 years ago | (#26764959)

à la Spaceballs

Wait, you broke stolen data? (1)

nurb432 (527695) | more than 5 years ago | (#26764987)

Doesn't that make you a criminal too?

Oh, it was just for 'educational purposes only' so that makes it all better.

Re:Wait, you broke stolen data? (1)

kasperd (592156) | more than 5 years ago | (#26765197)

He didn't provide us with a list of user names and passwords. We don't know about the exact circumstances under which he received them. You don't become a criminal just because somebody decides to send you something. Finding out which are the most popular passwords is a pretty harmless thing to do. If anything it should be a criminal offense to pick such a weak password to begin with. Of course breaking in to get the list of passwords and transferring it to somebody else isn't legal. Using those passwords to log in to those accounts wouldn't be legal either. But he didn't do any of those.

Re:Wait, you broke stolen data? (1)

nurb432 (527695) | more than 5 years ago | (#26765679)

While not 100% true about not becoming a criminal if someone sends you something (let someone send you a bag of pot, and if you hold it in your hand, technically it's possession), this isn't about possession, it's about what he did with it.

Breaking passwords is *technically* illegal, for any purpose.

Huh (0)

Anonymous Coward | more than 5 years ago | (#26765011)

That's how I've been doing it for ages.

78945617946123 would be my default password,
sadly, there wasn't enough room for 7894123794513.

Inaccurate (5, Funny)

DarkAnt (760333) | more than 5 years ago | (#26765039)

Sex and God are not even on the list.

Re:Inaccurate (0)

Anonymous Coward | more than 5 years ago | (#26765161)

6 chars length is a pretty common minimum requirement these days.

So the combination is... 1,2,3,4,5? (0)

Anonymous Coward | more than 5 years ago | (#26765097)

And change the combination on my luggage!

Colemak/Dvorak patterns? (2, Interesting)

ethana2 (1389887) | more than 5 years ago | (#26765171)

How many key patterns are used by people who type with dvorak or colemak? I've always liked the extra security that comes with using an obscure (albeit superior) keyboard layout ;)
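
On the layout question above: a keyboard-walk check in a password policy has to know which layout was typed on, because the same physical key path yields different characters on each. This is an added sketch, not code from the thread or from Graham's analysis tools; the layout tables, the 0.75 threshold and the function names are assumptions, and Colemak is left out for brevity.

```python
# Unshifted key rows per layout. Row stagger is ignored: two keys count as
# neighbours when they are at most one row and one column apart.
LAYOUTS = {
    "qwerty": ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"],
    "dvorak": ["1234567890[]", "',.pyfgcrl/=", "aoeuidhtns-", ";qjkxbmwvz"],
    "keypad": ["789", "456", "123", "0"],
}

POSITIONS = {
    name: {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}
    for name, rows in LAYOUTS.items()
}


def walk_score(password, layout):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    pos = POSITIONS[layout]
    pw = password.lower()
    if len(pw) < 4:
        return 0.0  # too short to call a pattern
    hits = 0
    for a, b in zip(pw, pw[1:]):
        if a in pos and b in pos:
            (r1, c1), (r2, c2) = pos[a], pos[b]
            # A repeated key has distance 0 and counts as a hit too.
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                hits += 1
    return hits / (len(pw) - 1)


def detect_walk(password, threshold=0.75):
    """Return the best-matching layout name, or None if none reaches the threshold."""
    best = max(POSITIONS, key=lambda name: walk_score(password, name))
    return best if walk_score(password, best) >= threshold else None


if __name__ == "__main__":
    # "1qaz2wsx" and "159357" are quoted in the story summary; "aoeuid" is a
    # constructed sample (the Dvorak home row, left to right).
    for sample in ["qwerty", "aoeuid", "1qaz2wsx", "159357", "M@d;m0n3y"]:
        print(f"{sample!r}: {detect_walk(sample)}")
```

A checker that only carries the QWERTY table scores "aoeuid" at 0.2 and lets it through, which is the gap the Dvorak table closes.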

Surely a meaningless analysis? (1)

gilgongo (57446) | more than 5 years ago | (#26765211)

What lessons can we learn from a password list taken from a mailing list? Most if not all people would instinctively choose a weak password for something like that, and those that didn't wouldn't use their "normal" strong one for fear of something like this incident happening. After all, it's only worth choosing a strong password if there's something worth protecting with it. Nobody (that's nobody) chooses new passwords for every system they use. So what's left - "password" and "12345". Not a big surprise.

Re:Surely a meaningless analysis? (1)

Charles Dodgeson (248492) | more than 5 years ago | (#26765475)

I would be interested in distributions. Do these follow Zipf's law [wikipedia.org] or a more general power law?

Although the analysis was fairly superficial, the better we understand human password choice, the better we can work on systems to alleviate the problem. Anyway, I am a big fan of proper password managers. If people are expected to remember more than a small handful of passwords, bad things will happen.
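
One way to look at the distribution question raised above, as an added example that is not part of the thread: rank the passwords by frequency, fit a straight line on log-log axes, and report how much of the user base the top few passwords cover. The sample data is constructed (the page gives no counts), and all function names are assumptions.

```python
import math
from collections import Counter


def rank_frequency(passwords):
    """Password counts sorted from most to least common."""
    return sorted(Counter(passwords).values(), reverse=True)


def zipf_fit(passwords):
    """Least-squares fit of log(count) = a - s*log(rank); returns (s, r_squared).

    s near 1 is classic Zipf; any roughly straight log-log line is a power law.
    This regression is only a quick look: a rigorous power-law test needs
    maximum-likelihood fitting and a goodness-of-fit test.
    """
    counts = rank_frequency(passwords)
    if len(counts) < 3:
        raise ValueError("need at least three distinct passwords to fit a line")
    xs = [math.log(rank) for rank in range(1, len(counts) + 1)]
    ys = [math.log(count) for count in counts]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    return -(sxy / sxx), (sxy * sxy) / (sxx * syy)


def top_k_share(passwords, k):
    """Fraction of all accounts covered by the k most common passwords."""
    counts = rank_frequency(passwords)
    return sum(counts[:k]) / sum(counts)


def constructed_sample(distinct=20, top_count=600):
    """Synthetic list whose r-th most common entry appears about top_count/r times."""
    sample = []
    for rank in range(1, distinct + 1):
        sample.extend([f"pw{rank}"] * round(top_count / rank))
    return sample


if __name__ == "__main__":
    data = constructed_sample()
    s, r2 = zipf_fit(data)
    print(f"exponent s = {s:.2f}, R^2 = {r2:.3f}")
    print(f"top 2 passwords cover {top_k_share(data, 2):.1%} of accounts")
```

The top-k share is the number a defender acts on: it says how many accounts a blocklist of the k most common passwords would have forced onto something else.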

Re:Surely a meaningless analysis? (1)

John Hasler (414242) | more than 5 years ago | (#26765523)

> Nobody (that's nobody) chooses new passwords for every system they use.

False.

Re:Surely a meaningless analysis? (1)

cong06 (1000177) | more than 5 years ago | (#26765599)

Good point.

I have a few passwords. I always use my insecure one on forums, games, quick registration stuff.
And my more complex one for my bank account, etc.

The interesting thing is that number codes are the most common, instead of random words, or even the username. Did phpBB prevent the password from matching the username? That would be interesting to know.

Re:Surely a meaningless analysis? (0)

Anonymous Coward | more than 5 years ago | (#26765613)

> Nobody (that's nobody) chooses new passwords for every system they use.

You are wrong. This statement needs qualifying.

Stupid passwords (1)

SirLurksAlot (1169039) | more than 5 years ago | (#26765261)

[King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
President Skroob: [enters after the interrogation of King Roland] Well? Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?
Dark Helmet: 1 2 3 4 5.
President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
Dark Helmet: Yes, sir!
President Skroob: And change the combination on my luggage!

Group passwords and write 'em down (3, Interesting)

chill (34294) | more than 5 years ago | (#26765305)

I group passwords two ways.

1. Sites that have no personal info or I don't really give a damn about. Those share 2 or 3 different passwords depending on their lame (no special characters!) requirements. Pick two words, use 7334 spelling and separate them by a punctuation mark. For example "mad money" becomes "M@d;m0n3y". Good luck guessing stuff like that.

2. Sites that I care about, like online banking or ones that contain personal information (LinkedIn, for example), have random line noise for passwords and I just write them down. There is a notebook in my desk with all the passwords. The desk is locked and in my home office. That is far more secure than trying to make them easy enough to memorize.

3. If you use Firefox, make sure you use a Master Password [mozilla.com] if you allow it to remember passwords.

Someone posted this earlier and it is a useful BASH script.

dd if=/dev/random bs=200 count=1 2>/dev/null | LC_ALL=C tr -cd 'A-Za-z0-9!@#$%^&*()_+'; echo

Copy a group of 10-15 out of the middle of that and use it for a password.
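
The dd | tr one-liner in the comment above, restated as an added Python example (not part of the original post) to show why filtering random bytes is unbiased and how many bits a 10-15 character slice actually carries. The function names are assumptions; the character set is copied from the tr argument.

```python
import math
import os

# Same character set as the tr filter: 26 + 26 + 10 + 12 = 74 symbols.
ALLOWED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+"
)


def filtered_password(length, source=os.urandom):
    """Draw random bytes and keep only the allowed ones, as `tr -cd` does.

    Dropping unwanted bytes (rather than folding them in with a modulo) keeps
    every allowed character equally likely. Reading in a loop removes the
    one-liner's reliance on a single 200-byte read yielding enough characters.
    """
    out = bytearray()
    while len(out) < length:
        out.extend(b for b in source(64) if b in ALLOWED)
    return out[:length].decode("ascii")


def entropy_bits(length):
    """Entropy of a uniformly random password of this length over ALLOWED."""
    return length * math.log2(len(ALLOWED))


def expected_yield(n_bytes):
    """Average number of characters that survive the filter from n_bytes."""
    return n_bytes * len(ALLOWED) / 256


if __name__ == "__main__":
    print(filtered_password(12))
    print(f"200 random bytes yield about {expected_yield(200):.0f} characters")
    for n in (10, 15):
        print(f"{n} characters = {entropy_bits(n):.0f} bits")
```

At about 6.2 bits per character, the 10-15 character slice suggested in the comment carries roughly 62 to 93 bits.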

Re:Group passwords and write 'em down (0)

Anonymous Coward | more than 5 years ago | (#26765635)

It's called 1337, not 7334.

DMCA (1)

Migraineman (632203) | more than 5 years ago | (#26765311)

Does this message thread constitute an "access control circumvention device" under the DMCA? [chillingeffects.org] It's a reach to consider a message board thread to be a "device," but information herein does identify a statistical bias toward passwords used for access control. That wasn't the original intent of the DMCA ... but the original intent is irrelevant.

Maybe it's just me (1)

uberhobo_one (1034544) | more than 5 years ago | (#26765367)

I don't know about other people, but I really don't care if someone hacks or guesses my forum password. There is virtually no damage they can do. It's not as if they can get my credit card number, or even my real email address from my account information. The worst thing they could do is post goatse pictures all over the place and get me banned. It's for this reason that I don't spend much, if any, time creating a robust or unique password for forum sites. Same goes for myspace, facebook, or any other random website that requires a login for no good reason (I'm looking at you, nytimes.com).

When someone hacks the FBI network and posts all their passwords and finds the same pattern, give me a call and I'll freak out along with you. Trivial web sites are going to beget trivial passwords.

Re:Maybe it's just me (0)

Anonymous Coward | more than 5 years ago | (#26765397)

> I don't know about other people, but I really don't care if someone hacks or guesses my forum password. There is virtually no damage they can do. It's not as if they can get my credit card number, or even my real email address from my account information. The worst thing they could do is post goatse pictures all over the place and get me banned. It's for this reason that I don't spend much, if any, time creating a robust or unique password for forum sites. Same goes for myspace, facebook, or any other random website that requires a login for no good reason (I'm looking at you, nytimes.com).
>
> When someone hacks the FBI network and posts all their passwords and finds the same pattern, give me a call and I'll freak out along with you. Trivial web sites are going to beget trivial passwords.

The thing is most people don't treat it that way. They have one, maybe two passwords at most and the two are usually related in some way. It's just simpler to only memorize one or two. Of course, I'm generalizing from one point of view, but then again, everyone does.

Re:Maybe it's just me (1)

Charles Dodgeson (248492) | more than 5 years ago | (#26765607)

> I don't know about other people, but I really don't care if someone hacks or guesses my forum password [...] Trivial web sites are going to beget trivial passwords.

I suspect that many people don't distinguish between high security passwords and low security ones, but as you say, it would be very interesting to see results from a high value site.

But even if people are using better passwords on more important sites, they are still constrained by memory and psychology if they are not using a password management system. So even if they are using better passwords for those sites, they are probably using the same, or variants of the same, passwords on multiple sites. If one of those sites is compromised, then that user's password on other sites becomes very guessable.

What data like these, even on trivial sites, show is that far too few people are using proper password management systems.

Obligatory (0, Redundant)

mishehu (712452) | more than 5 years ago | (#26765403)

So the combination is 1... 2... 3... 4... 5...? (stops to open up mask) That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:Obligatory (1)

dayid (802168) | more than 5 years ago | (#26765479)

But I thought "one two three four five" as a combo meant "24445" no?