The Top 50 Gawker Media Passwords
wiredmikey writes "Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: "123456." So is the runner-up: "password." On Sunday night, hackers posted online a trove of data from Gawker Media's servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords."
Not Really Sold on the Correlations (Score:5, Informative)
A plurality of Gawker Media passwords are six characters long, but we wondered whether that and other results might differ based on the user’s email provider. Indeed, users of Google and Yahoo’s email services are more likely than Microsoft email users to have passwords of eight or more characters.
Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While your statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?
Popular passwords vary, as well: Gmail users are bigger X-Files fans ("trustno1") and more likely to opt for the slightly clever variant "passw0rd."
Or you're just staring at random data trying to make something out of it. "Slightly clever variant"? Ha, well, whoever decrypted these passwords had that one in mind, you know that for sure. Anything even remotely clever would not show up in here.
Yahoo and Microsoft email users, meanwhile, are much more likely to get sappy with their passwords: "iloveyou."
Come on, one example leads to that kind of generalization?
Re: (Score:2)
Google may require 8 characters now, but they haven't always. I have 6 character passwords on several Gmail accounts.
And another thing I'd like to point out.
Just because a person uses an "easy" password for something as trivial as a "commenting" user login, doesn't mean they use the same type of password on something more important.
anyone who used/uses the gawker commenting system knows it's a heaving pile of shit, and that may lead people to utilize simpler passwords because they routinely cannot get the sys
Perfect example: (Score:5, Interesting)
and today after checking my lists, I realized that I used the same password on both Slashdot (frequented!) and Digg (haven't visited since v4). Whatever, I changed it on both of these sites. I didn't bother touching it on Gawker now that I know I can't trust them to actually understand password security.
Re: (Score:2, Informative)
All my porn site passwords only use keys on the left side of the keyboard only so I can type them quickly one-handed.
Re: (Score:2)
I use lastpass and have a random password generated for every site I visit. I don't even think about passwords anymore.
Check TPB
Re:Perfect example: (Score:5, Informative)
If you want to check yourself, head to this Google Fusion table [google.com]
Instructions are right there on the page, but you take the md5sum of your email address (e.g. "echo -n email@address.com | md5sum") and check it against the list (click "Show Options" and selected MD5 = . This doesn't mean your password was decrypted, but at the very least the encrypted version is out there. You can check this other Google Fusion table [google.com] for your password.
Re: (Score:2)
check it against the list (click "Show Options" and select MD5 = [your md5 hash here]).
Fixed that for me.
just because a person uses an "easy" password for something as trivial as a "commenting" user login
And why the hell one needs a password to comment? To me that was always an overkill.
OpenID was poised to solve the problem (allowing single sign-on) and partially does that already. Yet still many sites do not support it - Gawker included.
Re: (Score:3)
One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed.
Plus whoever owns OpenID knows every site you visit and the frequency.
Keep it.
Re:Not Really Sold on the Correlations (Score:4, Informative)
The beauty of Open ID is that anyone can run a provider. Even you.
The ugliness of it is that you log in with a URL (that's a paradigm shift for a lot of people). Ever seen Google's OpenID URL? https://www.google.com/accounts/o8/id [google.com] (and I can never remember if there's a trailing slash, so I often end up trying to log in twice.) And if the provider goes down, you're locked out of pretty much everything. Of course, that's a benefit, too. If someone breaks into your own OpenID server, you can pull the plug and they lose access to all of those accounts.
Re:Not Really Sold on the Correlations (Score:5, Interesting)
That's what OpenID delegates are for. I have a page set up that I log in to OpenID sites with, and that page contains metatags to forward to the provider of my choice. Provider goes down, I can switch internally and never change my login URL.
Re: (Score:2)
That's really, really excellent and something I wasn't aware of in OpenID. Thank you for the pointer!
Plus whoever owns OpenID knows every site you visit and the frequency.
I'd take that - over maintaining manually a private DB with passwords.
I'd rather trust one (or few) OpenID provider(s), than hundreds of random people who run the dozens/hundreds sites I visit monthly. Both options have bunch of pros and cons - but at least the former has advantage of being convenient and non-obtrusive.
Re: (Score:2)
An alternative is to use a throwaway OpenID account. However, why let people be able to get tracking data from one account with multiple sites? Might as well have a different, throwaway ID for every site, just because of the stupidity of having to register to see a print view or leave comments, and the registration process almost always demands a lot of personal information that isn't relevant. Why do websites demand addresses (and bother trying to check them), other than just trying to get more stuff to
Re: (Score:2)
LiveJournal (the creator of OpenID, if I remember correctly) doesn't require anything other than an email to sign up. My account is pretty old but I use it every day. I have tried most "social" sites as they came out (geocities, LJ, friendster, myspace, facebook) but I always end up back at LJ : )
Re: (Score:3)
One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed. Plus whoever owns OpenID knows every site you visit and the frequency. Keep it.
The answer to all of those: just run your own [openid.net] - that way it's under your control from the start.
Re: (Score:2)
Because it otherwise kills all benefit to commenting.
A passwordless comment system is like SMTP today. Registration and CAPTCHAs help reduce a good chunk of spam, and brings it to a level that can be manually managed.
And sometimes, having an account gives you benefits, like remembering personal preferences (Gawker has some preferences like an avatar and your default comment view). But losing my account there would be more o
Re: (Score:2)
I signed up using a sneakemail.com temporary email address which has since been deleted so the only thing the hackers got was a junk email address and a junk password. No reason to secure something that is worthless.
Re: (Score:2)
anyone who used/uses the gawker commenting system knows it's a heaving pile of shit, and that may lead people to utilize simpler passwords because they routinely cannot get the system to send them "forgotten password" emails in a timely manner.
For most sites that demand a free user account to read the content, a strong password is idiotic; I use a string of 1s for most of them (newspapers are the worst offenders).
For my home PC and websites that I need security I have a long string of random characters that
Re: (Score:2)
You could have saved yourself a lot of analysis by rating the merits of the article from the first sentence. ;)
Re: (Score:2)
Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While your statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?
Except, that's not entirely true. Yes, while people typically use very weak passwords, Gawker's mistake was that they used DES (WTF?) to encrypt their passwords. DES has been shown to be not strong enough for quite some time now. On top of that, Gawker did not handle passwords correctly in the first place. No salt. No hash. It was just one big screw up.
So, yes, people choose bad passwords, but that can only result in a small compromise (one account). In Gawker's case, they had the whole entire system compro
Re: (Score:2)
There was a salt. That's why of the 1.2million accounts on Gawker, only about 200,000 passwords were recovered. It's looking like Gawker basically used crypt().
Re: (Score:2)
Stuff like that is inexcusable. Basic stuff like doing a salt (128 bit minimum, 256 bits recommended), appending it to the password the user types in, then running both through a SHA-256 blender for a good number of rounds [1] is SOP for anything to be taken seriously these days.
Why do people keep forgetting the need for salts in password storage? Even the old BSD and SVR4 UNIX variants had salts and computation rounds in the old crypt (3) password storage before the days of /etc/shadow. It is a lot toug
Re: (Score:2)
They were basically using crypt. There was, in fact, a salt (though not a good one.)
Also, Gawker switched to using bcrypt at some point, but since many people didn't change their passwords after the switch, they were still storing the old DES passwords.
Re: (Score:2)
Which would have easily been resolved by requiring a password change at the next login and locking the accounts until that occurred. Just sounds like laziness on Gawker's part.
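The two fixes argued for in this sub-thread, a random salt plus many rounds of SHA-256 for every stored password and rehashing accounts still on the old scheme the next time they log in instead of waiting for a voluntary password change, combined into one added example. This is illustrative code written for this page, not Gawker's code or anything from the thread; the "legacy" unsalted SHA-1 digest is an assumed stand-in for the old crypt(3)/DES store, the user table is constructed, and the round count is a sample value:

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme (assumption for this example, standing in for the old
# crypt(3)/DES store): unsalted, single round. Equal passwords give equal
# digests, so one precomputed table attacks every account at once.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

ROUNDS = 100_000  # sample value; tune to your hardware

def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-256 (PBKDF2-HMAC) in a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, record: str) -> bool:
    """Recompute from the stored salt and round count; constant-time compare."""
    scheme, rounds, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed user table: one account still on the legacy digest, one migrated.
USERS = {
    "alice": {"legacy": legacy_hash("123456"), "modern": None},
    "bob":   {"legacy": None, "modern": modern_hash("correct horse battery")},
}

def login(username: str, password: str, users=USERS) -> bool:
    """Return True on success. The first time a legacy-scheme user presents the
    correct password, rehash it under the modern scheme and discard the old
    digest, so no account keeps an unsalted hash past its next login."""
    user = users.get(username)
    if user is None:
        return False
    if user["modern"] is not None:
        return verify_modern(password, user["modern"])
    if hmac.compare_digest(legacy_hash(password), user["legacy"]):
        user["modern"] = modern_hash(password)
        user["legacy"] = None
        return True
    return False

def legacy_accounts(users=USERS):
    """Accounts still carrying an old-scheme digest: the set you would lock or
    force through a reset if they never come back to log in."""
    return sorted(u for u, rec in users.items() if rec["legacy"] is not None)
```

Because the salt is random per record, hashing the same password twice yields two different records, which is exactly what stops the "123456" cluster from collapsing into one crackable digest; the upgrade-at-login path removes the legacy digest only after the plaintext has been verified, and legacy_accounts() is what a migration job would poll to find the stragglers that still need forcing.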
Re: (Score:2)
The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack!
Not exactly. It does not mean that all of the passwords were "as strong" as each other. It means that all of them were weak enough to be broken by an attack of this strength. Some of the better ones might not have been cracked by a less capable attack.
Take your pick, "unicorns" or "$r-P_5"?
It's clear that the 8 character lower-case "unicorns" could be broken by a simple dictionary attack (maybe 20-ish bits of entropy), while the 6 character "$r-P_5" obviously would not. The latter would need a brute force across 6 characters, mixed case + numeri
Re:Not Really Sold on the Correlations (Score:4, Insightful)
The only thing this study shows is the most popular passwords used by people who don't care about security.
Good passwords will be reasonably unique. When you try to find the most common passwords, of course the bad ones will bubble up to the top, even if only a fraction of a percent of people use them. This list might be interesting, but it doesn't really show anything significant about Gawker's users.
Re: (Score:2)
I don't know about the graphs and statistics they generated from this. First of all, you don't know how many out of the total set of users were stolen and the ones that were decrypted were probably the obvious ones (via rainbow tables? was Gawker using salt?). Perhaps this adds a bit of slant to any statistics generated? Anyway:
Apparently Gawker was using DES (really?!) and with the password in its source code
So yeah, it's pretty easy to decode it
Re: (Score:2)
I don't think the point was that they could "decrypt" obvious passwords. I think the actual point is the fact that real people are STILL using obvious passwords!
Either they are naive and think their account won't get hijacked or they don't care since the account was likely just created to make one comment in the forums and doesn't matter.
123456? (Score:5, Funny)
"Cleverly fooled ya!"? I think you meant FOOLED YOU!
Please excuse me for a moment (Score:4, Funny)
No need (Score:2)
I have to change the password on my luggage.
Don't worry about it; I took the lock also.
My password (Score:5, Funny)
Re:My password (Score:5, Funny)
I'm sure someone else must use hunter2
Re:My password (Score:5, Funny)
You know, it just shows up as ******* when you type hunter2. Slashdot automatically blocks your password if you type it.
Re:My password (Score:4, Funny)
wait, how did you know my pw?
Re: (Score:2)
It's wide-open in the post, of course. You do realise that the password box only displays stars or dots to you? We're on the other side of the Slashdot servers, so we see it in plain text.
That password is too short to use on my site. A minimum of 8 is required. It looks like xyzzy and x-ray have fallen out of the top spots. I must be getting old.
Re: (Score:2)
The old Wizardry games on the Apple ][ would add a pseudo-random number of asterisks when typing in a character password. This way, if someone saw 8 asterisks, it could be a 2 character password, or longer. Since it was the same number of characters, one could use that to double-check if they had the right password typed as well.
Smarter security systems also follow this lead. So, "******" may not be "hunter2", but "1234".
So what? (Score:3)
Seriously, what are "hackers" going to do with my account? It's not even under my real name.
No... for the really secure sites you need to use Abcd1234
Re: (Score:3)
Yes they tend to, but the top 50 are almost all counter-examples to that tendency. It's the bottom 100000 that you should worry about.
Re: (Score:2)
Exactly. Look at how many passwords were gizmodo or engadget. It's a useless account -- does anyone really care if someone is now able to post comments or get replies to a site like this. It shows that users have individual passwords for the sites, and probably good odds that they are using "real" passwords for sites that matter.
Re: (Score:2)
4chan's /b/ and anons are like, a bouncy ball, a ball that is capable of making you happy, and be fun.
Lesson:
Do not taunt happy fun ball.
Get a LIFE! (Score:2, Insightful)
Depends on whether you meticulously memorize or keep a record of dozens of passwords...
No, I don't. I use the same password /UID for *EVERY* bullshit site that really doesn't matter that much but I want to see the "subscription" content. And yes, I don't care if people know the UID / PASS to the bullshit sites that really doesn't matter that much but I want to see the "subscription" content. Folks, it's Gawker. If you're stressing over the disclosure of your Gawker UID/PWD, you seriously need to get a life.
What this shows us (Score:3)
Re: (Score:2)
if your username + password lets people guess on anything, they're going to try it on every site that exists to try to exploit it.
so actually, yes, this does matter if you didn't take the proper steps to make it hard to identify the email address/username/etc used in the original registration.
Re: (Score:2)
> Most people...
I'm sorry, is this FOX News?
Isn't it obvious? (Score:2)
Strong password are unique, weak passwords are not (Score:2)
Re: (Score:2)
I'm not sure that follows.
If "strong" is defined as "this cracking software takes an ungodly amount of time to guess it," it's possible that a plurality of some tech-savvy community could have the same otherwise-random string of characters. Unlikely, but possible.
If only 200k of 1000k passwords were cracked, there's still the potential of some strong password being the most popular.
I use a stupid password for stupid sites (Score:5, Interesting)
The idea that a password is necessary for such an account is idiotic. No one cares about hacking it (or if you do, then you have an unhealthy obsession with TV).
Gawker is a similar timewaster. Wasting your brain power to create/remember a good password for it is foolish.
I see nothing wrong with using "123456" or "password" for it. I am also pretty sure that most intelligent people that use stupid passwords for stupid web sites, don't use stupid passwords for their bank account or their primary email (but maybe for an email they feed to spammers that offer 'deals' if you give them your email.)
Re: (Score:3)
Re: (Score:3)
if there's an email address linked, then expect that email address to be tested across hundreds of sites and then they can rainbow attack sites that validate your email address (it's easy enough to do).
Basically, signing up with a legitimate email address is a huge mistake.
Re: (Score:2)
I find that typing "pwgen -s" and copying one of the random passwords that result requires very little of my brain power. Your brain may vary. Of course, I also write down all of my passwords[1]...
[1] Except my GPG passphrase, of course. That has never been written down anywhere.
Re: (Score:2)
Re: (Score:3)
I do hope that all of the folks (not just the OP - there are many in this thread) that are saying "it doesn't matter, I'll just get another accoun
Re: (Score:2)
So people can use your account to pretend to be you and saying bad things?
Re: (Score:2)
Um, yeah that wasn't me. Someone else said all that under my account. Honest!
What the hell does it matter? (Score:2)
What the hell does it matter which password I use for a throwaway comment account on some website? Honestly. Oh noes, someone guessed my password...and...logged in as me? Big deal. "And nothing of value was lost"
I suppose there are those whose lives and self-worth are determined by the snarky and cruel comments they make online, but I suppose such persons would use a for their highly valuable commenting account, without which their lives would have no meaning. [impnerd.com]
Re: (Score:2)
Re: (Score:2)
The "big deal" is that the site admins will now have to deal with the resulting comment spam.
Re: (Score:2)
Different Passwords (Score:2)
Banks, insurance, work, email and the like get much stronger passwords.
If someone were to compromise my password on a less important site, who cares? I certainly don't.
Re: (Score:2)
Exactly
I have 3 levels of password security. "Stupid sites" get the simpler password.
Also, for simple sites that I don't trust I have yet another password (simple as well, but different)
How to interpret the data (Score:2)
Ok, so we know there are a lot of accounts created for a public web site that have weak passwords.
Do we know that these accounts were "serious" accounts, and not throwaway accounts?
It could be, and likely is, that people don't care as much about securing their accounts as they should. It could also be that a lot of people needed to log in to gawker to access something one time, didn't plan to ever return, went through the account creation process with a throwaway password that they didn't care about, and t
consider what was being "secured" (Score:4, Insightful)
The golden couple of Disney breaks up on Vanessa's 22nd birthday. Katie Couric goes to a Bieber concert. Michael C. Hall divorces. Miley barters for her bong video with Macbooks. Tuesday gossip is always a trade-off.
I mean hell, I wouldn't even use my real name or my established nick on a site like that. What the hell does it matter what the password is, at that point? A very minimal amount of security simply to allow for a very minor amount of distinction between posters, but if it's lost...
Anyway, the passwords used there shouldn't really be held against someone - just sayin.
Important things to note. (Score:2)
Whats with the Names? (Score:2)
Re: (Score:2)
Michael Jordan and Michelle Obama, I guess.
And the reason is (Score:4, Interesting)
that people probably don't care if someone steals their "commenting" account password.
The only reason to create it in a first place was because they just wanted to show their nick.
I bet if someone checked Washington Post account database passwords, there'd be the same amount of "Blahblahs" and "F*ckoff123"
Re: (Score:2)
and a lot of "bugmenot"...
Re: (Score:2)
This is why I use tiered passwords. (Score:4, Interesting)
This way, I have damage control. If something gets compromised, it's not going to affect as much. Gawker gets hacked, I change my password for a dozen websites, but don't have to worry about my email being stolen or my bank account being drained. Likewise, if someone does manage to hijack my email account, I can tell people over Facebook that it happened, and not to trust that email address anymore. Yes, it's still not as secure as unique passwords for every site, but it's significantly easier on the memory.
Re: (Score:2)
Same system I used when I was younger. Nowhere near as good as using KeePassX [keepassx.org], which will run on nearly every OS, from USB, and on mobile phones. Each and every site login has a unique password, like "xY5C=r%|yH`", and when I want to log in I just select "copy password to clipboard" over the entry and paste in. Also helps avoid keyloggers. You have one master password, and simply make sure you back up your encrypted password file.
This way, if a site is compromised then it has no damage outside of that accou
Re: (Score:3)
I just select "copy password to clipboard" over the entry and paste in. Also helps avoid keyloggers.
A keylogger that doesn’t monitor the clipboard? Lame...
Re: (Score:2)
Savviest? (Score:2)
Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web...
What are you basing that on?
Dark Helmet (Score:2)
passwords inherently suck (Score:2)
Many people (not necessarily us super-smart slashdotters, but in the media and in general) appear to be taking the wrong lesson from this. This data breach shows that it doesn't really matter how good your password is if the list is not stored securely.
In this case, they were encoded with the flawed and ancient "crypt" method, which allowed the weakest passwords to be brute-forced very quickly. But there's plenty of CPU power out there, and rest assured that any stronger passwords wouldn't stand up to furth
Re: (Score:2)
Crypt isn't that flawed and ancient. It can also do blowfish, SHA512, and SHA256. You can also force a number of rounds too, to make hashing much more time consuming.
http://php.net/manual/en/function.crypt.php [php.net]
Here is example code & output copied from that link: ...
<?php
// Only run the SHA-512 variant where this build's crypt() supports it
if (CRYPT_SHA512 == 1) {
    echo 'SHA-512: ' . crypt('rasmuslerdorf', '$6$rounds=5000$usesomesillystringforsalt$') . "\n";
}
Standard DES: rl.3StKT.4T8M
Extended DES: _J9..rasmBYk8r9AiWNc
MD5: $1$rasmusle$rI
so? (Score:2)
Similar analysis here (Score:2)
Re: (Score:2)
At some point in Gawker's history, they switched to bcrypt hashes. The only problem is that people don't change their passwords a lot, so anyone who signed up before the change probably just had the old crypt(3) hash. crypt(3) is a hash, incidentally. It's just ... fairly easy to compute and run through with DES as the algorithm. The reason all of those passwords were exposed was because they were cracked, not because they were decrypted.
Modern methods of hashing use multiple rounds of hash in order to
Re: (Score:2)
Fair point. I can imagine a line of thought that would lead to not doing this (mostly how the code is naturally separated) but it's not a very good one.
What's interesting to me is that some entries in the database had non-null values in both hash fields. I'm not sure if Gawker kept the old hash at a password change or what.
Re: (Score:2)