I suppose we should expect this, since we know how bad people are at choosing passwords, but you’d think that on a site dedicated to indiscretions people would be a little more careful.
These choices of passwords could turn out to be the most embarrassing thing we learn about Ashley Madisonizens, even more than their marital infidelities:
“Ashley” and “Madison” and “qwerty” were also popular (So are, intriguingly, in context, “fuckyou” and “fuckme”), but “123456” heads the list.
Actually, it's not entirely fair to characterize this as I have – these were the passwords that could be broken, and a lot of them haven't been. So these are really the top "weak" passwords. I'm still surprised people would use them in this context.
True. Not being a subscriber I wasn’t aware that was a requirement at that site.
IMO "HornyMe" or variations would be a more plausible choice than "horney". Unless there are a lot of people who really spell it that way. Although I suspect a lot of folks have never had occasion to write that word at all and have no fixed idea of how it is or should be spelled.
If I understand it correctly, cracking the passwords is a process involving brute-force guessing for each password. That starts with easy guesses: known common passwords, maybe an exhaustive search of the 6-character password space, dictionary words, and from there longer passwords perhaps focused on common patterns used by most people. They probably found all examples of “123456” and “password” in the entire 36 million passwords.
Luckily for the users here, passwords were properly stored so only the really weak passwords are going to be broken.
According to the blog describing the cracking attempt, they were using the (now famous) RockYou password list. Any password that wasn’t on that (admittedly large) list wasn’t going to get cracked. So it’s 5% of the bad passwords. (Edit: Sorry, I missed the post where you pointed out this already.)
To me, the more interesting thing is that AM was using actual good password storage - salted hashes using bcrypt. Given everything else we've learned recently about the company, I was expecting unsalted MD5, or maybe plaintext. The rate of 156 guesses per second on a state-of-the-art custom-built password cracking machine is really quite slow.
The examples given are the same top passwords on all sites. You would need to look at the percentiles to figure out if the AM crowd were particularly better or worse, on average, than the greater internet.
Old joke:
What’s the longest word you can type with just your left hand?
That was what I took away, too. They had at least one competent security guy on staff at some point. Basically those passwords are not going to be cracked, other than the mind-numbingly simple 123456-esque ones.
It was a really high-end lock they put on that door they didn’t bother to close.
Turns out AM used some laughably terrible password security after all. While the primary password database used bcrypt to securely hash passwords, the passwords were also stored as MD5 hashes. Even worse, the insecurely hashed version converted uppercase to lowercase, so it was even easier to brute force guess the all-lowercase versions, and trivial to find uppercase characters in bcrypt hashed passwords.
Net result is that all the AM passwords are about a million times easier to crack than previously thought. After ten days of crunching, 11 million passwords have been cracked…
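To make the design lesson in the last two posts concrete, here is an added example (not code from the thread or from the AM site) that stores the same password two ways and counts how many evaluations of the slow hash it takes to confirm it. The slow hash is PBKDF2 from the standard library standing in for bcrypt, the round count and the four-word list are constructed, and the "legacy" record adds an unsalted MD5 of the lowercased password as the thread describes.

```python
import hashlib
import itertools
import os
from typing import Optional, Tuple

# Assumed cost for the stand-in slow hash (bcrypt in the real scheme).
ROUNDS = 10_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the only thing that should be stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def store(password: str, keep_legacy_md5: bool) -> dict:
    """Corrected scheme: slow salted hash only.
    Flawed scheme: the same, plus an unsalted MD5 of the lowercased password."""
    salt = os.urandom(16)
    record = {"salt": salt, "slow": slow_hash(password, salt)}
    if keep_legacy_md5:
        record["md5_lower"] = hashlib.md5(password.lower().encode()).hexdigest()
    return record


def case_variants(word: str):
    """Every upper/lower spelling of word: 2**(number of letters) of them."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def slow_guesses_needed(record: dict, wordlist) -> Tuple[Optional[str], int]:
    """Return (recovered password, number of slow-hash evaluations spent).
    With the legacy MD5 present, the lowercase word is confirmed or rejected
    by cheap MD5 checks, so only the case variants of one word reach the slow
    hash; without it, every variant of every word must go through it."""
    if "md5_lower" in record:
        words = [w for w in wordlist
                 if hashlib.md5(w.lower().encode()).hexdigest() == record["md5_lower"]]
    else:
        words = list(wordlist)
    slow_calls = 0
    for guess in (v for w in words for v in case_variants(w.lower())):
        slow_calls += 1
        if slow_hash(guess, record["salt"]) == record["slow"]:
            return guess, slow_calls
    return None, slow_calls
```

The legacy MD5 also lets a word that is not in the list be rejected with zero slow-hash work, which is the "million times easier" effect the post describes.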