Another Password Analysis
Here’s an analysis of 30,000 passwords from phpbb.com, similar to my analysis of 34,000 MySpace passwords:
The striking different between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords “must be between 6 and 10 characters, and contain at least 1 number or punctuation character.” Most people satisfied this requirement by simply appending “1” to the ends of their passwords. The phpbb site has no such restrictions—the passwords are shorter and rarely contain anything more than a dictionary word.
Seems like we still can’t choose good passwords. Conficker.B exploits this, trying about 200 common passwords to help spread itself.
Brad Hicks • February 20, 2009 7:57 AM
Who uses their real password for a web-based BBS? I don’t care about security on a chat system, so I deliberately use an old, irrelevant, easily remembered and very weak password. I do it partly for convenience, and partly to remind myself that phpBB is an insecure system to start with, at least in most implementations it is. Why bother with a strong password on something that easily hacked?