The Top 50 Gawker Media Passwords

wiredmikey writes "Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: "123456." So is the runner-up: "password." On Sunday night, hackers posted online a trove of data from Gawker Media's servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords."

Not Really Sold on the Correlations

[eldavojohn]

I don't know about the graphs and statistics they generated from this. First of all, you don't know how many out of the total set of users were stolen and the ones that were decrypted were probably the obvious ones (via rainbow tables? was Gawker using salt?). Perhaps this adds a bit of slant to any statistics generated? Anyway:

A plurality of Gawker Media passwords are six characters long, but we wondered whether that and other results might differ based on the user’s email provider. Indeed, users of Google and Yahoo’s email services are more likely than Microsoft email users to have passwords of eight or more characters.

Well, Hotmail and Yahoo! require six characters or more and Google requires eight characters or more. Explains the Google/Microsoft difference anyway: People are lazy. While you're statements aren't false, I fail to see their confidence or usefulness. Or are we just trying to pat ourselves on the back for using Google and being part of the "elite?" The funny thing is that if your password is showing up here, it's just as "strong" as the other ones that fell victim to this kind of attack! Regardless of length! Take your pick, "unicorns" or "$r-P_5"?

Popular passwords vary, as well: Gmail users are bigger X-Files fans ("trustno1") and more likely to opt for the slightly clever variant "passw0rd."

Or you're just staring at random data trying to make something out of it. "Slightly clever variant"? Ha, well, whoever decrypted this passwords had that one in mind, you know that for sure. Anything even remotely clever would not show up in here.

Yahoo and Microsoft email users, meanwhile, are much more likely to get sappy with their passwords: "iloveyou."

Come on, one example leads to that kind of generalization?

Re:Not Really Sold on the Correlations

[Sancho]

The beauty of Open ID is that anyone can run a provider. Even you.

The ugliness of it is that you log in with a URL (that's a paradigm shift for a lot of people). Ever seen Google's OpenID URL? https://www.google.com/accounts/o8/id [google.com] (and I can never remember if there's a trailing slash, so I often end up trying to log in twice.) And if the provider goes down, you're locked out of pretty much everything. Of course, that's a benefit, too. If someone breaks into your own OpenID server, you can pull the plug and they lose access to all of those accounts.

Re:Perfect example:

[butalearner]

If you want to check yourself, head to this Google Fusion table [google.com]

Instructions are right there on the page, but you take the md5sum of your email address (e.g. "echo -n email@address.com | md5sum") and check it against the list (click "Show Options" and selected MD5 = . This doesn't mean your password was decrypted, but at the very least the encrypted version is out there. You can check this other Google Fusion table [google.com] for your password.

Re:Perfect example:

[Anonymous Coward]

All my porn site passwords only use keys on the left side of the keyboard only so I can type them quickly one-handed.