When hackers swiped an estimated 36 million accounts associated with AshleyMadison.com, a site which helps married people cheat on their partners, there was a rush to find out what had been stolen.
Password     Used
123456       202
password     105
12345         99
qwerty        32
12345678      31
ashley        28
baseball      27
abc123        27
696969        23
111111        21
football      20
f**kyou       20
madison       20
a**hole       19
superman      19
f***me        19
hockey        19
123456789     19
hunter        19
harley        18
A month after the breach was reported, hackers released the first cache of stolen data. Email addresses, credit card transactions, and more were leaked on August 18. More data, released days later, included internal emails at the website’s parent company, Avid Life Media.
The tens of millions of passwords, though leaked, were hashed, meaning they had been run through a deliberately slow, salted password-hashing function known as bcrypt rather than stored as plain text. (Many other websites that have suffered leaked data have either used weak cryptography to hash the passwords, or none at all.) Robert Graham at Errata Security said in a blog post this was a “refreshing change,” because it means users with strong passwords are “safe.”
But, for weaker passwords, the same cannot be said.
Security expert Dean Pierce described in a blog post how he ran the list of hashed passwords through a so-called “cracking rig” to see how many passwords he could recover from the cache.
The results were not that surprising. The weaker passwords in use were terrible.
Pierce ran the rig for five days, cracking as many passwords as it could before he gave up at around 0.0006 percent of the entire cache. That’s about 4,000 cracked passwords in total.
The most common password was “123456,” which scores a zero on the imagination scale, while, perhaps worse, “password” ranked in second place. (You can download the full list from Google Drive, where Pierce uploaded the data.)
In comparison to Adobe’s data breach in 2013, which led to the release of 38 million Adobe usernames and passwords, the cracked AshleyMadison.com passwords are just as bad. That’s because the most popular password for almost two million Adobe customers was also “123456.” It seems lessons from the past weren’t learned, because when Yahoo suffered a data breach in 2012, the same password, “123456,” was top of the list.
It’s worth noting that in the AshleyMadison.com case, it’s not clear from the data which time period the passwords come from. It’s possible that AshleyMadison.com allowed weaker passwords in its early days and only later enforced stronger passwords at sign-up.
There are a lot of variables at play. But there is a bottom line.
“Maybe these passwords were all throwaways,” said Pierce. “It may also be infeasible to crack any given bcrypt password, but given enough users, it doesn’t matter if passwords are bcrypted and salted, a ton of passwords are eventually going to pop out.”
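What the bcrypt point and Pierce’s “given enough users” point add up to for a site operator: a slow, salted hash protects strong passwords, but the only defence for “123456” is to refuse it at sign-up. The Python below is an added example, not code from the article, Pierce, or Avid Life Media; the standard library’s scrypt stands in for bcrypt (both are slow, salted password hashes), and the denylist is constructed from the uncensored entries in the table above.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed denylist: the uncensored entries from the cracked-password table.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "qwerty", "12345678", "ashley",
    "baseball", "abc123", "696969", "111111", "football", "madison",
    "superman", "hockey", "123456789", "hunter", "harley",
}

# scrypt stands in for bcrypt here: a deliberately slow, salted hash, which is
# the property that kept the strong Ashley Madison passwords out of reach.
# Parameters are assumed values for illustration (16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def password_is_acceptable(password: str, min_length: int = 8) -> bool:
    """Sign-up check: reject short passwords and anything on the denylist.

    Salting and a slow hash do not help "123456": that guess is tried first
    against every account, so the weak ones have to be refused up front.
    """
    if len(password) < min_length:
        return False
    return password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```

Because each user gets a distinct salt, two accounts that both chose “123456” still store different digests; that alone does not save them, since a single guess is simply recomputed per account.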